我有一个 iptables 规则设置,如果地址连接到某些端口或任何未打开的端口,则将它们标记为可疑。如果在没有身份验证的情况下进行了三个以上的连续连接,则该地址被列入黑名单。黑名单发生后,远程主机被阻止访问所有端口。然而,尽管在地址被列入黑名单时丢弃数据包,nmap 仍然能够检测到主机已启动。nmap 使用什么来确定这一点?我怎样才能让主机完全消失,就像特斯拉线圈一样?
root@yellowtail:~# nmap -Pn 10.42.0.48
Starting Nmap 6.00 ( http://nmap.org ) at 2014-02-12 21:56 GMT
Nmap scan report for 10.42.0.48
Host is up (0.00022s latency).
All 1000 scanned ports on 10.42.0.48 are filtered
MAC Address: EC:43:F6:C0:B1:E8 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 22.11 seconds
更新:DROP 的规则路径
首先,在处理传入的新外部流量(我正在测试的)之前,处理已建立的和相关的外部连接流量......
-N ERIN
-A ERIN -m state --state INVALID -j DROPINVALID
-A ERIN -m state ! --state RELATED,ESTABLISHED -j RETURN
#-A ERIN -j LOG --log-prefix "RELATED,ESTABLISHED ACCEPT" --log-tcp-options --log-ip-options --log-level 7
-A ERIN -j ACCEPT
-N BLACKLIST
-A BLACKLIST -m recent --name whitelist --rcheck -m limit --limit 1/minute -j LOG --log-prefix "!BLACKLIST: WHITELISTED" --log-level 7
-A BLACKLIST -m recent --name whitelist --rcheck -j RETURN
-A BLACKLIST -s 4.79.142.206 -j LOG --log-prefix "!BLACKLIST: SHIELDS-UP" --log-level 7
-A BLACKLIST -s 4.79.142.206 -j RETURN
-A BLACKLIST -m recent --name blacklist ! --rcheck -j LOG --log-prefix "BLACKLIST" --log-tcp-options --log-ip-options --log-level 7
-A BLACKLIST -m recent --name blacklist --set
-A BLACKLIST -j DROP
-N BLACKLIST_IN
-A BLACKLIST_IN -m recent --name blacklist --rcheck --reap --seconds 172800
-A BLACKLIST_IN -m recent --name blacklist --rcheck -j LOG --log-prefix "BLACKLIST_IN RCHECK" --log-level 7
-A BLACKLIST_IN -m recent --name blacklist --rcheck -j BLACKLIST
-N WAN_IN
-A WAN_IN -j BLACKLIST_IN
...
-A INPUT -j ERIN
-A INPUT -i {EXT_IFACE} -j WAN_IN
...
这只是 iptables 中的相关路径。我已经通过我在整个规则集中乱扔的 LOG 消息确认了路径。
更新:启用 TRACE 后
这是通过第一个 nmap 数据包的规则集的路径namp -F 10.42.0.48
:
[ 7021.149480] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=xx SRC=...
[ 7021.173615] TRACE: mangle:PREROUTING:rule:2 IN=eth0 OUT= MAC=xx SRC...
[ 7021.197771] TRACE: mangle:HANDHELDS:rule:1 IN=eth0 OUT= MAC=xx SRC=...
[ 7021.221820] TRACE: mangle:PREROUTING:policy:3 IN=eth0 OUT= MAC=xx S...
[ 7021.246159] TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= MAC=xx SRC=10...
[ 7021.270094] TRACE: nat:UPNPD_PREROUTING:return:1 IN=eth0 OUT= MAC=x...
[ 7021.294688] TRACE: nat:PREROUTING:policy:6 IN=eth0 OUT= MAC=xx SRC=...
[ 7021.318757] TRACE: mangle:INPUT:policy:1 IN=eth0 OUT= MAC=xx SRC=10...
[ 7021.342657] TRACE: filter:INPUT:rule:2 IN=eth0 OUT= MAC=xx SRC=10.4...
[ 7021.366373] TRACE: filter:ERIN:rule:2 IN=eth0 OUT= MAC=xx SRC=10.42...
[ 7021.390054] TRACE: filter:INPUT:rule:3 IN=eth0 OUT= MAC=xx SRC=10.4...
[ 7021.413772] TRACE: filter:WAN_IN:rule:1 IN=eth0 OUT= MAC=xx SRC=10....
[ 7021.437591] TRACE: filter:BLACKLIST_IN:rule:1 IN=eth0 OUT= MAC=xx S...
[ 7021.461906] TRACE: filter:BLACKLIST_IN:rule:2 IN=eth0 OUT= MAC=xx S...
[ 7021.486269] BLACKLIST_IN RCHECKIN=eth0 OUT= MAC=xx SRC=10.42.0.1 DS...
[ 7021.506133] TRACE: filter:BLACKLIST_IN:rule:3 IN=eth0 OUT= MAC=xx S...
[ 7021.530447] TRACE: filter:BLACKLIST:rule:4 IN=eth0 OUT= MAC=xx SRC=...
[ 7021.554554] TRACE: filter:BLACKLIST:return:5 IN=eth0 OUT= MAC=xx SR...
更新 3
如果我只对单个端口进行端口扫描,它仍然能够识别出主机已启动。
root@yellowtail:~# nmap -Pn -p80 10.42.0.48
Starting Nmap 6.00 ( http://nmap.org ) at 2014-02-12 23:25 GMT
Nmap scan report for 10.42.0.48
Host is up (0.00022s latency).
PORT STATE SERVICE
80/tcp filtered http
MAC Address: EC:43:F6:C0:B1:E8 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
这是该扫描的整个 TRACE 输出:
[ 8565.051960] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= M
[ 8565.075775] TRACE: mangle:PREROUTING:rule:2 IN=eth0 OUT=
[ 8565.099686] TRACE: mangle:HANDHELDS:rule:1 IN=eth0 OUT= M
[ 8565.123557] TRACE: mangle:PREROUTING:policy:3 IN=eth0 OUT
[ 8565.147626] TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= MAC
[ 8565.171236] TRACE: nat:UPNPD_PREROUTING:return:1 IN=eth0
[ 8565.195551] TRACE: nat:PREROUTING:policy:6 IN=eth0 OUT= M
[ 8565.219400] TRACE: mangle:INPUT:policy:1 IN=eth0 OUT= MAC
[ 8565.243045] TRACE: filter:INPUT:rule:2 IN=eth0 OUT= MAC=
[ 8565.266520] TRACE: filter:ERIN:rule:2 IN=eth0 OUT= MAC= S
[ 8565.289870] TRACE: filter:INPUT:rule:3 IN=eth0 OUT= MAC=
[ 8565.313348] TRACE: filter:WAN_IN:rule:1 IN=eth0 OUT= MAC=
[ 8565.336940] TRACE: filter:BLACKLIST_IN:rule:1 IN=eth0 OUT
[ 8565.361017] TRACE: filter:BLACKLIST_IN:rule:2 IN=eth0 OUT
[ 8565.385057] BLACKLIST_IN RCHECKIN=eth0 OUT= MAC= SRC=10.4
[ 8565.404774] TRACE: filter:BLACKLIST_IN:rule:3 IN=eth0 OUT
[ 8565.428915] TRACE: filter:BLACKLIST:rule:4 IN=eth0 OUT= M
[ 8565.452702] TRACE: filter:BLACKLIST:return:5 IN=eth0 OUT=
[ 8565.476707] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= M
[ 8565.500509] TRACE: mangle:PREROUTING:rule:2 IN=eth0 OUT=
[ 8565.524408] TRACE: mangle:HANDHELDS:rule:1 IN=eth0 OUT= M
[ 8565.548252] TRACE: mangle:PREROUTING:policy:3 IN=eth0 OUT
[ 8565.572322] TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= MAC
[ 8565.595933] TRACE: nat:UPNPD_PREROUTING:return:1 IN=eth0
[ 8565.620263] TRACE: nat:PREROUTING:policy:6 IN=eth0 OUT= M
[ 8565.644118] TRACE: mangle:INPUT:policy:1 IN=eth0 OUT= MAC
[ 8565.667760] TRACE: filter:INPUT:rule:2 IN=eth0 OUT= MAC=
[ 8565.691207] TRACE: filter:ERIN:rule:2 IN=eth0 OUT= MAC= S
[ 8565.714579] TRACE: filter:INPUT:rule:3 IN=eth0 OUT= MAC=
[ 8565.738085] TRACE: filter:WAN_IN:rule:1 IN=eth0 OUT= MAC=
[ 8565.761640] TRACE: filter:BLACKLIST_IN:rule:1 IN=eth0 OUT
[ 8565.785705] TRACE: filter:BLACKLIST_IN:rule:2 IN=eth0 OUT
[ 8565.809747] BLACKLIST_IN RCHECKIN=eth0 OUT= MAC= SRC=10.4
[ 8565.829463] TRACE: filter:BLACKLIST_IN:rule:3 IN=eth0 OUT
[ 8565.853577] TRACE: filter:BLACKLIST:rule:4 IN=eth0 OUT= M
[ 8565.877387] TRACE: filter:BLACKLIST:return:5 IN=eth0 OUT=
它显示为“up”,因为您告诉 Nmap 跳过主机发现阶段并假设它已启动。这就是选项的
-Pn
含义。但是,即使没有此选项,您也可能会发现 Nmap 可以检测到您的系统。Nmap 的主机发现使用许多不同的探针来确定主机是否已启动。从与目标相同链路层(第 2 层)的地址扫描时,它会发送 ARP 请求以确定目标的第 2 层地址(MAC 地址)。目标以包含其 IP 地址和 MAC 地址的 ARP 响应进行响应。这就是 MAC 地址最终出现在上面的输出中的方式。
您不能使用 iptables 阻止此响应,因为它不是第 3 层协议。为此,您可以使用ebtables。然而,要意识到这并不是真正的威胁:如果你不能相信你自己局域网上的主机知道你已经启动了,那么你就会遇到更大的问题。
诊断“为什么 Nmap 说 X?”的问题 您可以使用该
--reason
选项,这将显示Nmap 为主机或端口选择特定状态的原因:最后一点:您应该始终尝试使用最新版本的 Nmap。6.40 版本于 2013 年 7 月取代了 6.00。