[Patch] IPv4 TCP security improvement

Joachim Baran (jbaran@hildesheim.sgh-net.de)
Thu, 7 Jan 1999 11:12:03 +0100



Hello!

At first: This is the very first patch I've ever made, so
maybe I'm doing something wrong in the way I release this,
but I was unable to find a detailed description or HOWTO
on how to do this.

The patch is very simple. It lets you toggle the behavior
of how to react to packets to unconnected ports. This is
done using Config.in.

Scanning tools such as nmap (I guess it's pretty famous)
use the ACK+RST, which would be sent if my option weren't
activated, to scan for open ports. My patch does nothing
like that; it only prints a kernel message at level
KERN_DEBUG like this:

127.0.0.1 tried closed TCP socket port 24

Yes, with the decoy option of nmap it's possible to make
this debugging output useless.

I used diff -u to produce the diff files. The original
files are named *.orig, but see that in the attachments.
Oh yes, this is against 2.1.132.

- Hope that was all -

Bye.

-- 
Joachim Baran                   jbaran@hildesheim.sgh-net.de
Breslauerstr.18     http://prinz.hannover.sgh-net.de/~jbaran
31171 Mahlerten                       Network Administration
Lower Saxony/Germany                         and Programming

[Attachment: tcp_ipv4.c.diff]

--- net/ipv4/tcp_ipv4.c.orig Sun Dec 27 14:29:16 1998 +++ net/ipv4/tcp_ipv4.c Thu Jan 7 10:55:09 1999 @@ -25,6 +25,9 @@ /* * Changes: + * Joachim Baran : Dropping of packets to unconnected + * sockets. This make the NULL and + * FIN 'stealth' scan obsolete. * David S. Miller : New socket lookup architecture. * This code is dedicated to John Dyson. * David S. Miller : Change semantics of established hash, @@ -1693,8 +1696,15 @@ return 0; no_tcp_socket: +#ifdef CONFIG_TCP_ACKRST + printk(KERN_DEBUG "%d.%d.%d.%d tried closed TCP socket port %d\n", + NIPQUAD(skb->nh.iph->saddr), + ntohs(th->dest) + ); +#else tcp_v4_send_reset(skb); - +#endif + discard_it: /* Discard frame. */ kfree_skb(skb);
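Review bot: the changelog comment in the first hunk overstates the effect: the change only touches the no_tcp_socket path, so a probe that reaches a listening socket is answered exactly as before; what the patch removes is the RST that let a FIN or NULL probe tell a closed port from an open one, it does not make scanning as such obsolete. Suggest "Drop segments to ports with no socket instead of sending RST; FIN/NULL probes can no longer distinguish open from closed ports." Also "This make" should read "This makes".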
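Review bot: in the second hunk the printk at no_tcp_socket fires once for every segment that reaches a port with no socket, with no rate limiting, so a remote host can fill the kernel log at line rate just by sending to closed ports; the option replaces one scanning signal with a log-flooding vector. Limit the message rate or keep a per-source counter and log it periodically. Note also that skipping tcp_v4_send_reset() here affects every segment that lands on this label, not only scan probes: a peer that connects to a closed port now waits out its retransmissions instead of getting an immediate refusal. Finally the symbol reads backwards, since CONFIG_TCP_ACKRST being defined is what suppresses the ACK+RST; CONFIG_TCP_NO_ACKRST or similar would match the behaviour.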

[Attachment: Config.in.diff]

--- net/ipv4/Config.in.orig Thu Dec 31 22:29:23 1998 +++ net/ipv4/Config.in Fri Jan 1 20:53:46 1999 @@ -79,6 +79,7 @@ #bool 'IP: Disable NAGLE algorithm (normally enabled)' CONFIG_TCP_NAGLE_OFF bool 'IP: Drop source routed frames' CONFIG_IP_NOSR bool 'IP: Allow large windows (not recommended if <16Mb of memory)' CONFIG_SKB_LARGE +bool 'IP: Do not send an ACK+RST if socket is not reachable' CONFIG_TCP_ACKRST #if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then #bool 'IP: support experimental checksum copy to user for UDP' CONFIG_UDP_DELAY_CSUM #fi
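Review bot: the prompt and the symbol disagree about the option's sense, and the prompt's wording is off: enabling CONFIG_TCP_ACKRST is what stops the ACK+RST, and "if socket is not reachable" describes the no_tcp_socket case, i.e. a port with no socket at all. Suggest e.g. bool 'IP: Do not send ACK+RST to TCP ports with no socket' CONFIG_TCP_NO_ACKRST. Since the option departs from standard TCP behaviour, it should also be placed inside a live if [ "$CONFIG_EXPERIMENTAL" = "y" ] block rather than beside the commented-out one that follows it.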

[Attachment: Configure.help.diff]

--- Documentation/Configure.help.orig Thu Dec 31 22:53:05 1998 +++ Documentation/Configure.help Thu Jan 7 10:53:22 1999 @@ -2684,6 +2684,16 @@ Mbit a second or satellite links this option will make no difference to performance. +IP: Do not send an ACK+RST if socket is not reachable +CONFIG_TCP_ACKRST + A TCP packet sent to a closed socket would usually cause an + ACK+RST send. Scanners such as nmap use this to scan for + open ports on your system. To permit sending an ACK+RST on + closed sockets enable this option. (In fact: NULL and FIN TCP + packets enable this scanning method called "stealth scanning") + + If unsure, say N (because you can not track the information). + Unix domain sockets CONFIG_UNIX This includes Unix domain sockets, the standard Unix mechanism for
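Review bot: the help text states the opposite of what the code does: "To permit sending an ACK+RST on closed sockets enable this option" should read "To suppress the ACK+RST ... enable this option", because tcp_v4_send_reset() is only skipped when CONFIG_TCP_ACKRST is set. The parenthetical about NULL and FIN packets and the closing "because you can not track the information" are unclear; suggest saying plainly that with the option enabled a port with no socket gives no answer, so a FIN or NULL probe cannot tell it from an open port, that each such segment is instead logged with printk at KERN_DEBUG, and that "socket" here means a TCP port with no listener.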

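The "tried closed TCP socket port" line is the only trace the patch leaves, and the mail itself notes that nmap's decoy option blurs it. As an added example, not part of the original mail or of the kernel, here is a small Python script that reads such lines from a syslog and builds a per-source view: which sources hit many distinct closed ports, and which sources hit an identical set of ports, the pattern a decoy scan leaves behind. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the patch's printk: "%d.%d.%d.%d tried closed TCP socket port %d"; search() skips the syslog prefix.
HIT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}) tried closed TCP socket port (\d{1,5})")

def parse_closed_port_hits(lines):
    """Map each source address to the set of closed ports it touched."""
    hits = defaultdict(set)
    for line in lines:
        m = HIT_RE.search(line)
        if m:
            hits[m.group(1)].add(int(m.group(2)))
    return dict(hits)

def likely_scanners(hits, min_ports=5):
    """Sources that probed at least min_ports distinct closed ports, busiest first."""
    found = [(src, len(ports)) for src, ports in hits.items() if len(ports) >= min_ports]
    return sorted(found, key=lambda t: (-t[1], t[0]))

def decoy_groups(hits):
    """Sources whose probed port sets are identical. Decoy addresses are made to hit exactly
    the real scanner's ports, so this groups one scan together without saying which source is real."""
    by_ports = defaultdict(list)
    for src, ports in hits.items():
        by_ports[frozenset(ports)].append(src)
    groups = [(ports, sorted(srcs)) for ports, srcs in by_ports.items() if len(srcs) > 1]
    return sorted(groups, key=lambda t: t[1])

# Constructed sample log: one stray connect, one sequential scan, one scan using a decoy.
SAMPLE_LOG = """\
Jan  7 11:12:03 gw kernel: 192.168.1.5 tried closed TCP socket port 22
Jan  7 11:12:04 gw kernel: eth0: link up
Jan  7 11:12:09 gw kernel: 10.0.0.7 tried closed TCP socket port 21
Jan  7 11:12:09 gw kernel: 10.0.0.7 tried closed TCP socket port 22
Jan  7 11:12:09 gw kernel: 10.0.0.7 tried closed TCP socket port 23
Jan  7 11:12:09 gw kernel: 10.0.0.7 tried closed TCP socket port 25
Jan  7 11:12:10 gw kernel: 10.0.0.7 tried closed TCP socket port 80
Jan  7 11:12:10 gw kernel: 10.0.0.7 tried closed TCP socket port 110
Jan  7 11:13:01 gw kernel: 172.16.0.2 tried closed TCP socket port 135
Jan  7 11:13:01 gw kernel: 172.16.0.3 tried closed TCP socket port 135
Jan  7 11:13:01 gw kernel: 172.16.0.2 tried closed TCP socket port 139
Jan  7 11:13:01 gw kernel: 172.16.0.3 tried closed TCP socket port 139
Jan  7 11:13:02 gw kernel: 172.16.0.2 tried closed TCP socket port 445
Jan  7 11:13:02 gw kernel: 172.16.0.3 tried closed TCP socket port 445
Jan  7 11:13:03 gw kernel: 172.16.0.2 tried closed TCP socket port 3306
Jan  7 11:13:03 gw kernel: 172.16.0.3 tried closed TCP socket port 3306
"""
```

Feed it `dmesg` or the kernel facility of syslog; the decoy pair stays below the scanner threshold on its own but shows up as one group in decoy_groups().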
