This is a patch to prevent stealth,fin,rst scans and slows down the tcp connect scan. well on the 2.4.16 kernel it doesnt Fingerprint the remote os . tested on debian potato running 2.4.16 Tested with nmap and queso . well you have to recompile your kernel with the nmap-freak-patch option checked and to turn on the antiscan feature you can set it using proc echo 1 > /proc/sys/net/ipv4/tcp_restrict echo 1 > /proc/sys/net/ipv4/icmp_restrict jaguar@vcert.org
----------------cut here------------------------
Only in linux-2.4.16/net/ipv4/: .depend
diff -uxr kernel-source-2.4.16/net/ipv4/Config.in linux-2.4.16/net/ipv4/Config.in
--- kernel-source-2.4.16/net/ipv4/Config.in Sat Sep 29 08:13:17 2001
+++ linux-2.4.16/net/ipv4/Config.in Mon Jan 28 05:59:51 2002
@@ -48,6 +48,7 @@
 bool ' IP: disable ECN support by default' CONFIG_INET_ECN_DISABLED
 fi
 bool ' IP: TCP syncookie support (disabled per default)' CONFIG_SYN_COOKIES
+bool ' IP: NMAP freak patch ' NMAP_FREAK_PATCH
 if [ "$CONFIG_NETFILTER" != "n" ]; then
 source net/ipv4/netfilter/Config.in
 fi
diff -uxr kernel-source-2.4.16/net/ipv4/icmp.c linux-2.4.16/net/ipv4/icmp.c
--- kernel-source-2.4.16/net/ipv4/icmp.c Thu Nov 8 04:09:36 2001
+++ linux-2.4.16/net/ipv4/icmp.c Mon Jan 28 05:47:52 2002
@@ -143,6 +143,10 @@
 int sysctl_icmp_echo_ignore_all;
 int sysctl_icmp_echo_ignore_broadcasts;
+#ifdef NMAP_FREAK_PATCH
+int sysctl_icmp_restrict = 0;
+#endif
+
 /* Control parameter - ignore bogus broadcast responses? */
 int sysctl_icmp_ignore_bogus_error_responses;
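Review bot: The new option symbol `NMAP_FREAK_PATCH` on the added `bool` line lacks the `CONFIG_` prefix that every neighbouring symbol in this hunk carries (`CONFIG_INET_ECN_DISABLED`, `CONFIG_SYN_COOKIES`, `CONFIG_NETFILTER`). As far as I can tell the 2.4 build's dependency tracking only records `CONFIG_*` identifiers when it generates `.depend`, so toggling this option would not cause icmp.c, sysctl_net_ipv4.c and tcp_ipv4.c — which all test it with `#ifdef NMAP_FREAK_PATCH` in the later hunks — to be rebuilt. Rename it `bool '  IP: NMAP freak patch' CONFIG_NMAP_FREAK_PATCH` and change the `#ifdef` in those three files to match. No hunk adds a help entry describing what the two sysctls do, so the option is also undocumented to anyone configuring the kernel.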
@@ -783,7 +787,10 @@
 icmp_param.offset=0;
 icmp_param.data_len=0;
 icmp_param.head_len=sizeof(struct icmphdr)+12;
+#ifdef NMAP_FREAK_PATCH
+ if(!sysctl_icmp_restrict)
 icmp_reply(&icmp_param, skb);
+#endif
 }
Common subdirectories: kernel-source-2.4.16/net/ipv4/netfilter and linux-2.4.16/net/ipv4/netfilter
diff -uxr kernel-source-2.4.16/net/ipv4/sysctl_net_ipv4.c linux-2.4.16/net/ipv4/sysctl_net_ipv4.c
--- kernel-source-2.4.16/net/ipv4/sysctl_net_ipv4.c Wed Oct 31 04:38:12 2001
+++ linux-2.4.16/net/ipv4/sysctl_net_ipv4.c Mon Jan 28 06:13:38 2002
@@ -35,6 +35,11 @@
 extern int sysctl_icmp_ratelimit;
 extern int sysctl_icmp_ratemask;
+#ifdef NMAP_FREAK_PATCH
+extern int sysctl_icmp_restrict;
+extern int sysctl_tcp_restrict;
+#endif
+
 /* From igmp.c */
 extern int sysctl_igmp_max_memberships;
@@ -153,6 +158,11 @@
 {NET_TCP_SYNCOOKIES, "tcp_syncookies", &sysctl_tcp_syncookies, sizeof(int), 0644, NULL, &proc_dointvec},
 #endif
+#ifdef NMAP_FREAK_PATCH
+ {NET_IPV4_ICMP_RESTRICT , "icmp_restrict", &sysctl_icmp_restrict, sizeof(int), 0644, NULL, &proc_dointvec},
+ {NET_IPV4_TCP_RESTRICT , "tcp_restrict", &sysctl_tcp_restrict, sizeof(int), 0644,NULL, &proc_dointvec},
+#endif
+
 {NET_TCP_TW_RECYCLE, "tcp_tw_recycle", &sysctl_tcp_tw_recycle, sizeof(int), 0644, NULL, &proc_dointvec},
 {NET_TCP_ABORT_ON_OVERFLOW, "tcp_abort_on_overflow",
diff -uxr kernel-source-2.4.16/net/ipv4/tcp_ipv4.c linux-2.4.16/net/ipv4/tcp_ipv4.c
--- kernel-source-2.4.16/net/ipv4/tcp_ipv4.c Mon Nov 5 23:16:12 2001
+++ linux-2.4.16/net/ipv4/tcp_ipv4.c Mon Jan 28 05:56:33 2002
@@ -63,6 +63,10 @@
 #include
 #include
+#ifdef NMAP_FREAK_PATCH
+int sysctl_tcp_restrict = 0;
+#endif
+
 extern int sysctl_ip_dynaddr;
 /* Check TCP sequence numbers in ICMP packets. */
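Review bot: The guard `if(!sysctl_icmp_restrict)` placed in front of `icmp_reply(&icmp_param, skb)` appears to duplicate a knob the kernel already has: the first icmp.c hunk shows `int sysctl_icmp_echo_ignore_all;` in its context, whose name already covers ignoring echo requests, and the `head_len=sizeof(struct icmphdr)+12` / `icmp_reply` pattern here suggests this is the echo-reply path (the enclosing function starts outside the hunk, so this is inferred). Unless `icmp_restrict` is meant to cover more than echo, it adds a second switch for the same behaviour under a less descriptive name. If it stays, the unbraced guard over a context line is easy to misread; write it `if (!sysctl_icmp_restrict)` with the call indented beneath it, and document the knob where it is defined in the earlier hunk with `/* Non-zero: do not answer ICMP echo requests (NMAP_FREAK_PATCH). */`.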
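Review bot: The two new ctl_table entries use `NET_IPV4_ICMP_RESTRICT` and `NET_IPV4_TCP_RESTRICT` as their ctl_name, but no hunk in this patch adds those constants to the sysctl enum, so either the posted patch is incomplete or they are defined somewhere not shown; as posted, building with the option on should fail on these two lines. Both entries use `proc_dointvec`, which accepts any int, while icmp.c and tcp_ipv4.c only test the value for zero/non-zero; a 0..1 range via the kernel's minmax handler would make the on/off contract explicit, though that needs the extra1/extra2 fields the sibling entries do not carry. The tcp_restrict entry also has `0644,NULL` where every other entry writes `0644, NULL`.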
@@ -1038,6 +1042,12 @@
 struct tcphdr *th = skb->h.th;
 struct tcphdr rth;
 struct ip_reply_arg arg;
+
+#ifdef NMAP_FREAK_PATCH
+if(sysctl_tcp_restrict)
+return;
+#endif
+
 /* Never send a reset in response to a reset. */
 if (th->rst)
-----------------------------------------------------------------
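Review bot: The early `return` on `sysctl_tcp_restrict` sits ahead of the existing `/* Never send a reset in response to a reset. */` check, so with the sysctl on this function emits no RST at all — not only towards scan probes but also towards legitimate peers whose segments reach a closed port or a connection this host no longer holds, who then keep retransmitting until their own timers expire instead of being told to give up (the function's signature is outside the hunk; the context suggests it is the RST-sending routine). That is a host-wide availability trade-off the preamble does not mention; a per-source rate limit, or a netfilter rule (`CONFIG_NETFILTER` is visible in the Config.in hunk), would quiet the host without affecting every peer. The two added lines are also at column 0 inside a function body and unbraced; `\tif (sysctl_tcp_restrict)` / `\t\treturn;` matches the surrounding indentation. Document the effect where the variable is defined in the earlier tcp_ipv4.c hunk, e.g. `/* Non-zero: suppress every outgoing TCP RST; legitimate peers will time out instead of getting a reset. */`.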