time to live

I'm wondering about the TTL for the sshd on Solaris 9 ... I read that you can change it to a different value to fool some OS "fingerprinting" tools such as queso or nmap. The default value is 255; I've tried to set it to 155 and 55, but nmap still sees that port 22 is open. Do you know something about that?

root@xxx # uname -a
SunOS xxx 5.9 Generic_118558-06 sun4u sparc SUNW,Ultra-1
root@xxx # ndd -get /dev/ip ip_def_ttl
255
root@xxx # ndd -set /dev/ip ip_def_ttl 55
root@xxx # ndd -get /dev/ip ip_def_ttl
55
BUT still:
pressytest@gentoo ~ # nmap -v 192.168.133.122

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-20 19:48 MEST
Initiating SYN Stealth Scan against 192.168.133.122 [1663 ports] at 19:48
Discovered open port 22/tcp on 192.168.133.122
Increasing send delay for 192.168.133.122 from 0 to 5 due to 18 out of 58 dropped probes since last increase.
Increasing send delay for 192.168.133.122 from 5 to 10 due to max_successful_tryno increase to 4
Increasing send delay for 192.168.133.122 from 10 to 20 due to max_successful_tryno increase to 5
The SYN Stealth Scan took 44.66s to scan 1663 total ports.
Host 192.168.133.122 appears to be up ... good.
Interesting ports on 192.168.133.122:
(The 1662 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 08:00:20:xx:xx:xx (SUN Microsystems)

Nmap finished: 1 IP address (1 host up) scanned in 44.997 seconds
               Raw packets sent: 1984 (79.3KB) | Rcvd: 1664 (76.5KB)
pressytest@gentoo ~ #

??? What would be a good value to prevent "easy&fast" remote portscanners from seeing it and make it "invisible"? :confused:

greetings PRESSY

The idea with fingerprinting is that you know an IP address that seems to be a computer. Now you want to know the brand (Solaris, HP-UX, AIX, etc.). Once you know that it is, say, a Solaris box, you then try known Solaris weaknesses. Since, by default, Solaris uses 255 as a TTL, if you see a TTL of 255, it might be Solaris. The trouble is that 255 is the max for TTL, and in the 90's a few OSes got burned with TTLs that were too small. My impression is that most vendors cranked TTL up to the max. If you really feel the need to fiddle with TTL, keep it high. 155 is not too bad. You might regret 55 though.

Changing the TTL is not going to close a port. You're trying to make them think you have a Linux box or something. That way they spend all the time hitting you with Linux attacks rather than Solaris attacks.

This is a bunch of jive if you ask me. Keep your Solaris box well patched and then you should not care if the bad guys know it's Solaris. Security by obscurity does not work. But here is another opinion.
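Added example, not part of the reply above and not nmap's code: the TTL heuristic the reply describes, written out so you can see what a scanner actually infers from an observed TTL and why 155 or 55 does not hide anything. Each router decrements the TTL by one, so the observer rounds the value it sees up to the nearest well-known initial TTL and reads the difference as the hop count. The initial-TTL table and the sample observations are constructed for this example; 255 for Solaris is the value PRESSY's `ndd -get /dev/ip ip_def_ttl` printed.

```python
"""Added example: what an observer infers from the IP TTL of a packet.

Not code from the thread. Models the common rounding heuristic: the
observed TTL is rounded up to the nearest well-known initial TTL, and
the difference is taken as the number of routers in the path.
"""
from dataclasses import dataclass
from typing import Optional

# Well-known default initial TTLs (constructed subset for this example).
# 255 for Solaris is the default the thread's ndd output shows.
KNOWN_INITIAL_TTLS = {
    64: "Linux / *BSD / macOS",
    128: "Windows",
    255: "Solaris / Cisco IOS / many network devices",
}


@dataclass
class TtlGuess:
    observed: int   # TTL value seen on the wire
    initial: int    # inferred initial TTL the sender started with
    hops: int       # inferred router hops = initial - observed
    family: str     # OS family usually associated with that initial TTL


def guess_from_ttl(observed: int, max_plausible_hops: int = 30) -> Optional[TtlGuess]:
    """Round the observed TTL up to the nearest known initial TTL.

    Returns None when no known initial value lies within max_plausible_hops,
    which is what a non-standard default (e.g. 155) produces: the observer
    gets no clean match rather than a wrong one.
    """
    if not 1 <= observed <= 255:
        raise ValueError("TTL must be between 1 and 255")
    for initial in sorted(KNOWN_INITIAL_TTLS):
        if observed <= initial and initial - observed <= max_plausible_hops:
            return TtlGuess(observed, initial, initial - observed,
                            KNOWN_INITIAL_TTLS[initial])
    return None


def guess_after_hops(initial_ttl: int, hops: int) -> Optional[TtlGuess]:
    """What a remote observer sees from a host that sends with initial_ttl
    and sits `hops` routers away.  A packet whose TTL reaches 0 in transit
    is dropped, so a too-small default means some peers never hear from you."""
    observed = initial_ttl - hops
    if observed <= 0:
        return None          # packet never arrives
    return guess_from_ttl(observed)


if __name__ == "__main__":
    # Constructed observations: stock Solaris 5 hops away, then the two
    # values PRESSY tried, seen 9 hops away.
    for observed in (250, 155 - 9, 55 - 9):
        print(observed, guess_from_ttl(observed))
    print("55 sent across 60 hops:", guess_after_hops(55, 60))
```

Run on the thread's own numbers this shows the three outcomes: 250 is read as Solaris five hops out; 146 (155 after nine hops) matches nothing within a plausible hop count, so the observer is left guessing; 46 (55 after nine hops) is rounded up to 64 and read as a Linux-family host nine hops out. None of the three has any effect on whether port 22 answers a SYN, which is what the nmap output reports.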

thx mate, got it. I read through the link; that's a good explanation. I see that it makes no sense on my configuration because:

pressytest@gentoo ~ # telnet 192.168.133.122 22
Trying 192.168.133.122...
Connected to 192.168.133.122.
Escape character is '^]'.
SSH-2.0-Sun_SSH_1.0.1
exit
Connection closed by foreign host.
pressytest@gentoo ~ # 

AND:

MAC Address: 08:00:20:xx:xx:xx (SUN Microsystems)

I would have to change my SSH server to OpenSSH and make a dummy MAC for another vendor. True, should work fine with a patched system.
thanks again
greetings PRESSY
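Added example, not part of PRESSY's post: the two fingerprints the post found that survive a changed TTL, the SSH identification string and the MAC vendor prefix, checked the way you would audit your own host's exposure. The banner parser follows the RFC 4253 format (`SSH-protoversion-softwareversion [SP comments]`); the OUI table is a constructed subset in which `08:00:20` is the Sun prefix nmap printed in the thread, and the full MAC used below is constructed since the thread masks it. One point worth knowing when weighing the "dummy MAC" idea: nmap only learns a MAC address when the target is on the same Ethernet segment (it comes from ARP, as with the 192.168.133.x scan above); a scanner elsewhere on the Internet never sees it.

```python
"""Added example: the non-TTL fingerprints a host leaks, as a self-audit.

Not code from the thread.  Parses the SSH identification line that
`telnet host 22` returned and looks up the OUI (first three octets) of a
MAC address in a small constructed vendor table.
"""
import re
from typing import Optional

# Constructed subset of the IEEE OUI registry.  08:00:20 is the prefix
# nmap reported for the Sun box in the thread.
OUI_VENDORS = {
    "08:00:20": "Sun Microsystems",
    "00:0c:29": "VMware",
}

# RFC 4253, section 4.2: SSH-protoversion-softwareversion [SP comments] CR LF
SSH_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def parse_ssh_banner(line: str) -> Optional[dict]:
    """Split an SSH identification string into its fields, or None if malformed."""
    m = SSH_BANNER_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def software_hint(software: str) -> str:
    """What the softwareversion field gives away about the platform."""
    if software.startswith("Sun_SSH"):
        return "Solaris (Sun SSH ships with the OS)"
    if software.startswith("OpenSSH"):
        return "OpenSSH (runs on many platforms; not platform-specific)"
    return "unknown"


def mac_vendor(mac: str) -> Optional[str]:
    """Look up the vendor for a MAC's OUI.  Accepts aa:bb:cc:dd:ee:ff or aa-bb-...."""
    parts = mac.lower().replace("-", ":").split(":")
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return OUI_VENDORS.get(":".join(parts[:3]))


def exposure_report(banner: str, mac: str) -> dict:
    """Summarise what a banner grab plus an on-link scan would reveal."""
    parsed = parse_ssh_banner(banner)
    return {
        "ssh_software": parsed["software"] if parsed else None,
        "platform_from_banner": software_hint(parsed["software"]) if parsed else "unparseable",
        "vendor_from_mac": mac_vendor(mac),
    }


if __name__ == "__main__":
    # Constructed inputs: the banner from the thread and a MAC with the
    # Sun prefix nmap printed (the last three octets are made up).
    print(exposure_report("SSH-2.0-Sun_SSH_1.0.1\r\n", "08:00:20:12:34:56"))
    print(exposure_report("SSH-2.0-OpenSSH_4.1\r\n", "02:00:00:00:00:01"))
```

The second call shows what PRESSY's proposed change would look like from the outside: an OpenSSH banner is not tied to one OS, and a locally administered address with an unregistered prefix returns no vendor. Whether that is worth doing is the point the earlier reply makes; the report just makes explicit what each signal does and does not disclose.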

Hi there,
There is another good and fun way to hide any particular service on your box; you may take a look at portknocking.org. Any port scanner is useless against this new "kind of connecting".

Cheers,
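Added example, not code from portknocking.org or from the post above: the core of a port-knocking daemon is a per-source state machine over connection attempts, and the interesting design question is what happens when a port sweep passes over the knock ports. The knock sequence, the timeout and the simulated attempts are all constructed for this example. The tracker has a `strict` mode (a connection to any non-sequence port resets the source's progress) and a lenient mode (unrelated ports are ignored), so the replayed sweep shows which combinations a scanner's ascending probe happens to satisfy.

```python
"""Added example: per-source knock-sequence tracking, the heart of a
port-knocking daemon.  Not portknocking.org's implementation.

observe() is fed one inbound connection attempt at a time (source,
destination port, timestamp) and returns True when that source has just
completed the sequence in order within the time window.
"""
from typing import Dict, Iterable, Sequence, Set, Tuple


class KnockTracker:
    def __init__(self, sequence: Sequence[int], window_seconds: float = 30.0,
                 strict: bool = True) -> None:
        if len(set(sequence)) != len(sequence):
            raise ValueError("knock ports must be distinct")
        self.sequence = tuple(sequence)
        self.window = window_seconds
        self.strict = strict
        # per source: (index of next expected knock, time the run started)
        self._progress: Dict[str, Tuple[int, float]] = {}
        self.opened: Set[str] = set()   # sources that completed the sequence

    def observe(self, src: str, dst_port: int, now: float) -> bool:
        if not self.strict and dst_port not in self.sequence:
            return False                       # lenient: ignore unrelated ports
        idx, started = self._progress.get(src, (0, now))
        if idx > 0 and now - started > self.window:
            idx, started = 0, now              # stale run: start over
        if dst_port == self.sequence[idx]:
            if idx == 0:
                started = now
            idx += 1
            if idx == len(self.sequence):      # sequence complete
                self._progress.pop(src, None)
                self.opened.add(src)
                return True
            self._progress[src] = (idx, started)
        elif dst_port == self.sequence[0]:
            self._progress[src] = (1, now)     # wrong knock, but a valid restart
        else:
            self._progress.pop(src, None)      # wrong knock: reset
        return False


def simulate_sweep(tracker: KnockTracker, src: str, ports: Iterable[int],
                   start: float = 0.0, step: float = 0.01) -> bool:
    """Replay an ascending port sweep from one source and report whether it
    happened to complete the sequence."""
    hit = False
    for i, port in enumerate(ports):
        if tracker.observe(src, port, start + i * step):
            hit = True
    return hit


if __name__ == "__main__":
    # Constructed sequences: one ascending, one not.
    for seq in ((7000, 8000, 9000), (7000, 9000, 8000)):
        for strict in (True, False):
            t = KnockTracker(seq, strict=strict)
            opened = simulate_sweep(t, "10.0.0.9", range(1, 10001))
            print(f"sequence={seq} strict={strict}: sweep opened={opened}")
```

The replay makes the design point concrete: in lenient mode an ascending sequence is completed by an ordinary ascending sweep of all ports, because the knock ports are hit in exactly the right order, while a non-monotonic sequence is not; in strict mode neither is, because every intervening port resets the run. A deployment that wants the "scanners are useless" property the post describes therefore needs at least one of those two measures, and the time window keeps a half-finished run from lingering indefinitely.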