
Topic: How can I hide an Open port from Scanners?

Offline hack3rcon

How can I hide an Open port from Scanners?
« on: September 09, 2015, 06:08:42 PM »
Hello.
I want to open some ports on my system, but I don't like scanners like Nmap finding them. Can anyone show me some tricks for this?
What do you think about "http://www.portknocking.org/"?


Thank you.

Offline reeaws

Re: How can I hide an Open port from Scanners?
« Reply #1 on: September 10, 2015, 07:12:16 AM »
I think you answered your own question. I am using this method on Debian.

Offline kenjoe41

Re: How can I hide an Open port from Scanners?
« Reply #2 on: September 10, 2015, 12:09:46 PM »
You could do port knocking all the way if it is what you want, but there are a few alternatives to try out. It also depends on the service you want to hide. But security through obscurity is shit security. Google how to bypass port knocking measures. And unless you have a lot of scanning attempts on your port and need to make better use of your logs, port moving is also just a simple measure to reduce log clutter.

The better choices are to keep your system updated with the latest security patches and harden any services that need authentication. Here we go:

My choice, though it might be better if it's a corporate network, is to hide the service behind a VPN.
Other choice is to do a client-side certificate.
Other choice, use PKI.
And for SSH, fail2ban can be a good choice or any other rate limiting measures.

Don't fear port scans, embrace them.

Offline hack3rcon

Re: How can I hide an Open port from Scanners?
« Reply #3 on: September 10, 2015, 01:04:15 PM »
Thank you so much.
I thought port knocking was just for SSH!!! I use fail2ban too.


Offline proxx

Re: How can I hide an Open port from Scanners?
« Reply #4 on: September 10, 2015, 05:00:06 PM »
Just set SSH to some high port and use key negotiation only, pretty much unbreakable, the first exploit is still to be found.
SSH must be one of the most solid daemons out there.

From there you can also do: ssh -p 12345 -L 8000:somewebserveronyourlan:80 user@somehost.com
This will give you localhost:8000 and you can connect to the remote locally hosted (web)server if your SSH host has access to it.
I use this on a daily basis, very nifty stuff.
Can be used from PuTTY or any nix or Mac box, thus cross-platform out of the box, do I need to say more?

'Hide' yeah ..
Does it really matter ?

But if you really want to hide, just set up an IP filter on the NAT port so only specific hosts can access it, that's as hidden as it gets.
In iptables it would look something like this:
iptables -I INPUT -p tcp -s REMOTEIPADDR --dport 22 -j ACCEPT

« Last Edit: September 10, 2015, 05:06:59 PM by proxx »

Offline hack3rcon

Re: How can I hide an Open port from Scanners?
« Reply #5 on: September 11, 2015, 09:48:37 AM »
These are my iptables rules:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
           tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: SET name: DEFAULT side: source
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: UPDATE seconds: 180 hit_count: 4 name: DEFAULT side: source
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable


Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable


Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere








In your opinion, is it enough?
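
What the three SSH rules in the posted INPUT chain do to repeated connection attempts, as an added example that is not part of the original thread: a simplified Python model of the `recent` match (SET, then UPDATE seconds 180 hit_count 4). The source addresses and timestamps are constructed, and the model ignores the kernel's cap on stored timestamps per source.

```python
from collections import defaultdict

SECONDS, HIT_COUNT = 180, 4   # values from the posted UPDATE rule


class RecentList:
    """Simplified model of one xt_recent list (the posted rules use 'DEFAULT')."""

    def __init__(self):
        self.stamps = defaultdict(list)   # source IP -> timestamps of recorded hits

    def set(self, src, now):
        # 'recent: SET' always matches and records the packet.
        self.stamps[src].append(now)

    def update(self, src, now):
        # 'recent: UPDATE seconds: 180 hit_count: 4' matches when at least
        # HIT_COUNT recorded hits fall inside the last SECONDS seconds; a
        # match records the packet again, which keeps the window sliding.
        hits = sum(1 for t in self.stamps[src] if now - t <= SECONDS)
        if hits >= HIT_COUNT:
            self.stamps[src].append(now)
            return True
        return False


def ssh_verdicts(attempts):
    """Walk the three SSH rules of the posted INPUT chain for NEW connections.

    attempts: iterable of (timestamp_seconds, source_ip), in time order.
    """
    recent = RecentList()
    verdicts = []
    for now, src in attempts:
        recent.set(src, now)                  # rule with no target: SET
        if recent.update(src, now):           # DROP rule: UPDATE ...
            verdicts.append((now, src, "DROP"))
        else:                                 # ACCEPT tcp dpt:ssh state NEW
            verdicts.append((now, src, "ACCEPT"))
    return verdicts


# Constructed sample: one source retrying quickly, one occasional admin login.
SAMPLE = [(0, "198.51.100.7"), (5, "198.51.100.7"), (10, "198.51.100.7"),
          (15, "198.51.100.7"), (20, "203.0.113.10"), (100, "198.51.100.7"),
          (300, "198.51.100.7")]

if __name__ == "__main__":
    for now, src, verdict in ssh_verdicts(SAMPLE):
        print(f"t={now:>3}s {src:<13} {verdict}")
```

A source that keeps retrying while blocked stays blocked, because each matched UPDATE records another hit; it is accepted again only once fewer than four hits remain inside the 180-second window.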


 


