
RE: Prevent passive fingerprinting



And tweak Apache to lie for you too.
ErrorDocument is there for a reason ;-) 
You'll need to hack Apache to make it lie about its ServerTokens,
and expose_php is another to add to the mix.
I've managed to get netcraft _really_ confused.  Of course none of
these is any real _protection_, but just like a firewall, they may
buy you more time to notice you're under attack.
Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                                       Tel. 07855 805 271
http://www.devitto.com                         mailto:[email protected]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Where do you want to go today?  Same as every day.... Windows Update.
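The Apache side of what Dom describes, as an added example that is not from the thread: the core directives that shrink or replace the stock version strings and error pages, for Apache httpd 2.x. The /errors/... paths are placeholders, and the ModSecurity 2.x block assumes that module is loaded (it is the "hack Apache" alternative to patching the source).

```apache
# Added example, not from the thread. Apache httpd 2.x directives for a server that
# gives away as little as the core allows without patching the source.

# Server header shrinks to just "Apache" (no version, OS or module list).
ServerTokens Prod

# No version footer on server-generated error and directory-index pages.
ServerSignature Off

# Stock error pages betray the httpd version and house style; serve your own.
# (/errors/... paths are placeholders for pages you provide.)
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html

# Actually lying about the product needs either a source patch or ModSecurity 2.x,
# which can overwrite the Server token. It needs ServerTokens Full so the full-length
# string is there to overwrite, which is why it is set again inside the block.
# Assumes the security2 module is loaded; otherwise the block is skipped.
<IfModule security2_module>
    ServerTokens Full
    SecServerSignature "Microsoft-IIS/6.0"
</IfModule>
```

Check the result with `curl -sI http://host/ | grep -i '^server:'` and by requesting a nonexistent path. The expose_php knob Dom mentions lives in php.ini, not httpd.conf: `expose_php = Off` removes the X-Powered-By header PHP adds to every response. As Dom says, none of this is protection; tools that fingerprint on header ordering and error behaviour rather than the banner string will still see through it.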
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of A.
Wright
Sent: Friday, February 06, 2004 9:41 PM
To: [email protected]
Subject: Re: Prevent passive fingerprinting
> > is there any option for pf to prevent passive os fingerprinting for 
> > the clients behind an obsd nat-box?
>
> Use 'modulate state' option on your 'pass out' rule to randomize TCP ISN 
> generation and options 'reassemble tcp timeout modulation', 'random-id'
> in your 'scrub' rule.
I've found that this does very little in the way of preventing OS
fingerprinting.  It does stop outsiders from guessing your uptime, but
that's about it.  From what I can tell, most OS fingerprinting is based on
the window size, ttl, SYN packet size, etc.  p0f is very educational if you
want to learn about it, especially the p0f.fp file
(http://lcamtuf.coredump.cx/p0f.shtml).  Setting min-ttl, or max-mss can
help, but p0f usually can still guess correctly using fuzzy matching.
I've found it much more effective to change some kernel variables.  Below
are some I've found useful on my FreeBSD systems:
net.inet.ip.ttl
net.inet.tcp.rfc1323
One of these makes more of a difference than the other, can't remember
which:
net.inet.tcp.recvspace
net.inet.tcp.sendspace
Here is a patch I've found to give you some control over TOS:
http://lists.freebsd.org/pipermail/freebsd-hackers/2003-May/001078.html
Just remember that if you're going to all this trouble to disguise your OS,
don't leave your OpenSSH banner on, like I did!  :-)
Aaron
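Aaron's point, that ISN and IP-ID randomization leave the fields p0f keys on untouched while a TTL or window change does not, shown as an added example that is not code from the thread or from p0f. It is a minimal passive fingerprinter in the spirit of p0f's SYN matching: it parses window size, TTL, DF bit, MSS and TCP option layout out of a raw IPv4/TCP SYN and matches them against a constructed signature table. The signatures, addresses and packets are illustrative assumptions, not p0f.fp entries, and "fuzzy" here simply ignores the window, a simplification of p0f's own fuzzy matching.

```python
# Added example (not code from the thread or from p0f): a minimal passive OS
# fingerprinter in the spirit of p0f's SYN matching. Signatures, addresses and
# packets are constructed for illustration; they are not p0f.fp entries.
import struct

# Constructed signature table: label -> (window, initial TTL, DF set, option layout).
SIGNATURES = {
    "FreeBSD-like": (65535, 64, True, ("mss", "nop", "wscale", "sackOK", "timestamp")),
    "Linux-2.4-like": (5840, 64, True, ("mss", "sackOK", "timestamp", "nop", "wscale")),
    "Windows-2000-like": (16384, 128, True, ("mss", "nop", "nop", "sackOK")),
}
OPTION_NAMES = {2: "mss", 3: "wscale", 4: "sackOK", 8: "timestamp"}


def encode_options(layout, mss=1460):
    """Encode a TCP option layout; pads with EOL (0x00) to a 4-byte boundary."""
    out = b""
    for name in layout:
        if name == "nop":
            out += b"\x01"
        elif name == "mss":
            out += struct.pack("!BBH", 2, 4, mss)
        elif name == "wscale":
            out += struct.pack("!BBB", 3, 3, 0)
        elif name == "sackOK":
            out += b"\x04\x02"
        elif name == "timestamp":
            out += struct.pack("!BBII", 8, 10, 0, 0)
    while len(out) % 4:
        out += b"\x00"
    return out


def build_syn(ttl, window, layout, df=True, ip_id=0, seq=0, mss=1460):
    """Build a raw IPv4+TCP SYN (checksums left zero; only fingerprint fields matter)."""
    opts = encode_options(layout, mss)
    tcp_len = 20 + len(opts)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ip_id,
                         0x4000 if df else 0, ttl, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # constructed addresses
    tcp_hdr = struct.pack("!HHIIBBHHH", 12345, 80, seq, 0,
                          (tcp_len // 4) << 4, 0x02, window, 0, 0)
    return ip_hdr + tcp_hdr + opts


def decode_options(raw):
    """Return (option layout as a tuple of names, MSS value or None)."""
    layout, mss, i = [], None, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # end of option list
            layout.append("eol")
            break
        if kind == 1:            # NOP carries no length byte
            layout.append("nop")
            i += 1
            continue
        length = raw[i + 1]
        if kind == 2:
            mss = struct.unpack("!H", raw[i + 2:i + 4])[0]
        layout.append(OPTION_NAMES.get(kind, "opt%d" % kind))
        i += length
    return tuple(layout), mss


def fingerprint(pkt):
    """Extract the passive-fingerprint fields from a raw IPv4/TCP SYN."""
    ver_ihl, _, total_len, ip_id, flags_frag, ttl, _ = struct.unpack("!BBHHHBB", pkt[:10])
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    _, _, seq, _, off, _, window = struct.unpack("!HHIIBBH", tcp[:16])
    layout, mss = decode_options(tcp[20:(off >> 4) * 4])
    return {"window": window, "ttl": ttl, "df": bool(flags_frag & 0x4000), "mss": mss,
            "opts": layout, "syn_size": total_len, "ip_id": ip_id, "seq": seq}


def guess_initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value (hops decrement it)."""
    return next(t for t in (32, 64, 128, 255) if t >= ttl)


def classify(pkt):
    """Return (label, fuzzy). Exact match on all four fields first; the fuzzy
    fallback ignores only the window (a simplification of p0f's fuzzy matching)."""
    fp = fingerprint(pkt)
    observed = (fp["window"], guess_initial_ttl(fp["ttl"]), fp["df"], fp["opts"])
    for label, sig in SIGNATURES.items():
        if sig == observed:
            return label, False
    for label, sig in SIGNATURES.items():
        if sig[1:] == observed[1:]:
            return label, True
    return None, False
```

Feeding the same constructed FreeBSD-like SYN through `classify` with a different IP ID and ISN (the fields pf's random-id and modulate state alter) returns the same label; changing only the window (recvspace) drops it to a fuzzy match, while changing the initial TTL (net.inet.ip.ttl) or dropping the wscale/timestamp options (rfc1323) leaves no match in this table. Note that `ip_id` and `seq` are parsed but never consulted by the matcher, which is exactly Aaron's observation.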