I am looking for ways to confuse port scanners. I do know this is of limited use, but it is mainly meant to slow attackers down and also to avoid ending up on sites like Shodan (or at least to make the data there irrelevant).
I came up with the following nftables rules (some details omitted):
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid drop comment "early drop of invalid packets"
        # ICMP (rate limit to prevent icmp flood)
        ip protocol icmp ct state new limit rate 5/second counter accept comment "accept rate limited ICMP requests"
        ip protocol icmp counter drop
        # Accept already established/related connections
        ct state {established, related} accept comment "accept all connections related to connections made by us"
        # Log any failed inbound traffic attempt
        log flags all prefix "FIREWALL REJECTED INPUT: " counter
        # Send a random ICMP rejection type to confuse port scanners
        numgen random mod 16 == 0 reject with icmp type 0
        numgen random mod 16 == 0 reject with icmp type 1
        numgen random mod 16 == 0 reject with icmp type 2
        numgen random mod 16 == 0 reject with icmp type 3
        numgen random mod 16 == 0 reject with icmp type 4
        numgen random mod 16 == 0 reject with icmp type 5
        numgen random mod 16 == 0 reject with icmp type 6
        numgen random mod 16 == 0 reject with icmp type 7
        numgen random mod 16 == 0 reject with icmp type 8
        numgen random mod 16 == 0 reject with icmp type 9
        numgen random mod 16 == 0 reject with icmp type 10
        numgen random mod 16 == 0 reject with icmp type 11
        numgen random mod 16 == 0 reject with icmp type 12
        numgen random mod 16 == 0 reject with icmp type 13
        numgen random mod 16 == 0 reject with icmp type 14
        numgen random mod 16 == 0 reject with icmp type 15
    }
}
It works quite well against nmap. The nmap output shows many errors ("unexpected ICMP type/code"), the output is very messy and hard to make use of, and the overall scan is much slower.
But I am wondering:
- Is there a better way to write the random rejection part, something like
{0-15}
(which does not work)? I also think it will generate up to 16 random numbers, although I only need one. I tried defining a variable but could not get it to work.
- Does it significantly slow down my machine (entropy exhaustion?)
- Could it cause problems for other machines on my network (I am thinking of multicast protocols receiving these random responses)?
- Do you think it is worth it overall (say, for an Internet-facing server)?
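An added example (Python, not code from the post or from nftables) that models how the posted chain behaves: because each `numgen random mod 16 == 0` rule draws its own random number, the reject rules are independent 1-in-16 trials evaluated in order, so the ICMP types are not chosen uniformly and a sizeable share of packets match no reject rule at all and reach the chain's policy drop. It computes the exact figures for the rule count and modulus used in the post, contrasts them with a single draw per packet, and runs a constructed Monte Carlo walk through the chain (no real traffic involved).

```python
# Added example (not part of the original post): a model of the posted
# nftables chain. Every "numgen random mod 16 == 0" rule draws its own random
# number, so the 16 reject rules are independent 1-in-16 trials evaluated in
# order, and a packet that matches none of them reaches "policy drop".
from fractions import Fraction
from random import Random
from typing import Dict, List, Tuple

MODULUS = 16          # "mod 16" in the posted rules
N_REJECT_RULES = 16   # one rule per ICMP type 0..15


def posted_chain_distribution(n_rules: int = N_REJECT_RULES,
                              modulus: int = MODULUS) -> Tuple[List[Fraction], Fraction]:
    """Exact probability that rule i (0-based, i.e. ICMP type i) is the one that
    rejects a packet, plus the probability that no rule matches (policy drop)."""
    p_hit = Fraction(1, modulus)
    p_miss = 1 - p_hit
    per_rule = [p_miss ** i * p_hit for i in range(n_rules)]   # rule i fires only if rules 0..i-1 missed
    fall_through = p_miss ** n_rules
    return per_rule, fall_through


def single_draw_distribution(n_types: int = N_REJECT_RULES) -> Tuple[List[Fraction], Fraction]:
    """What one random draw per packet, mapped to a type, would give instead:
    uniform over the types and no fall-through to policy drop."""
    return [Fraction(1, n_types)] * n_types, Fraction(0)


def simulate_posted_chain(n_packets: int, seed: int = 1) -> Dict[str, int]:
    """Monte Carlo walk through the chain as written, on constructed packets.
    Returns a count per outcome ("reject type N" or "policy drop")."""
    rng = Random(seed)
    counts: Dict[str, int] = {}
    for _ in range(n_packets):
        outcome = "policy drop"
        for icmp_type in range(N_REJECT_RULES):
            if rng.randrange(MODULUS) == 0:   # this rule's own numgen draw
                outcome = f"reject type {icmp_type}"
                break
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


if __name__ == "__main__":
    per_rule, fall_through = posted_chain_distribution()
    print(f"policy drop (no rule matched): {float(fall_through):.3f}")
    print(f"P(type 0) = {float(per_rule[0]):.4f}, P(type 15) = {float(per_rule[15]):.4f}")
    print(simulate_posted_chain(20_000))
```

Roughly 36% of packets reaching the random block match none of the 16 rules and are silently dropped, and type 0 is chosen about 2.6 times as often as type 15.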