Is it possible to prevent nmap from observing my machine entirely? After dropping all incoming connections with iptables, port scans return as "filtered". I'd prefer it if nmap couldn't see what ports existed at all. Is this possible?
The below solutions don't seem to work:
https://dangertux.wordpress.com/2011/09/18/defeating-port-scans-using-iptables/
http://prithak.blogspot.de/2011/12/blocking-nmap-scans-with-pf-and.html
If it's not possible to keep nmap from seeing my device, would it be possible to rate-limit so that nmap takes a REALLY long time to fully scan my IP?
Best Answer
A simple rate limit is not enough, because nmap increases its scan delay when it hits a rate limit. Here is the best you can do with iptables.
First create ipset lists
And iptables rules
How this works:
Here we store scanned ports in the scanned_ports set, and we only count newly scanned ports in our hashlimit rule. If a scanner sends packets to 5 different ports (see --hashlimit-burst 5), that means it is probably a scanner, so we add it to the port_scanners set.
The timeout of port_scanners is the block time for scanners (10 minutes in that example). It starts counting from the beginning again (see --exist) until the attacker stops scanning for 10 seconds (see --hashlimit-htable-expire 10000).
You can set these parameters to the values most appropriate for you.
Be aware that someone can get any IP blocked just by scanning with a spoofed source address. I suggest you don't set the block timeout too long.
Addition:
If you want to add a whitelist, create a whitelist set
and change the drop rule to use it.
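The following script is an added example, not the answer's own commands (which are not reproduced on this page): it reconstructs the ipset plus hashlimit scanner trap from the parameters the answer describes. The set names scanned_ports, port_scanners and whitelist, the 60-second scanned_ports entry lifetime and the use of `-m conntrack` are assumptions; the 600-second block, the 5-port burst and the 10000 ms idle expiry are the values the answer mentions. The rule text is produced by functions so it can be inspected before being applied as root.

```shell
#!/bin/sh
# Added example reconstructing the ipset + hashlimit port-scan trap.
# Assumed parameters (adjust to taste):
BLOCK_SECONDS=600      # how long a detected scanner stays in port_scanners (answer: 10 min)
SCANNED_TTL=60         # how long an (ip,port) pair counts as "already seen" (assumption)
IDLE_EXPIRE_MS=10000   # hashlimit bucket forgotten after 10 s of silence (answer)
BURST=5                # distinct new ports before the source is treated as a scanner (answer)

# Print the ipset commands. Sets carry timeouts so entries age out on their own;
# -exist makes re-running the script harmless.
ipset_cmds() {
    cat <<EOF
ipset -exist create port_scanners hash:ip family inet timeout $BLOCK_SECONDS
ipset -exist create scanned_ports hash:ip,port family inet timeout $SCANNED_TTL
ipset -exist create whitelist hash:ip family inet
EOF
}

# Print the iptables rules in evaluation order:
#  1. drop packets conntrack cannot classify (typical of malformed scan probes)
#  2. for a NEW connection to a port this source has NOT probed recently, count it
#     per source IP; once more than BURST distinct ports are hit inside the idle
#     window, add the source to port_scanners (--exist refreshes the block timer)
#  3. drop NEW connections from anything in port_scanners unless it is whitelisted
#  4. remember the (source,port) pair so repeats of the same port are not counted
iptables_cmds() {
    cat <<EOF
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate NEW -m set ! --match-set scanned_ports src,dst -m hashlimit --hashlimit-above 1/hour --hashlimit-burst $BURST --hashlimit-mode srcip --hashlimit-name portscan --hashlimit-htable-expire $IDLE_EXPIRE_MS -j SET --add-set port_scanners src --exist
iptables -A INPUT -m conntrack --ctstate NEW -m set --match-set port_scanners src -m set ! --match-set whitelist src -j DROP
iptables -A INPUT -m conntrack --ctstate NEW -j SET --add-set scanned_ports src,dst
EOF
}

# Number of iptables rules the trap installs (useful when auditing a ruleset).
rule_count() {
    iptables_cmds | grep -c .
}

# Apply the sets and rules. Requires root and the ipset/iptables binaries.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    ipset_cmds | sh -e && iptables_cmds | sh -e
}

# Usage: ./scan_trap.sh        -> print the commands for review
#        sudo ./scan_trap.sh apply -> install them
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    ipset_cmds
    iptables_cmds
fi
```

Add your own management addresses to the whitelist set (`ipset add whitelist 203.0.113.10`, a constructed address) before enabling the drop rule: because the block keys on the source address, a probe with a spoofed source can otherwise lock out any address you depend on, which is the reason the answer advises a short block timeout. Watching `ipset list port_scanners` also gives a simple view of which sources tripped the trap and when their entries will expire.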