How to make a port appear open in an nmap scan

To avoid someone knowing which ports are open on my machine, I thought it would be useful to open all unused ports so that the nmapper is unable to identify which ports are really open.

Tags: networking, netcat, nmap, port

edited Jan 5 at 13:18 by user123456
asked Dec 31 '18 at 9:52 by user123456

  • Something needs to open/listen to the port; unix.stackexchange.com/a/270647/117549 is an example, but you seem instead to be asking how you could have something listening to ~65,000 ports, correct?
    – Jeff Schaller
    Dec 31 '18 at 11:54

  • Related question: unix.stackexchange.com/questions/399626/…
    – Rui F Ribeiro
    Dec 31 '18 at 12:08

2 Answers

You have got labrea for people scanning your network IP addresses; I have not tested it for a good while now.

labrea - Honeypot for incoming IP connection attempts

labrea creates virtual machines for unused IP addresses in the
specified block of IP addresses. LaBrea sits and listens for ARP
"who-has" requests.

When an ARP request for a particular IP goes unanswered for longer
than its "rate" setting (default: 3 seconds), labrea crafts an ARP
reply that routes all traffic destined for the IP to a "bogus" MAC
address. labrea sniffs for TCP/IP traffic sent to that MAC address and
then responds to any SYN packet with a SYN/ACK packet that it creates.

To install it in Debian, do:

sudo apt-get install labrea

As for answering on some designated common ports, and providing alerts, you have got psad, though as far as I remember it was not about listening on all ports.

You can always run honeypots, though I have not tested them for a good while.

Nevertheless, and entering the realm of my opinion, I prefer to drop all connections to unused ports: the fewer services are exposed to the outside, the fewer avenues for attack.

answered Dec 31 '18 at 12:00 by Rui F Ribeiro, edited Dec 31 '18 at 13:54

  • Off topic, further references: "TCP/IP Illustrated, vol I - the protocols", 2nd edition, Stevens et al.
    – Rui F Ribeiro
    Dec 31 '18 at 12:14

On Linux, you can use iptables' socket match to have iptables know whether a TCP port is in use. Combined with the xtables-addons TARPIT target (also using LaBrea's concepts), this can make any unused TCP port look open automatically, while leaving actual open ports working as usual. For UDP there's probably not much difference between an open port not answering and a dropped port, so I'm not talking about it any more (just drop UDP by default).

Rules:

iptables -N openclosed                                          # new user-defined chain
iptables -A openclosed -p tcp -m socket --nowildcard -j RETURN  # a local socket exists for this packet: leave the chain, normal processing
iptables -A openclosed -p tcp -j TARPIT --honeypot              # no socket for this TCP port: TARPIT answers the SYN itself
iptables -I INPUT -j openclosed                                 # evaluate the chain first for all incoming packets; non-TCP falls through

Caveats: every connection makes a conntrack entry used by netfilter. This solution can thus make a lot of conntrack resources become used. Bear this in mind when the system is receiving an attack rather than a scan. While TARPIT can be used without netfilter (using NOTRACK), I'm not sure socket can, and anyway this can't be kept as simple as above. Adding the --honeypot option to TARPIT makes it cheaper for the scan if not sending data, but also for netfilter; feel free to remove it. Also, --nowildcard might or might not be suitable for router usage (but it's OK anyway for local usage in the INPUT chain).

answered Jan 3 at 20:18 by A.B

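To reason about what the openclosed chain does to a scan, here is an added example in Python (not code from the answer): it parses a constructed /proc/net/tcp table into the listening sockets that the socket match looks up, predicts for each SYN probe who answers and how nmap classifies the port with the rules absent, loaded as posted, or loaded without --nowildcard, and counts the TARPIT conntrack entries a full-range scan leaves behind. The sample table, the probe address 192.0.2.10 and the one-entry-per-tarpitted-port cost model are assumptions.

```python
# Added example (not code from the original answer): a model of the 'openclosed'
# chain. The /proc/net/tcp sample, the probe address and the cost model are assumptions.
import ipaddress

# Constructed /proc/net/tcp sample (x86 little-endian hex addresses): sshd and a web
# server bound to 0.0.0.0, a database bound only to 127.0.0.1, one ESTABLISHED
# connection and one TIME_WAIT socket.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18832 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 20117 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 20990 1 0000000000000000 100 0 0 10 0
   3: 0100007F:8124 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 21450 1 0000000000000000 20 4 30 10 -1
   4: 0100007F:B2E8 0100007F:0050 06 00000000:00000000 03:00001234 00000000     0        0 0 3 0000000000000000
"""
TCP_LISTEN = 0x0A      # LISTEN state code in /proc/net/tcp
WILDCARD = "0.0.0.0"   # a listener bound to "any" address


def _decode_addr(hex_addr):
    """'0100007F:1538' -> ('127.0.0.1', 5432)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = ipaddress.IPv4Address(int.from_bytes(bytes.fromhex(ip_hex), "little"))
    return str(ip), int(port_hex, 16)


def listening_sockets(proc_net_tcp):
    """Return {(bound_ip, port)} for every TCP socket in LISTEN state."""
    listeners = set()
    for line in proc_net_tcp.splitlines()[1:]:          # first row is the header
        fields = line.split()
        if len(fields) >= 4 and int(fields[3], 16) == TCP_LISTEN:
            listeners.add(_decode_addr(fields[1]))
    return listeners


def socket_match(dst_ip, port, listeners, nowildcard):
    """Mimic `-m socket [--nowildcard]` for a SYN to dst_ip:port: an exactly bound
    listener matches; a 0.0.0.0 listener is ignored unless --nowildcard is given."""
    return (dst_ip, port) in listeners or (nowildcard and (WILDCARD, port) in listeners)


def syn_probe(dst_ip, port, listeners, chain):
    """Predict (nmap state, responder) for one SYN probe. chain is None (rules not
    loaded), "default" (-m socket without --nowildcard) or "nowildcard" (as posted)."""
    has_service = (dst_ip, port) in listeners or (WILDCARD, port) in listeners
    if chain is None:
        return ("open", "service") if has_service else ("closed", "kernel RST")
    if socket_match(dst_ip, port, listeners, chain == "nowildcard"):
        return ("open", "service")   # RETURN: the real TCP stack answers
    return ("open", "TARPIT")        # crafted SYN/ACK; a conntrack entry is held


def scan_report(dst_ip, listeners, chain, ports=range(1, 65536)):
    """Summarise a SYN scan: ports that look open, ports really open, real services
    the chain hijacked into TARPIT, and conntrack entries the tarpit holds."""
    results = {p: syn_probe(dst_ip, p, listeners, chain) for p in ports}
    real = {p for p in ports if (dst_ip, p) in listeners or (WILDCARD, p) in listeners}
    return {
        "looks_open": sum(1 for s, _ in results.values() if s == "open"),
        "really_open": len(real),
        "hijacked_services": sorted(p for p in real if results[p][1] == "TARPIT"),
        "tarpit_conntrack_entries": sum(1 for _, w in results.values() if w == "TARPIT"),
    }
```

Comparing the "default" and "nowildcard" reports for an address the scanner actually reaches shows why the posted rules carry --nowildcard in INPUT: without it the 0.0.0.0-bound services are themselves diverted into TARPIT and stop working.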





























