[PLUG] nmap, curiosity, and courtesy

Steve Bonds 1s7k8uhcd001 at sneakemail.com
Fri Sep 17 11:15:03 UTC 2004


On Fri, 17 Sep 2004 07:34:48 -0700, Keith Lofstrom wrote:

> I can run nmap against the offending machines, and find out more about
> them, but this seems impolite (Mom said "two wrongs do not make a
> right"), and possibly a source of trouble.  What are the opinions here?

You might try one of the "passive" OS fingerprinting tools that do not
send packets to the remote system.  This is less accurate, but
probably good enough for your purposes.

For more info:
  * http://www.google.com/search?q=passive+os+fingerprinting
  * http://lcamtuf.coredump.cx/p0f.shtml

With regard to SSH, in addition to the usual local packet filtering
options, it's helpful to use the AllowUsers option in sshd_config as a
second layer of defense.  Most home systems only need to allow SSH
connections from a limited subset of hosts (e.g. work, other home
systems, etc.) so this added layer can be helpful.

Opinions vary, but most of the security professionals I've spoken with
think that for home users with few (if any) legal resources the best
thing to do is simply drop the traffic.  They even say that if you're
successfully hacked the best thing to do is reinstall, secure the
holes they used (if known) and move on with your life.  A quick note
to abuse at their-isp-if-known may be appropriate.

  -- Steve
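As an added illustration of the AllowUsers advice above (this is not code from the post or from OpenSSH), the script below mimics the documented sshd_config matching rules so a home user can sanity-check a restrictive config before relying on it: DenyUsers is consulted before AllowUsers, each pattern is either USER or USER@HOST, `*` and `?` are wildcards, and the HOST part is compared against the client's hostname and its IP address. The config fragment, user names and addresses are constructed for the example; real sshd only sees a hostname if reverse DNS is in use, so the address form of the pattern is the dependable one.

```python
"""Evaluate OpenSSH AllowUsers/DenyUsers against a login attempt.

Added example, not from the PLUG post: it mimics the documented
sshd_config matching rules (DenyUsers is checked before AllowUsers;
patterns are USER or USER@HOST with '*' and '?' wildcards; the HOST
part is matched against the client's hostname and its IP address).
"""
from fnmatch import fnmatchcase

# Constructed sshd_config fragment: the "second layer" the post recommends,
# limiting SSH logins to a few users from a few known networks.
SAMPLE_CONFIG = """
# ... other options ...
PasswordAuthentication no
DenyUsers  guest
AllowUsers alice@192.168.1.*  bob@*.work.example  carol
"""


def parse_sshd_config(text):
    """Return (allow_patterns, deny_patterns) collected from the config text."""
    allow, deny = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        key, values = parts[0].lower(), parts[1:]
        if key == "allowusers":
            allow.extend(values)
        elif key == "denyusers":
            deny.extend(values)
    return allow, deny


def _matches(pattern, user, host, addr):
    """True if one USER or USER@HOST pattern matches this login attempt."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return (fnmatchcase(user, user_pat)
                and (fnmatchcase(host, host_pat) or fnmatchcase(addr, host_pat)))
    return fnmatchcase(user, pattern)


def login_allowed(user, host, addr, allow, deny):
    """Apply sshd's documented order: DenyUsers first, then AllowUsers.

    With no AllowUsers lines at all, every user not denied is allowed;
    once any AllowUsers line exists, only matching users get in.
    """
    if any(_matches(p, user, host, addr) for p in deny):
        return False
    if allow and not any(_matches(p, user, host, addr) for p in allow):
        return False
    return True


if __name__ == "__main__":
    allow, deny = parse_sshd_config(SAMPLE_CONFIG)
    # Constructed login attempts: known home box, stranger, work host, etc.
    attempts = [
        ("alice", "desktop.lan", "192.168.1.20"),
        ("alice", "unknown", "203.0.113.7"),
        ("bob", "ws12.work.example", "198.51.100.9"),
        ("carol", "anywhere", "203.0.113.8"),
        ("guest", "desktop.lan", "192.168.1.20"),
        ("mallory", "desktop.lan", "192.168.1.20"),
    ]
    for user, host, addr in attempts:
        verdict = "allow" if login_allowed(user, host, addr, allow, deny) else "deny"
        print(f"{user}@{host} ({addr}): {verdict}")
```

The point the run makes is the one the post is getting at: once a single AllowUsers line exists, a valid account name with a valid password from an unlisted network (the `mallory` and roaming `alice` cases) is refused before authentication is even attempted, independent of whatever the packet filter in front of sshd does.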
