Yep, this is old knowledge that we have known for a long time; nowadays I just remembered it again.
=======
[root@ip-elite-1337.org conf]# nmap -A server_ip -PN
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-03-23 20:30 MST
Interesting ports on ************
Not shown: 1659 closed ports
PORT STATE SERVICE VERSION
25/tcp filtered smtp
42/tcp filtered nameserver
69/tcp filtered tftp
80/tcp open http?
111/tcp open rpcbind
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
161/tcp filtered snmp
162/tcp filtered snmptrap
445/tcp filtered microsoft-ds
631/tcp open http?
835/tcp open http?
1080/tcp filtered socks
1241/tcp filtered nessus
3128/tcp filtered squid-http
3306/tcp open mysql
6666/tcp filtered irc-serv
6667/tcp filtered irc
6668/tcp filtered irc
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port80-TCP:V=4.11%I=7%D=3/23%Time=4F6D3FE1%P=i686-redhat-linux-gnu%r(Ge
SF:tRequest,8F,"HTTP/1\.1\x20200\x20OK\r\nServer:\x20nginx\r\nDate:\x20Sat
SF:,\x2024\x20Mar\x202012\x2002:29:17\x20GMT\r\nContent-Type:\x20text/html
SF:\r\nConnection:\x20close\r\nX-Powered-By:\x20PHP/5\.2\.8\r\n\r\ntes")%r
SF:(HTTPOptions,137,"HTTP/1\.1\x20405\x20Not\x20Allowed\r\nServer:\x20ngin
SF:x\r\nDate:\x20Sat,\x2024\x20Mar\x202012\x2002:29:17\x20GMT\r\nContent-T
SF:ype:\x20text/html\r\nContent-Length:\x20166\r\nConnection:\x20close\r\n
SF:\r\n<html>\r\n<head><title>405\x20Not\x20Allowed</title></head>\r\n<bod
SF:y\x20bgcolor=\"white\">\r\n<center><h1>405\x20Not\x20Allowed</h1></cent
SF:er>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n")%r(RTSPReq
SF:uest,A6,"<html>\r\n<head><title>400\x20Bad\x20Request</title></head>\r\
SF:n<body\x20bgcolor=\"white\">\r\n<center><h1>400\x20Bad\x20Request</h1><
SF:/center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n")%r(X1
SF:1Probe,A6,"<html>\r\n<head><title>400\x20Bad\x20Request</title></head>\
SF:r\n<body\x20bgcolor=\"white\">\r\n<center><h1>400\x20Bad\x20Request</h1
SF:></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n")%r(
SF:FourOhFourRequest,155,"HTTP/1\.1\x20500\x20Internal\x20Server\x20Error\
SF:r\nServer:\x20nginx\r\nDate:\x20Sat,\x2024\x20Mar\x202012\x2002:29:17\x
SF:20GMT\r\nContent-Type:\x20text/html\r\nContent-Length:\x20186\r\nConnec
SF:tion:\x20close\r\n\r\n<html>\r\n<head><title>500\x20Internal\x20Server\
SF:x20Error</title></head>\r\n<body\x20bgcolor=\"white\">\r\n<center><h1>5
SF:00\x20Internal\x20Server\x20Error</h1></center>\r\n<hr><center>nginx</c
SF:enter>\r\n</body>\r\n</html>\r\n")%r(RPCCheck,A6,"<html>\r\n<head><titl
SF:e>400\x20Bad\x20Request</title></head>\r\n<body\x20bgcolor=\"white\">\r
SF:\n<center><h1>400\x20Bad\x20Request</h1></center>\r\n<hr><center>nginx<
SF:/center>\r\n</body>\r\n</html>\r\n")%r(DNSVersionBindReq,A6,"<html>\r\n
SF:<head><title>400\x20Bad\x20Request</title></head>\r\n<body\x20bgcolor=\
SF:"white\">\r\n<center><h1>400\x20Bad\x20Request</h1></center>\r\n<hr><ce
SF:nter>nginx</center>\r\n</body>\r\n</html>\r\n")%r(DNSStatusRequest,A6,"
SF:<html>\r\n<head><title>400\x20Bad\x20Request</title></head>\r\n<body\x2
SF:0bgcolor=\"white\">\r\n<center><h1>400\x20Bad\x20Request</h1></center>\
SF:r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n");
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=3/23%Tm=4F6D3FF0%O=80%C=1)
TSeq(Class=TR%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=N)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=N)
PU(Resp=Y%DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
Uptime 2.519 days (since Wed Mar 21 08:03:40 2012)
Nmap finished: 1 IP address (1 host up) scanned in 23.353 seconds
==========
Since we don't need ports 111, 631, 835 and 3306 (tcp) to be open to outsiders, we'd better filter them.
First of all check your interface; here we have eth0 and an alias of eth0, eth0:0.
Apply these netfilter rules:
====
service iptables start
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 111 -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 631 -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 835 -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 3306 -j DROP
service iptables save
====
Then it's better now:
===
[root@h4x0r]# nmap -A server_ip -PN
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-03-23 20:30 MST
Interesting ports on *********************88888
Not shown: 1659 closed ports
PORT STATE SERVICE VERSION
25/tcp filtered smtp
42/tcp filtered nameserver
69/tcp filtered tftp
80/tcp open http?
111/tcp filtered rpcbind
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
161/tcp filtered snmp
162/tcp filtered snmptrap
445/tcp filtered microsoft-ds
631/tcp filtered ipp
835/tcp filtered unknown
1080/tcp filtered socks
1241/tcp filtered nessus
3128/tcp filtered squid-http
3306/tcp filtered mysql
6666/tcp filtered irc-serv
6667/tcp filtered irc
6668/tcp filtered irc
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=3/23%Tm=4F6D3FF0%O=80%C=1)
TSeq(Class=TR%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=N)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=N)
PU(Resp=Y%DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
Uptime 2.519 days (since Wed Mar 21 08:03:40 2012)
Nmap finished: 1 IP address (1 host up) scanned in 23.353 seconds
==========
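Added example (not part of the original post): deriving the DROP rules from the scan's port table instead of typing each port by hand, so the rules always match what nmap reported as open. The allowlist `ALLOWED` and the function names are assumptions made for this sketch; the sample lines are constructed from the first scan above.

```shell
#!/bin/sh
# ALLOWED is an assumption: the ports that should stay reachable from outside.
ALLOWED="80"

# Constructed sample: a few lines of the port table from the first scan.
SCAN='25/tcp filtered smtp
80/tcp open http?
111/tcp open rpcbind
631/tcp open http?
835/tcp open http?
3306/tcp open mysql'

# Print the TCP ports nmap reports as "open" that are not in the allowlist.
unexpected_open() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "open" && $1 ~ /^[0-9]+\/tcp$/ {
            split($1, p, "/")
            if (!(p[1] in ok)) print p[1]
        }'
}

# Emit one iptables command per unexpected port (printed for review, not executed).
drop_rules() {
    for port in $(unexpected_open "$1" "$2"); do
        echo "/sbin/iptables -A INPUT -i $3 -p tcp --destination-port $port -j DROP"
    done
}

drop_rules "$SCAN" "$ALLOWED" eth0
```

Running `unexpected_open` on the port table of the second scan should print nothing; any port it still lists is one the rules missed.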
[fake fingerprinting]
Based on the scan above, we can see what our server's fingerprint gives away: nginx, the PHP version, etc.
To start, we can turn off the nginx server token seen in the nmap scan by adding:
===
server_tokens off;
====
In the nmap output we still see some of the default nginx fingerprint, e.g.:
===
head><title>400\x20Bad\x20Request</title></head>\r\n<body\x20bgcolo
SF:r=\"white\">\r\n<center><h1>400\x20Bad\x20Request</h1></center>\r\n<hr>
SF:<center>nginx</center>\
===
Let's make a fake 404 status page. Check your nginx.conf and you'll find the default 404, 500, 502, 503 and 504 status pages:
======
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
    root html;
}
=======
Let's make it simple:
=====
error_page 404 500 502 503 504 /50x.html;
location = /50x.html {
    root html;
}
====
As an example I use this:
=========
# cat 50x.html
<b>server punya acong</b>
=========
Then restart your httpd; here I use nginx as an example:
====
[root@elite-box conf]# killall -9 nginx
[root@elite-box conf]# /usr/sbin/chroot /home/nginx /usr/local/nginx/sbin/nginx
====
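Added example (not part of the original post): a check that lists what a captured HTTP response still reveals after the changes above, namely the `Server` header, the `X-Powered-By` header and the stock nginx error-page footer. The function name `leaks` and the three sample responses are constructed for this sketch, modelled on the probe responses in the nmap output.

```shell
#!/bin/sh
# Constructed samples modelled on the responses in the nmap fingerprint above.
RESP_200='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.8

tes'

RESP_400='<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx</center>
</body>
</html>'

RESP_CUSTOM='HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html

<b>server punya acong</b>'

# Print one finding per line for a raw response passed as $1.
leaks() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        function val(s) { sub(/^[^:]*:[ \t]*/, "", s); return s }
        NR == 1 && $0 !~ /^HTTP\// { body = 1 }   # bare error page, no header block
        !body && /^$/ { body = 1; next }          # blank line ends the headers
        !body && tolower($0) ~ /^server:/       { print "server=" val($0) }
        !body && tolower($0) ~ /^x-powered-by:/ { print "x-powered-by=" val($0) }
        body && /<center>nginx/                 { print "default-error-page" }'
}

for r in "$RESP_200" "$RESP_400" "$RESP_CUSTOM"; do
    leaks "$r"
    echo "--"
done
```

The nmap probes above drew 400 and 405 responses, which the `error_page` line does not list, so those responses are worth running through the same check.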