Preventing OS passive fingerprinting -- urgent please

Junior Member with 4 posts. | Join Date: Nov 2004 | Experience: Intermediate

Hi all,
I'm using Red Hat 7.2 (kernel 2.4.18).
I configured IPPersonality to prevent OS fingerprinting (IPPERS configured to look like a Windows machine). It fools NMAP and all active fingerprinting tools, but when I used ettercap in passive fingerprinting mode it correctly identifies the right Linux version.
Can any of you please tell me how to prevent passive OS fingerprinting? It's urgent.
Regds
Venkatesh

Distinguished Member with 2,051 posts. | Join Date: Nov 2002 | Location: Alberta, Canada | Experience: Windows: Decent. Unix/Linux: Advanced +1

www.icir.org/tbit/
I'm not sure, but I also think that tossing the box behind a nat firewall would do the trick, however, I'm not sure what that would do to your routing.
Why, specifically, do you need to block fingerprinting?

Junior Member with 4 posts. | Join Date: Nov 2004 | Experience: Intermediate

Quote:
Originally Posted by Whiteskin
www.icir.org/tbit/
I'm not sure, but I also think that tossing the box behind a nat firewall would do the trick, however, I'm not sure what that would do to your routing.
Why, specifically, do you need to block fingerprinting?
-----------------------------------------------------------------------------------------------------------
Thanks a lot for your reply.
Actually, I develop a piece of software to protect a web server, i.e. I have to place the software machine in between the web server and the internet. The software machine is transparent to the internet, and if any fingerprinting tools are applied to it they will only show the server details, not the software machine details.
That's why I'm asking how to fake passive fingerprinting tools. If you have any idea please send it to me, it's urgent.
Once again, thanks a lot.

Distinguished Member with 2,051 posts. | Join Date: Nov 2002 | Location: Alberta, Canada | Experience: Windows: Decent. Unix/Linux: Advanced +1

You could try User-mode Linux. Then, route everything through the UML kernel. This way you can run a different kernel than the currently booted one, fooling the sniffer. How this would work, I'm not sure. But I'm not a networking guru.

Distinguished Member with 14,984 posts. | Join Date: Apr 2003 | Location: 1265 Lombardi Ave | Experience: IIAHYAYCESA,YAADA!

Here is a little article I got from Tech Republic.

Quote:
INCREASE WEB SERVER SECURITY VIA OBSCURITY
In many organizations, Web server security starts with hardening the operating system (OS) and usually ends with creating a firewall rule or an access list on a router. However, the security profile for your Web server shouldn't end there.
Public Web servers are usually the weakest point in the security perimeter. You should take every step possible to maximize security on this public asset. Obscuring your Web server's identity by disguising and removing identifying details is a sound security principle. You can protect your Web server from hackers by changing your header information, renaming Web file extensions, and customizing error messages.
STOP HEADER BROADCASTING
By default, your Web server broadcasts the OS and the type/version information about the Web application that's serving the Web pages. This information isn't necessary to the clients that visit your Web site, but hackers and crackers can find it very useful. So change your Web server's banner or header information.
On UNIX platforms running Apache Web servers, you can use the mod_headers module to configure your Web header to say just about anything you like. If your organization uses a Microsoft platform, install IIS LockDown and use the configuration options under the URLScan's .ini file for replacing the header. When using these tools, be aware that they can possibly corrupt scripting platforms such as ColdFusion, ASP, and PHP.
I'd recommend checking out a product such as ServerMask from Port80 Software. ServerMask can safely remove or modify a variety of information and add minutes to multiple pages or sites on a single server without corrupting the scripting engines that deliver your content. This step could decoy an attacker into running the wrong attack scripts, which will generate multiple log entries and increase your probability of detecting an attack.
STOP FILE EXTENSION BROADCASTING
Web page extensions can also reveal the type of server you're running. File extensions like .asp or .aspx give away an IIS-powered Web server. Change the application mapping and rename your Web pages to .web. Decide on an extension naming standard and change the application mapping for that new extension.
For Apache servers, use the mod_negotiation module to stop broadcasting file extensions. When using mod_negotiation to remove file extensions from your Web pages, remember that you'll also need to use the mod_headers module to suppress the Content Location Header.
CHANGE ERROR BROADCASTING
Error messages also tend to indicate specific Web platforms. Create custom error messages for the most common Web error messages (e.g., 404 and 403) to further disguise your Web server and the OS on which it's running.
FINAL THOUGHTS
Disguising your Web server won't make your site invulnerable to attacks or stop the ubercracker, but it'll definitely frustrate the efforts of less experienced script kiddies. And while obscurity doesn't take the place of a properly patched and configured server, it does enable you to reduce your target signature and force an attacker to move on to easier prey.
Don't give hackers and crackers valuable information about your servers.
Security through obscurity isn't a new concept, but it's another valuable tool in your security toolbox.
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.
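
A check for the three leaks the quoted article lists (header banner, file extensions, default error messages), added here as an example and not taken from the thread or the article. The function names, the sample responses, the extensions beyond .asp/.aspx and the X-Powered-By / X-AspNet-Version headers are assumptions for illustration.

```python
import re

# Product/version token such as "Apache/1.3.27" or "PHP/4.3.1".
PRODUCT_VERSION = re.compile(r"\b[A-Za-z][\w.-]*/\d[\w.]*")
# .asp/.aspx come from the article; the other extensions are assumed additions.
REVEALING_EXT = re.compile(r"\.(aspx?|php\d?|cfm|jsp)\b", re.I)
# Assumed examples of platform headers that scripting engines add.
PLATFORM_HEADERS = ("x-powered-by", "x-aspnet-version")

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def audit_response(raw, request_path=""):
    """Return (check, evidence) pairs for each identity leak found."""
    status, headers, body = parse_response(raw)
    findings = []
    if PRODUCT_VERSION.search(headers.get("server", "")):
        findings.append(("server-banner", headers["server"]))
    for name in PLATFORM_HEADERS:
        if name in headers:
            findings.append(("platform-header", f"{name}: {headers[name]}"))
    if re.search(r"\.\w+", headers.get("content-location", "")):
        findings.append(("content-location", headers["content-location"]))
    if REVEALING_EXT.search(request_path):
        findings.append(("file-extension", request_path))
    banner = PRODUCT_VERSION.search(body) if status >= 400 else None
    if banner:  # default error pages often repeat the server banner
        findings.append(("error-page", banner.group(0)))
    return findings

# Constructed sample responses, not captured from any real server.
DEFAULT = ("HTTP/1.1 404 Not Found\r\nServer: Apache/1.3.27 (Unix) PHP/4.3.1\r\n"
           "X-Powered-By: PHP/4.3.1\r\nContent-Location: index.html.en\r\n\r\n"
           "<h1>Not Found</h1><address>Apache/1.3.27 Server at "
           "www.example.com Port 80</address>")
HARDENED = ("HTTP/1.1 404 Not Found\r\nServer: WebServer\r\n\r\n"
            "<h1>Page not found</h1>")

if __name__ == "__main__":
    for check, evidence in audit_response(DEFAULT, "/catalog/list.php"):
        print(f"{check:17} {evidence}")
    print("hardened:", audit_response(HARDENED, "/catalog/list"))
```

Run against your own server's responses after each change; an empty list means none of these application-layer checks fired, which says nothing about the TCP/IP-level passive fingerprinting asked about at the top of the thread.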