LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 07-24-2001, 05:21 PM   #1
tmiles
LQ Newbie
 
Registered: Jul 2001
Location: MD
Distribution: NETMAX
Posts: 18

Rep: Reputation: 0
Security


How can I make it so no one can find out my OS version when a network scan is done? Also how can I hide the BIND DNS version I am using? I am using NETMAX linux (on redhat 6.2)
 
Old 07-25-2001, 07:34 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Active fingerprinting tools like Nmap, Hunt and Queso rely on differences in the TCP/IP stack (TCP 3-way handshake reaction, initial/return payload, byte-order, system settings) to come up with a fingerprint. Then there's also passive fingerprinting (manually or with tools like Siphon) based on system settings like TTL, window size, TOS and DF flags (there's more, like ICMP payload, sequence/IP ident numbers, etc. etc. though).

Some behaviour can be changed by patching the kernel, some by echoing a value into /proc/sys/net/* keys. The TOS bits can be set through, for instance, ipchains. For more I think you really should read Fyodor's Phrack article and nmap docs, Kernel$(version)/Documentation/ip-sysctl, else look for docs by Vision, Dug Song or Spitz.

So at least 20+ params can be set from /proc to customize behaviour. There's a few patches around to help thwart recognition: Fpf or Finger Print Fu***r (dunno if it's LKM or kernel patch, never used it), then there's something (LKM?) against tracerouting, at least one setting from Solar Designer's Openwall kernel patch and Sytek's kernel patch.


Just try proc & patch customizing out, but remember this is "security by obscurity", not a true solution, and if someone effectively scans for banners it's of no use anyway (IIS5 on Linux, yeah right).

'Bout Netmax I don't know, but in BIND you would set up an ACL on the CHAOS zone named "bind". If it's hardcoded it'll require rebuilding. Look for printf'ed {BASE_}VERSION strings in the *.{c,h} code.

HTH somehow.

*(doh! I forgot to mention the obvious... firewalling helps thwart OS recon also...)

Last edited by unSpawn; 07-25-2001 at 08:18 AM.
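
To make the passive-fingerprinting fields listed in the post above concrete, here is an added example (not part of the thread) that pulls TTL, TOS, DF, IP ident, sequence number, window size and TCP option order out of one packet, then names the /proc/sys/net keys that influence them. The sample packet is constructed, and the helper names are this example's own.

```python
import struct

# Real Linux sysctl names; each governs whether a TCP option kind is offered.
OPTION_SYSCTL = {3: "tcp_window_scaling", 4: "tcp_sack", 8: "tcp_timestamps"}

def tcp_option_kinds(opts):
    """Option kinds in the order sent; the order itself is part of a fingerprint."""
    kinds, i = [], 0
    while i < len(opts) and opts[i] != 0:          # kind 0 = end of list
        if opts[i] == 1:                           # kind 1 = NOP, no length byte
            kinds.append(1)
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:  # malformed length, stop
            break
        kinds.append(opts[i])
        i += opts[i + 1]
    return kinds

def passive_fields(packet):
    """Fields a passive observer reads from one IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4 if packet else 0
    if ihl < 20 or len(packet) < ihl + 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("need an IPv4 packet carrying TCP")
    tos, _length, ident, frag = struct.unpack("!xBHHH", packet[:8])
    tcp = packet[ihl:]
    _sport, _dport, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    return {
        "ttl": packet[8], "tos": tos, "df": bool(frag & 0x4000),
        "ip_ident": ident, "seq": seq, "window": window,
        "options": tcp_option_kinds(tcp[20:(off_flags >> 12) * 4]),
    }

def proc_keys(fields):
    """The /proc/sys/net keys that influence what this packet showed."""
    names = ["ip_default_ttl"] + [OPTION_SYSCTL[k] for k in fields["options"]
                                  if k in OPTION_SYSCTL]
    return ["/proc/sys/net/ipv4/" + n for n in names]

# Constructed sample (not a real capture): one SYN, checksums left at zero.
SAMPLE_SYN = bytes.fromhex(
    "4500003c1c46400040060000c0000201c0000202"   # IPv4 header: DF set, TTL 64
    "c35000501234567800000000a0027d7800000000"   # TCP header: SYN, window 32120
    "020405b40402080a000000010000000001030300")  # MSS, SACK-ok, timestamp, NOP, wscale

if __name__ == "__main__":
    fields = passive_fields(SAMPLE_SYN)
    print(fields)
    print(proc_keys(fields))
```

Changing one of the listed keys and re-capturing a SYN from the host shows which fields move and which stay fixed by the kernel itself.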
 
Old 07-25-2001, 08:46 AM   #3
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 47
Have a look at http://www.linuxquestions.org/questi...ht=fingerprint. If you can access a port of a machine then you can pretty much fingerprint it. If you block all the ports then you don't have a problem, but then again you also don't have any available network services - not much use if you want to run a web server etc...

As for hiding the version of BIND you are using - do you just want to stop people from accessing it? If this is the case then you can just firewall the port. If you want people to be able to access it but not know the version then you probably want to hack the source code so it doesn't reply with the version, or replies with an incorrect version. But as mentioned, hiding possible holes isn't a very good way to go about security!

HTH

Jamie...
 
Old 07-25-2001, 10:43 PM   #4
tmiles
LQ Newbie
 
Registered: Jul 2001
Location: MD
Distribution: NETMAX
Posts: 18

Original Poster
Rep: Reputation: 0
Thanks!

Security is not the issue. The building I work in has a problem with using Linux. And even though I know it's secure, when they do Nmap scans etc. and see the Linux, or they run hydra and it comes up with the BIND version, they freak out. I could use UNIX (even though it's no more secure). So I want to hide the BIND version that comes back on the scan, and the OS version.
 
Old 07-26-2001, 02:51 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
In BIND 8 or 9's /etc/named.conf:
Code:
     options {
         // (your other options go here)
         version "Microsoft Office BINDer REL 1.0";
     };
:-]
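
To confirm that the `version` setting above took effect, an administrator can look at what the server returns for the `version.bind` TXT record in the CHAOS class. The following is an added example, not part of the thread: it builds that query and parses a reply. The sample replies are constructed, and the function names and the default server address are this example's own assumptions.

```python
import socket
import struct

TXT, CHAOS = 16, 3  # DNS record type TXT, class CH

def build_query(qid=0x1234, name="version.bind"):
    """DNS query for <name> CH TXT, the record that carries BIND's version."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return (struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + labels + b"\x00"
            + struct.pack("!HH", TXT, CHAOS))

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_version_reply(msg):
    """Return (rcode, [TXT strings]) from a reply to build_query()."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, strings = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # name + qtype + qclass
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        while rtype == TXT and rclass == CHAOS and rdata:
            strings.append(rdata[1:1 + rdata[0]].decode("ascii", "replace"))
            rdata = rdata[1 + rdata[0]:]
    return flags & 0x000F, strings

def sample_reply(text, rcode=0, qid=0x1234):
    """Constructed reply (not a capture); text=None means no answer record."""
    head = struct.pack("!HHHHHH", qid, 0x8400 | rcode, 1, 0 if text is None else 1, 0, 0)
    reply = head + build_query(qid)[12:]
    if text is not None:
        rdata = bytes([len(text)]) + text.encode("ascii")
        reply += b"\xc0\x0c" + struct.pack("!HHIH", TXT, CHAOS, 0, len(rdata)) + rdata
    return reply

def ask(server="127.0.0.1", timeout=3.0):
    """Send the query over UDP to a name server you administer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (server, 53))
        return parse_version_reply(s.recv(512))

if __name__ == "__main__":
    print(parse_version_reply(sample_reply("Microsoft Office BINDer REL 1.0")))
    print(parse_version_reply(sample_reply(None, rcode=5)))  # refused, no answer
```

A non-zero first value with an empty list means the server declined to answer; a string in the list is exactly what a scanner would report.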
 
  

