I am wondering about the TTL for the sshd on Solaris 9 ... I read that you can change it to a different value to fool some OS "fingerprinting" tools such as queso or nmap. The default value is 255; I've tried to set it to 155 and 55, but nmap still sees that port 22 is open. Do you know something about that?
Code:
root@xxx # uname -a
SunOS xxx 5.9 Generic_118558-06 sun4u sparc SUNW,Ultra-1
root@xxx # ndd -get /dev/ip ip_def_ttl
255
root@xxx # ndd -set /dev/ip ip_def_ttl 55
root@xxx # ndd -get /dev/ip ip_def_ttl
55
BUT still:
pressytest@gentoo ~ # nmap -v 192.168.133.122
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-20 19:48 MEST
Initiating SYN Stealth Scan against 192.168.133.122 [1663 ports] at 19:48
Discovered open port 22/tcp on 192.168.133.122
Increasing send delay for 192.168.133.122 from 0 to 5 due to 18 out of 58 dropped probes since last increase.
Increasing send delay for 192.168.133.122 from 5 to 10 due to max_successful_tryno increase to 4
Increasing send delay for 192.168.133.122 from 10 to 20 due to max_successful_tryno increase to 5
The SYN Stealth Scan took 44.66s to scan 1663 total ports.
Host 192.168.133.122 appears to be up ... good.
Interesting ports on 192.168.133.122:
(The 1662 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 08:00:20:xx:xx:xx (SUN Microsystems)
Nmap finished: 1 IP address (1 host up) scanned in 44.997 seconds
Raw packets sent: 1984 (79.3KB) | Rcvd: 1664 (76.5KB)
pressytest@gentoo ~ #
??? What would be a good value to prevent "easy&fast" remote port scanners from seeing it and to make it "invisible"?
greetings PRESSY
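An added example, not part of the original post: it parses constructed reply packets to show that the IP TTL set through `ip_def_ttl` and the TCP flags a scanner reads to decide whether a port is open are separate header fields. The function names, the 192.0.2.x addresses and the sample packets are assumptions made for illustration.

```python
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10

def build_reply(ttl, flags, sport=22, dport=40000):
    """Constructed 40-byte IPv4+TCP reply (checksums zeroed, sample data)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 1, 5 << 4, flags,
                      1024, 0, 0)
    return ip + tcp

def parse_reply(pkt):
    """Pull out the IP TTL and the TCP source port and flags."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 20:
        raise ValueError("not a complete TCP segment")
    sport, = struct.unpack_from("!H", pkt, ihl)
    return {"ttl": pkt[8], "sport": sport, "flags": pkt[ihl + 13]}

def port_state(flags):
    """Port state comes from the TCP flags alone; the TTL plays no part."""
    if flags & (SYN | ACK) == (SYN | ACK):
        return "open"
    return "closed" if flags & RST else "unknown"

def guess_initial_ttl(observed):
    """Round up to the next common default TTL (32, 64, 128, 255)."""
    return next(t for t in (32, 64, 128, 255) if observed <= t)

def summarize(pkt):
    r = parse_reply(pkt)
    return r["sport"], port_state(r["flags"]), guess_initial_ttl(r["ttl"])

if __name__ == "__main__":
    # The three TTL values tried in the post, each on a SYN/ACK from port 22.
    for ttl in (255, 155, 55):
        print(ttl, summarize(build_reply(ttl, SYN | ACK)))
    print("closed port:", summarize(build_reply(55, RST | ACK, sport=23)))
```

With all three TTL values the reply from port 22 is still classified as open; only the inferred initial TTL changes, and only for 55.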