grsecurity and nmap os detection

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.


Post by andy00 » Fri Apr 16, 2004 2:53 pm

I have a 2.6.4 kernel with grsecurity

if "echo 1 > /proc/...grsecurity/rand_ip_id"
then nmap will say that is a grsecurity kernel with 1000HZ patch

if "echo 0 > /proc/...grsecurity/rand_ip_id"
then nmap will not detect that it is a grsec kernel


Also, if "echo 0 > /proc/../tcp_timestamps"
then nmap will also detect a grsec kernel

and this option is exactly to stop OS fingerprint and uptime detection!
andy00
 
Posts: 2
Joined: Fri Apr 16, 2004 2:45 pm

Post by fwiffo » Fri Apr 23, 2004 8:17 am

In fact it will stop OS and uptime detection (not in all cases btw), but won't stop detecting that this is a grsec kernel, since those listed are things done only by this patch in a specific way :)
Of course there are other ways to stop even this and other detections, and one that I've read recently was pretty good...
IMHO a sysadmin should carefully look at all the specific things that those programs are looking at, for OS/various checks, and change what is needed accordingly, to completely fool them. Even the services should be modified, since another step to identify a machine is of course by the daemons that the machine is running... If one does such modification only on one machine, and can mask things pretty well, I hardly believe that one can guess what you're running, but it's still not impossible; one only has to do better research.

In conclusion (IMHO), there isn't a universal way to fool those programs, since even in the best case, something is left behind that will unmask the identity of the machine... If not today, tomorrow, but someone will find the difference, at least until something better appears, but I can't discuss anything that will do or will be done, since I'm not a hacker nor an experienced programmer/sysadmin ;)

P.S.: If I find the url or remember it (relative to fingerprinting fooling) I will post it, in any case, I wish you good luck, and a good research, since this is an intriguing argument! :P
fwiffo
 
Posts: 10
Joined: Fri Mar 12, 2004 6:50 pm
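
The point made in the thread, that settings meant to hide a host can themselves set it apart, shown as an added example that is not part of the original posts and is not nmap's algorithm. The trait heuristics, the 256 threshold, the host names and the sample values are all assumptions constructed for illustration.

```python
"""Added illustration: simplified trait heuristics, not nmap's own algorithm."""
from collections import Counter

def ipid_class(ids):
    """Classify IP ID values seen in consecutive replies from one host."""
    if all(i == 0 for i in ids):
        return "zero"
    if len(set(ids)) == 1:
        return "constant"
    # Differences modulo 2^16, because the IP ID field is 16 bits wide.
    diffs = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    # The threshold of 256 is an assumption chosen for this example.
    if all(0 < d < 256 for d in diffs):
        return "incremental"
    return "random"

def traits(obs):
    """Reduce one host's observations to the two traits from the thread."""
    return (ipid_class(obs["ip_ids"]), obs["ts_option"])

def anonymity_sets(observations):
    """Map each host to the number of hosts sharing its trait combination."""
    by_host = {h: traits(o) for h, o in observations.items()}
    counts = Counter(by_host.values())
    return {h: counts[t] for h, t in by_host.items()}

# Constructed observations (hypothetical host names, made-up values).
SAMPLE = {
    "host-a": {"ip_ids": [4101, 4102, 4104, 4105], "ts_option": True},
    "host-b": {"ip_ids": [65530, 65533, 2, 5], "ts_option": True},
    "host-c": {"ip_ids": [120, 121, 122, 125], "ts_option": True},
    "hardened": {"ip_ids": [51234, 877, 30021, 19], "ts_option": False},
}

if __name__ == "__main__":
    for host, size in anonymity_sets(SAMPLE).items():
        print(host, traits(SAMPLE[host]), "shared by", size, "host(s)")
```

A host whose trait combination is shared by only one machine stands out on its network even when each trait on its own reveals nothing about uptime or OS version.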

