And tweak Apache to lie for you too. ErrorDocument is there for a reason ;-) You'll need to hack Apache to make it lie about its ServerTokens, and expose_php is another to add to the mix.
I've managed to get netcraft _really_ confused.

Of course none of these is any real _protection_, but just like a firewall, they may buy you more time to notice you're under attack.

Dom

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto    Tel. 07855 805 271
http://www.devitto.com    mailto:[EMAIL PROTECTED]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Where do you want to go today? Same as every day.... Windows Update.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of A. Wright
Sent: Friday, February 06, 2004 9:41 PM
To: [EMAIL PROTECTED]
Subject: Re: Prevent passive fingerprinting

> > is there any option for pf to prevent passive os fingerprinting for
> > the clients behind an obsd nat-box?
>
> Use 'module state' option on your 'pass out' rule to randomize TCP ISN
> generation and options 'reassemble tcp timeout modulation', 'random-id'
> in your 'scrub' rule.

I've found that this does very little in the way of preventing OS fingerprinting. It does stop outsiders from guessing your uptime, but that's about it.

From what I can tell, most OS fingerprinting is based on the window size, ttl, SYN packet size, etc. p0f is very educational if you want to learn about it, especially the p0f.fp file (http://lcamtuf.coredump.cx/p0f.shtml).

Setting min-ttl, or max-mss can help, but p0f usually can still guess correctly using fuzzy matching.

I've found it much more effective to change some kernel variables. Below are some I've found useful on my FreeBSD systems:

net.inet.ip.ttl
net.inet.tcp.rfc1323

One of these makes more of a difference than the other, can't remember which:

net.inet.tcp.recvspace
net.inet.tcp.sendspace

Here is a patch I've found to give you some control over TOS:

http://lists.freebsd.org/pipermail/freebsd-hackers/2003-May/001078.html

Just remember that if you're going to all this trouble to disguise your OS, don't leave your OpenSSH banner on, like I did! :-)

Aaron
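Added example, not part of either message and not p0f's code: a Python parser that pulls out of a captured IPv4 SYN the fields discussed above (TTL, window size, SYN packet size) plus the TCP option layout and the RFC 1323 options, so you can compare what your own hosts expose before and after changing the sysctls. The two packets, the addresses and the helper names `syn_features`, `build_syn` and `changed` are constructed for illustration.

```python
import struct

OPT_NAMES = {2: "mss", 3: "ws", 4: "sackOK", 8: "ts"}

def syn_features(pkt: bytes) -> dict:
    """Return the IPv4/TCP SYN header fields a passive fingerprinter can read."""
    ihl = (pkt[0] & 0x0F) * 4
    _tos, total_len, _id, frag, ttl, proto = struct.unpack("!BHHHBB", pkt[1:10])
    tcp = pkt[ihl:total_len]
    if proto != 6 or len(tcp) < 20 or tcp[13] & 0x12 != 0x02:
        raise ValueError("not a TCP SYN")
    opts = tcp[20:(tcp[12] >> 4) * 4]
    layout, values, i = [], {}, 0
    while i < len(opts) and opts[i] != 0:       # kind 0 = end of option list
        if opts[i] == 1:                        # kind 1 = NOP, a single byte
            layout.append("nop")
            i += 1
            continue
        if i + 1 >= len(opts) or not 2 <= opts[i + 1] <= len(opts) - i:
            raise ValueError("malformed TCP option")
        name = OPT_NAMES.get(opts[i], f"?{opts[i]}")
        layout.append(name)
        values[name] = opts[i + 2:i + opts[i + 1]]
        i += opts[i + 1]
    return {
        "ttl": ttl,
        "initial_ttl_guess": next(t for t in (32, 64, 128, 255) if ttl <= t),
        "df": bool(frag & 0x4000),
        "syn_size": total_len,
        "window": struct.unpack("!H", tcp[14:16])[0],
        "mss": int.from_bytes(values["mss"], "big") if "mss" in values else None,
        "wscale": values["ws"][0] if values.get("ws") else None,
        "timestamps": "ts" in values,
        "layout": ",".join(layout),
    }

def build_syn(ttl: int, window: int, options: bytes) -> bytes:
    """Constructed sample SYN (zero checksums, documentation addresses); never sent."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      (5 + len(options) // 4) << 4, 0x02, window, 0, 0) + options
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, ttl, 6, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + tcp

def changed(a: dict, b: dict) -> list:
    return sorted(k for k in a if a[k] != b[k])  # fields that differ

# Constructed values, not taken from p0f.fp or from any real host.
BEFORE = build_syn(57, 65535, b"\x02\x04\x05\xb4\x01\x03\x03\x03\x04\x02\x08\x0a" + bytes(8))
AFTER = build_syn(121, 16384, b"\x02\x04\x05\xb4\x01\x01\x04\x02")
```

Fields that come out identical for both packets (here the MSS and the DF bit) are still visible after the tuning, which is worth checking against your own captures.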
