I forgot a few pretty cool iptables modules that I meant to mention. Here they are.
This module does passive OS fingerprinting. In other words, it watches packets as they come by, and uses quirks in the packet structure to determine what type of OS is at the other end of the connection, without doing any sort of probing. Even down to the level of being able to determine the service-pack that is installed. So, for example, you could cause systems without the latest service-pack to be redirected to a captive portal which would allow them to update to the latest errata.
There is a "pof" stand-alone program that you can run on an interface to watch the traffic coming through and display information about the detected OS on the remote end.
Port scan detection. Run a rule if you detect that a remote system is port-scanning you. This could be handy if people start moving their SSH ports to non-standard ports and attackers then start port-scanning for them.comments powered by Disqus