This patch is for Linux 2.4.18.  It hacks in a sysctl'able option to
send a SYN/ACK back during a reset (IPV4 only).  This should irritate
those who scan for open ports.  This violates the RFC, so your mileage may
vary. A special hello to all things w00w00. - 4/11/2002

usage: patch -p0 < linux-2.4.18-resetopen.patch

- dmess0r a.k.a. Evan Brewer <dm@eleet.st> -

diff -urN linux-2.4.18.orig/Documentation/Configure.help linux/Documentation/Configure.help
--- linux-2.4.18.orig/Documentation/Configure.help	Mon Feb 25 11:37:51 2002
+++ linux/Documentation/Configure.help	Sat Mar 23 02:46:09 2002
@@ -24382,6 +24382,13 @@
   information:  http://www.candelatech.com/~greear/vlan.html  If unsure,
   you can safely say 'N'.
 
+All TCP ports appear open
+CONFIG_NET_IPV4_SEND_RESET_OPEN
+  This option will enable the sending of SYN/ACK bits as part of the
+  TCP reset response to sending a SYN to a closed port.  Effectively, this
+  option will confuse port scanners into thinking all ports scanned,
+  (regardless of their actual state) are open.  IPV4 only at the moment.
+
 #
 # A couple of things I keep forgetting:
 #   capitalize: AppleTalk, Ethernet, DOS, DMA, FAT, FTP, Internet,
diff -urN linux-2.4.18.orig/arch/i386/config.in linux/arch/i386/config.in
--- linux-2.4.18.orig/arch/i386/config.in	Mon Feb 25 11:37:52 2002
+++ linux/arch/i386/config.in	Sat Mar 23 02:15:23 2002
@@ -425,3 +425,6 @@
 fi
 
 endmenu
+
+# dmess0r
+source security/Config.in
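Review bot: Only arch/i386/config.in gains the `source security/Config.in` line, so the new option can never be selected on any other architecture even though the code it controls (tcp_ipv4.c, sysctl.h, sysctl_net_ipv4.c) is architecture-independent. Either add the same line to the other arch config.in files or hook the menu from a shared place such as net/Config.in. The `# dmess0r` comment is a signature rather than a description; something like `# Security options (see security/Config.in)` tells a reader what is being pulled in.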
diff -urN linux-2.4.18.orig/include/linux/sysctl.h linux/include/linux/sysctl.h
--- linux-2.4.18.orig/include/linux/sysctl.h	Fri Mar 15 23:29:46 2002
+++ linux/include/linux/sysctl.h	Sat Mar 23 01:40:17 2002
@@ -289,7 +289,12 @@
 	NET_TCP_ADV_WIN_SCALE=87,
 	NET_IPV4_NONLOCAL_BIND=88,
 	NET_IPV4_ICMP_RATELIMIT=89,
+#ifdef	CONFIG_NET_IPV4_SEND_RESET_OPEN
+	NET_IPV4_ICMP_RATEMASK=90,
+	NET_IPV4_SEND_RESET_OPEN=91	/* dmess0r */
+#else
 	NET_IPV4_ICMP_RATEMASK=90
+#endif
 };
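Review bot: The `#ifdef` duplicates the `NET_IPV4_ICMP_RATEMASK=90` enumerator in both branches only to manage the trailing comma; keeping the existing `NET_IPV4_ICMP_RATEMASK=90,` line and wrapping just `NET_IPV4_SEND_RESET_OPEN=91 /* dmess0r */` in the `#ifdef`/`#endif` is shorter and leaves the original line untouched (a trailing comma before `}` is accepted by gcc). Making an enumerator's existence depend on a CONFIG_ symbol in this header is also fragile: any translation unit that includes linux/sysctl.h without linux/config.h already in scope will silently get the `#else` branch, and user-space programs built against this header never see the symbol at all, so they cannot name the sysctl by number. Defining the enumerator unconditionally and guarding only the table entry in sysctl_net_ipv4.c avoids both problems; note too that 91 is the next free slot and is likely to be claimed by a later upstream sysctl, which would make the two trees disagree.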
 
 enum {
diff -urN linux-2.4.18.orig/net/ipv4/sysctl_net_ipv4.c linux/net/ipv4/sysctl_net_ipv4.c
--- linux-2.4.18.orig/net/ipv4/sysctl_net_ipv4.c	Tue Oct 30 15:08:12 2001
+++ linux/net/ipv4/sysctl_net_ipv4.c	Sat Mar 23 01:45:24 2002
@@ -45,6 +45,11 @@
 extern int inet_peer_gc_mintime;
 extern int inet_peer_gc_maxtime;
 
+#ifdef	CONFIG_NET_IPV4_SEND_RESET_OPEN
+/* From tcp_input.c, dmess0r */
+extern int sysctl_tcp_v4_send_reset_open;
+#endif
+
 #ifdef CONFIG_SYSCTL
 static int tcp_retr1_max = 255; 
 static int ip_local_port_range_min[] = { 1, 1 };
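Review bot: The comment `/* From tcp_input.c, dmess0r */` is wrong: the variable is defined in net/ipv4/tcp_ipv4.c (see the tcp_ipv4.c hunk of this patch), so the comment should read `/* Defined in net/ipv4/tcp_ipv4.c */`. The same hunk pair is also inconsistent about the guard: this `extern` lives under `#ifdef CONFIG_NET_IPV4_SEND_RESET_OPEN`, while the definition in tcp_ipv4.c is unconditional, leaving a stray global in builds that do not enable the option; wrap the definition in the same `#ifdef`.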
@@ -219,6 +224,12 @@
 	 &sysctl_icmp_ratelimit, sizeof(int), 0644, NULL, &proc_dointvec},
 	{NET_IPV4_ICMP_RATEMASK, "icmp_ratemask",
 	 &sysctl_icmp_ratemask, sizeof(int), 0644, NULL, &proc_dointvec},
+#ifdef	CONFIG_NET_IPV4_SEND_RESET_OPEN
+	/* dmess0r */
+	{NET_IPV4_SEND_RESET_OPEN, "tcp_v4_send_reset_open",
+	 &sysctl_tcp_v4_send_reset_open, sizeof(int), 0640, NULL,
+	 &proc_dointvec},
+#endif
 	{0}
 };
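Review bot: The new entry uses mode `0640` while every neighbouring entry in this table uses `0644`, and the deviation is not explained. Hiding the value from unprivileged local users may well be intended, since a readable flag would reveal to anyone on the host that the open-port answers are decoys, but a reader cannot tell that from the code; either align the mode or add `/* 0640: do not let unprivileged users see whether the decoy is enabled */`. The handler accepts any integer through `proc_dointvec` although the consumer in tcp_ipv4.c only tests for non-zero; the file already keeps min/max arrays for `proc_dointvec_minmax` (see `ip_local_port_range_min` above), so bounding the value to 0..1 would follow the existing pattern.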
 
diff -urN linux-2.4.18.orig/net/ipv4/tcp_ipv4.c linux/net/ipv4/tcp_ipv4.c
--- linux-2.4.18.orig/net/ipv4/tcp_ipv4.c	Mon Feb 25 11:38:14 2002
+++ linux/net/ipv4/tcp_ipv4.c	Sat Mar 23 01:47:12 2002
@@ -65,6 +65,8 @@
 
 extern int sysctl_ip_dynaddr;
 
+int sysctl_tcp_v4_send_reset_open;
+
 /* Check TCP sequence numbers in ICMP packets. */
 #define ICMP_MIN_LENGTH 8
 
@@ -1059,6 +1061,17 @@
 		rth.ack = 1;
 		rth.ack_seq = htonl(ntohl(th->seq) + th->syn + th->fin
 				    + skb->len - (th->doff<<2));
+#ifdef	CONFIG_NET_IPV4_SEND_RESET_OPEN
+		/* sysctl'able assailant irritation, dmess0r */
+		if(sysctl_tcp_v4_send_reset_open) {
+			rth.ack = 1;
+			rth.rst = 0;
+			rth.syn = 1;
+
+			if(th->fin)
+				rth.fin = 1;
+		}
+#endif
 	}
 
 	memset(&arg, 0, sizeof arg); 
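Review bot: The new block is entered for every incoming segment that lacks the ACK bit, not only for a SYN, whereas the Configure.help text describes the feature as a SYN/ACK answer to a SYN sent to a closed port; a bare FIN probe or a data segment without ACK arriving at a closed port would also be turned into a SYN/ACK (with the FIN copied in), which is neither a valid reset nor a plausible listener reply. Gating on the SYN bit, `if (sysctl_tcp_v4_send_reset_open && th->syn) {`, matches the documented behaviour (kernel style also puts a space after `if`). The `rth.ack = 1;` inside the block repeats the assignment two lines above and can be dropped. The enclosing function starts before this hunk; if, as the surrounding code suggests, `rth.seq` and the window are not set on this no-ACK path, the decoy SYN/ACK goes out with a constant sequence number and a zero window, which makes it easy to distinguish from a real listener's reply and weakens the stated purpose. A descriptive comment such as `/* Optional decoy: answer a SYN to a closed port with SYN/ACK instead of RST (sysctl tcp_v4_send_reset_open) */` would serve readers better than `sysctl'able assailant irritation`.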
diff -urN linux-2.4.18.orig/security/Config.in linux/security/Config.in
--- linux-2.4.18.orig/security/Config.in	Wed Dec 31 16:00:00 1969
+++ linux/security/Config.in	Sat Mar 23 02:38:52 2002
@@ -0,0 +1,10 @@
+#
+# Security configuration, dmess0r
+#
+mainmenu_option next_comment
+comment 'Security'
+
+if [ "$CONFIG_SYSCTL" != "n" ]; then
+   bool '  All TCP ports appear open' CONFIG_NET_IPV4_SEND_RESET_OPEN
+fi
+endmenu
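Review bot: The option is offered whenever CONFIG_SYSCTL is not "n", but the code it enables lives in net/ipv4/tcp_ipv4.c, which is only built with CONFIG_INET; on an IPv4-less configuration the user can select a switch that controls nothing. Testing both symbols, `if [ "$CONFIG_INET" = "y" -a "$CONFIG_SYSCTL" != "n" ]; then`, restricts the prompt to builds where it has an effect. The menu title 'Security' is broad for a single TCP option; a comment line noting that the menu currently holds only the reset-decoy switch would set expectations for anyone extending it.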
