One way to do this with OpenBSD is to use Sealing Wafter.
Goals of Sealing Wafter:
- To reduce OS detection based on well-known fingerprints of network stack behavior.
- To have the ability to load custom rules into the stack.
- To unload, modify, and reload the kernel module with rules changed on the fly (a great feature at packet parties).
- To learn how the magic of TCP/IP stacks works.
What Sealing Wafter currently provides:
- Hides from Nmap SYN/Xmas/Null scans, as well as the specific fingerprinting packets.
- Ability to see what your stack is receiving without the need to drop your network device into promiscuous mode.
- Complete control over rules that you can load on the fly to deal with specific incoming packets.
- Initial support for several OS passive detection has been added for SYNs.
Weaknesses in current Sealing Wafter:
- Full connection scans, e.g. nmap -sT, will still find open ports. This is because I have yet to find anything that separates a real TCP connection from an Nmap full connection (most likely there isn't one).
- Can be very verbose when under heavy load. I have run this on my heaviest web servers, and have not noticed any major overhead.
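The following is an added example, not code from Sealing Wafter: a flag-based classifier for an incoming TCP header that separates Null and Xmas probes from normal traffic, and shows why a bare SYN carries the same flags whether it comes from a scan or a real client. The enum, macro and function names are hypothetical, and how Sealing Wafter itself matches packets is not stated on this page.

```c
#include <stddef.h>
#include <stdint.h>

/* TCP flag bits as laid out in byte 13 of the TCP header (RFC 793). */
#define TCPF_FIN  0x01
#define TCPF_SYN  0x02
#define TCPF_RST  0x04
#define TCPF_PUSH 0x08
#define TCPF_ACK  0x10
#define TCPF_URG  0x20

/* Hypothetical result codes for this example. */
enum probe_kind {
    PROBE_MALFORMED = -1, /* too short or bad data offset */
    PROBE_NONE = 0,       /* flag set a normal stack can emit */
    PROBE_NULL,           /* no flags at all (nmap -sN) */
    PROBE_XMAS,           /* exactly FIN|PSH|URG (nmap -sX) */
    PROBE_SYN_FIN,        /* SYN together with FIN: contradictory */
    PROBE_PLAIN_SYN       /* bare SYN: same flags for a scan or a real client */
};

/* Classify on the six classic flags only; the ECN bits are masked off. */
enum probe_kind classify_flags(uint8_t flags)
{
    flags &= 0x3f;
    if (flags == 0)
        return PROBE_NULL;
    if (flags == (TCPF_FIN | TCPF_PUSH | TCPF_URG))
        return PROBE_XMAS;
    if ((flags & (TCPF_SYN | TCPF_FIN)) == (TCPF_SYN | TCPF_FIN))
        return PROBE_SYN_FIN;
    if (flags == TCPF_SYN)
        return PROBE_PLAIN_SYN;
    return PROBE_NONE;
}

/* buf points at the first byte of a TCP header; len is the bytes available. */
enum probe_kind classify_segment(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 20)
        return PROBE_MALFORMED;
    if ((buf[12] >> 4) < 5)      /* data offset below the 20-byte minimum */
        return PROBE_MALFORMED;
    return classify_flags(buf[13]);
}
```
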
Download the C code for the LKM here: Sealing Wafter