port scanning
der.hans
PLUGd@LuftHans.com
Mon, 20 Mar 2000 00:09:14 -0700 (MST)
On Fri, 17 Mar 2000, The Wolf wrote:
> Do you see anything like
>
> Mar 16 22:18:37 YourBox kernel: Packet log: input DENY eth0 PROTO=1
> 1.2.3.4:0 1.2.3.4:0 L=84 S=0x00 I=38756 F=0x4000 T=241 (#5)
I wasn't when the packets weren't being allowed. I might've been during
the first scan, though.
> These would be your logging done by the kernel
>
> You have to specifie the -l option of firewall rules you want to track.
Yup.
> Now I do not know if you are running some other scan detection besides
> the
> ones provided by the ipchains.
It's got to be something besides ipchains. ipchains isn't dynamic, so it
can't shut off someone doing a port scan. Not directly anyway. Well it's
probably actually possible, but I'm not getting near that intense with my
rules :). It's probably the kernel as I didn't see any other processes
that looked like they would be doing that. snort was running, but again
it's not directly proactive. Also I shut it down.
> If not you shoud consider logging any syn packets trying to hit your box
> on 0 - 1024 and 6000 - 6060
I think I'm doing that.
Once this works I want to see if ipchains interferes with apps like
tcpdump and ethereal...
ciao,
der.hans
--
# +++++++++++=================================+++++++++++ #
# der.hans@LuftHans.com www.excelco.com #
# http://home.pages.de/~lufthans/ #
# I'm not anti-social, I'm pro-individual. - der.hans #
# ===========+++++++++++++++++++++++++++++++++=========== #