[Fwd: port scanning]

The Wolf xanadu@speedchoice.com
Fri, 17 Mar 2000 20:45:27 -0700


This is a multi-part message in MIME format.
--------------2AEE25058D7D2CE65FBDC9BE
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

The Wolf wrote:

> Do you see anything like
>
> Mar 16 22:18:37 YourBox kernel: Packet log: input DENY eth0 PROTO=1
> 1.2.3.4:0 1.2.3.4:0 L=84 S=0x00 I=38756 F=0x4000 T=241 (#5)
>
> These would be your logging done by the kernel
>
> You have to specifie the -l option of firewall rules you want to track.
>
> Now I do not know if you are running some other scan detection besides
> the
> ones provided by the ipchains.
>
> If not you shoud consider logging any syn packets trying to hit your box
> on 0 - 1024 and 6000 - 6060
>
> The Wolf
>
> "der.hans" wrote:
>
> > On Fri, 17 Mar 2000, Furmanek, Greg wrote:
> >
> > > did you check /var/log/messages ??
> >
> > Yup. Same with syslog, auth.log and all the other logs.
> >
> > ciao,
> >
> > der.hans
> > --
> > # +++++++++++=================================+++++++++++ #
> > #  der.hans@LuftHans.com                  www.excelco.com #
> > #           http://home.pages.de/~lufthans/              #
> > #   I'm not anti-social, I'm pro-individual. - der.hans   #
> > # ===========+++++++++++++++++++++++++++++++++=========== #
> >
> > _______________________________________________
> > Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> --
> "The questions is not if we are paranoid,
> the question is if we are paranoid enough."

--
"The questions is not if we are paranoid,
the question is if we are paranoid enough."



--------------2AEE25058D7D2CE65FBDC9BE
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

X-Mozilla-Status2: 00000000
Message-ID: <38D2F9CE.3E7B9698@speedchoice.com>
Date: Fri, 17 Mar 2000 20:36:46 -0700
From: The Wolf <xanadu@speedchoice.com>
X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.14-1mdklinus i586)
X-Accept-Language: en
MIME-Version: 1.0
To: plug-discuss@lists.PLUG.phoenix.az.us,
 	"der.hans" <PLUGd@LuftHans.com>
Subject: Re: port scanning
References: <Pine.LNX.4.21.0003171532040.14136-100000@gw-int.LuftHans.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Do you see anything like

Mar 16 22:18:37 YourBox kernel: Packet log: input DENY eth0 PROTO=1
1.2.3.4:0 1.2.3.4:0 L=84 S=0x00 I=38756 F=0x4000 T=241 (#5)


These would be your logging done by the kernel

You have to specifie the -l option of firewall rules you want to track.

Now I do not know if you are running some other scan detection besides
the
ones provided by the ipchains.

If not you shoud consider logging any syn packets trying to hit your box
on 0 - 1024 and 6000 - 6060


The Wolf


"der.hans" wrote:

> On Fri, 17 Mar 2000, Furmanek, Greg wrote:
>
> > did you check /var/log/messages ??
>
> Yup. Same with syslog, auth.log and all the other logs.
>
> ciao,
>
> der.hans
> --
> # +++++++++++=================================+++++++++++ #
> #  der.hans@LuftHans.com                  www.excelco.com #
> #           http://home.pages.de/~lufthans/              #
> #   I'm not anti-social, I'm pro-individual. - der.hans   #
> # ===========+++++++++++++++++++++++++++++++++=========== #
>
> _______________________________________________
> Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

--
"The questions is not if we are paranoid,
the question is if we are paranoid enough."




--------------2AEE25058D7D2CE65FBDC9BE--