port scanning

The Wolf xanadu@speedchoice.com
Fri, 17 Mar 2000 20:36:46 -0700


Do you see anything like

Mar 16 22:18:37 YourBox kernel: Packet log: input DENY eth0 PROTO=1 1.2.3.4:0 1.2.3.4:0 L=84 S=0x00 I=38756 F=0x4000 T=241 (#5)


That would be your logging done by the kernel.

You have to specify the -l option on the firewall rules you want to track.

Now I do not know if you are running some other scan detection besides
the ones provided by ipchains.

If not, you should consider logging any SYN packets trying to hit your box
on 0 - 1024 and 6000 - 6060.


The Wolf


"der.hans" wrote:

> On Fri, 17 Mar 2000, Furmanek, Greg wrote:
>
> > did you check /var/log/messages ??
>
> Yup. Same with syslog, auth.log and all the other logs.
>
> ciao,
>
> der.hans
> --
> # +++++++++++=================================+++++++++++ #
> #  der.hans@LuftHans.com                  www.excelco.com #
> #           http://home.pages.de/~lufthans/              #
> #   I'm not anti-social, I'm pro-individual. - der.hans   #
> # ===========+++++++++++++++++++++++++++++++++=========== #

--
"The question is not if we are paranoid,
the question is if we are paranoid enough."
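
Added example, not part of the original message or of ipchains itself: a small parser for the kernel "Packet log:" line format quoted above. It reports sources whose denied TCP packets touched several ports in the 0 - 1024 and 6000 - 6060 ranges the message suggests logging. The sample lines other than the one from the message are constructed, the min_ports threshold is an assumption, and the optional SYN marker is assumed to be printed by the kernel only on some versions.

```python
import re
from collections import defaultdict

# Field order follows the log line quoted in the message:
# chain, action, interface, PROTO, src:port, dst:port, L, S, I, F, T, (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)? \(#(?P<rule>\d+)\)"  # SYN marker: assumed optional
)
INT_FIELDS = ("proto", "sport", "dport", "length", "ipid", "ttl", "rule")

def parse_line(line):
    """Return a dict of fields for one ipchains log line, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    rec["syn"] = rec["syn"] is not None
    return rec

def watched(port):
    """Port ranges named in the message: 0 - 1024 and 6000 - 6060."""
    return 0 <= port <= 1024 or 6000 <= port <= 6060

def find_scanners(lines, min_ports=3):
    """Map source IP -> sorted watched TCP ports it hit, if >= min_ports."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == 6 and watched(rec["dport"]):
            hits[rec["src"]].add(rec["dport"])
    return {s: sorted(p) for s, p in hits.items() if len(p) >= min_ports}

FROM_MESSAGE = ("Mar 16 22:18:37 YourBox kernel: Packet log: input DENY eth0 "
    "PROTO=1 1.2.3.4:0 1.2.3.4:0 L=84 S=0x00 I=38756 F=0x4000 T=241 (#5)")
PFX = "Mar 17 01:02:0%d YourBox kernel: Packet log: input DENY eth0 PROTO=6 "
SAMPLE = [FROM_MESSAGE] + [  # constructed lines, documentation addresses
    (PFX % i) + "%s:%d 198.51.100.5:%d L=60 S=0x00 I=%d F=0x4000 T=52 SYN (#3)"
    % (src, 40000 + i, dport, 1000 + i)
    for i, (src, dport) in enumerate([("192.0.2.10", 23), ("192.0.2.10", 111),
        ("192.0.2.10", 6000), ("192.0.2.77", 80), ("192.0.2.77", 8080)])]

if __name__ == "__main__":
    print(find_scanners(SAMPLE))
```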