port scanning

der.hans PLUGd@LuftHans.com
Mon, 20 Mar 2000 00:09:14 -0700 (MST)


On Fri, 17 Mar 2000, The Wolf wrote:

> Do you see anything like
> 
> Mar 16 22:18:37 YourBox kernel: Packet log: input DENY eth0 PROTO=1
> 1.2.3.4:0 1.2.3.4:0 L=84 S=0x00 I=38756 F=0x4000 T=241 (#5)

I wasn't when the packets weren't being allowed. I might've been during
the first scan, though.

> These would be your logging done by the kernel
> 
> You have to specify the -l option on the firewall rules you want to track.

Yup.

> Now I do not know if you are running some other scan detection besides
> the ones provided by the ipchains.

It's got to be something besides ipchains. ipchains isn't dynamic, so it
can't shut off someone doing a port scan. Not directly, anyway. Well, it's
probably actually possible, but I'm not getting near that intense with my
rules :). It's probably the kernel, as I didn't see any other processes
that looked like they would be doing that. snort was running, but again
it's not directly proactive. Also, I shut it down.

> If not, you should consider logging any SYN packets trying to hit your box
> on 0 - 1024 and 6000 - 6060

I think I'm doing that.

Once this works I want to see if ipchains interferes with apps like
tcpdump and ethereal...

ciao,

der.hans
-- 
# +++++++++++=================================+++++++++++ #
#  der.hans@LuftHans.com                  www.excelco.com #
#            http://home.pages.de/~lufthans/              #
#   I'm not anti-social, I'm pro-individual. - der.hans   #
# ===========+++++++++++++++++++++++++++++++++=========== #
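The thread above makes two points: ipchains only logs (with -l) and does not
react on its own, and the suggested thing to log is SYN packets aimed at
ports 0-1024 and 6000-6060. The following is an added example, not code from
either poster: a small userspace script that parses the kernel's
"Packet log:" lines out of syslog and flags sources that hit several
watched ports with SYNs, which is the kind of dynamic step ipchains itself
cannot take. The field layout follows the line quoted in the thread; the
trailing "SYN" marker before the rule number, the 5-distinct-port
threshold, and all sample log lines are assumptions/constructed for the
example.

```python
import re
from collections import defaultdict

# ipchains "Packet log:" layout, taken from the line quoted in the thread:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<len> S=<tos> I=<id> F=<frag> T=<ttl> [SYN] (#<rule>)
# The optional " SYN" token before the rule number is an assumption about how
# the 2.2 kernel marks TCP SYN packets; adjust if your kernel logs differently.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) F=(?P<frag>0x[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

# Port ranges suggested in the thread (inclusive).
WATCHED_RANGES = ((0, 1024), (6000, 6060))
PROTO_TCP = 6

# Constructed sample syslog lines. The first is the ICMP line quoted in the
# thread (joined back onto one line); the rest are made up for this example.
SAMPLE_LOG = [
    "Mar 16 22:18:37 YourBox kernel: Packet log: input DENY eth0 PROTO=1 1.2.3.4:0 1.2.3.4:0 L=84 S=0x00 I=38756 F=0x4000 T=241 (#5)",
    "Mar 16 22:19:01 YourBox kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:40001 192.168.1.2:21 L=60 S=0x00 I=1001 F=0x4000 T=64 SYN (#3)",
    "Mar 16 22:19:01 YourBox kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:40002 192.168.1.2:22 L=60 S=0x00 I=1002 F=0x4000 T=64 SYN (#3)",
    "Mar 16 22:19:02 YourBox kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:40003 192.168.1.2:23 L=60 S=0x00 I=1003 F=0x4000 T=64 SYN (#3)",
    "Mar 16 22:19:02 YourBox kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:40004 192.168.1.2:25 L=60 S=0x00 I=1004 F=0x4000 T=64 SYN (#3)",
    "Mar 16 22:19:03 YourBox kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:40005 192.168.1.2:80 L=60 S=0x00 I=1005 F=0x4000 T=64 SYN (#3)",
    "Mar 16 22:19:03 YourBox kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:40006 192.168.1.2:6000 L=60 S=0x00 I=1006 F=0x4000 T=64 SYN (#3)",
    "Mar 16 22:19:04 YourBox kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:40007 192.168.1.2:5000 L=60 S=0x00 I=1007 F=0x4000 T=64 SYN (#3)",
    "Mar 16 22:19:05 YourBox kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.7:51515 192.168.1.2:80 L=60 S=0x00 I=2001 F=0x4000 T=128 SYN (#3)",
    "Mar 16 22:19:06 YourBox kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.7:51516 192.168.1.2:80 L=40 S=0x00 I=2002 F=0x4000 T=128 (#3)",
    "Mar 16 22:19:09 YourBox kernel: eth0: link up",
]


def parse_line(line):
    """Return a dict of the ipchains log fields, or None for non-matching lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    rec = {k: int(d[k]) for k in ("proto", "sport", "dport", "len", "id", "ttl", "rule")}
    rec.update(
        chain=d["chain"], target=d["target"], iface=d["iface"],
        src=d["src"], dst=d["dst"],
        tos=int(d["tos"], 16), frag=int(d["frag"], 16),
        syn=d["syn"] is not None,
    )
    return rec


def in_watched_range(port):
    """True if the destination port falls in one of the watched ranges."""
    return any(lo <= port <= hi for lo, hi in WATCHED_RANGES)


def find_scanners(lines, threshold=5):
    """Group TCP SYN hits on watched ports by source address and return
    {src: sorted list of distinct ports} for sources at or over threshold.
    Non-TCP, non-SYN, unparseable and out-of-range hits are ignored."""
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != PROTO_TCP or not rec["syn"]:
            continue
        if in_watched_range(rec["dport"]):
            ports_by_src[rec["src"]].add(rec["dport"])
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= threshold}


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"possible scan from {src}: ports {ports}")
```

Feeding it the live syslog (for example `tail -f /var/log/messages`) instead of
SAMPLE_LOG turns it into the "something besides ipchains" that could actually
react, e.g. by adding a DENY rule for the offending source; the threshold is a
tuning knob, since a single SYN to port 80 from 10.0.0.7 is not a scan.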