Hi,

scanlogd will be activated when multiple data packets from one unique source are sent to different ports of your Linux box in a short time. Many portscanners (like nmap for Linux) come with features to increase the amount of time between two port probes so that some scanning detection facilities like scanlogd may not notice them. Check the scanner software you used for your tests; maybe you/it did single port probes, not a real scan, which is much harder to detect.

scanlogd is a good detection tool to start with, but I recommend using portsentry (http://www.psionic.com/abacus/portsentry/), which is not only much better at detecting even stealth scans (half-open, SYN, christmas-tree, etc.) but also capable of "striking back" against the scanner, e.g. by dropping its route via ipchains. portsentry is also quite easy to configure and runs very smoothly on several of our Linux-based firewalls.

Boris Lorenz <bolo@lupa.de>

--- On 23-Jun-00 Timo Schulz wrote:
Hi list, a few days ago I portscanned "MY" Linux box from a windoze client. But when I looked for a scanlogd message, I couldn't find one. So I took a look at the /var/log/messages file. There I found out that the firewall blocks all unused ports (of course). But the scanner also tries the open ports, like mail, ssh, ftp or www. Why doesn't scanlogd remember this and add a portscan to the logfile?
Thanks in advance.
[...]
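The detection rule Boris describes (many distinct destination ports from one source within a short time) and the evasion he warns about (slowing the probe rate, or probing a single port) can be shown with a small sliding-window detector. The code below is an added example written for this thread; it is not scanlogd's or portsentry's code, and the threshold of 7 ports within 3 seconds, the address 192.0.2.x sources and the packet records are all constructed for illustration. Note that, as with scanlogd, a probe counts whether the port is open (ssh, www) or blocked by the firewall: the detector only looks at how many different ports one source touches.

```python
"""Sliding-window port-scan detector over constructed packet records."""
from collections import defaultdict, deque

# Illustrative thresholds (assumed, not scanlogd's built-in values).
PORT_THRESHOLD = 7      # distinct destination ports from one source ...
WINDOW_SECONDS = 3.0    # ... within this many seconds raises an alert


class PortScanDetector:
    """Per source address, keep the probes seen inside a sliding time window
    and alert once they cover PORT_THRESHOLD distinct destination ports.
    Open and closed ports count alike: only the port count matters."""

    def __init__(self, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self._probes = defaultdict(deque)   # src -> deque of (ts, dport)
        self.alerts = []                    # (src, sorted ports, ts)

    def observe(self, ts, src, dport):
        """Record one probe; return True if it completed a scan."""
        q = self._probes[src]
        while q and ts - q[0][0] > self.window:   # expire old probes
            q.popleft()
        q.append((ts, dport))
        distinct = {p for _, p in q}
        if len(distinct) >= self.threshold:
            self.alerts.append((src, sorted(distinct), ts))
            q.clear()                              # one alert per scan
            return True
        return False


def detect(packets, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Run the detector over (timestamp, src, dport) records, oldest first."""
    det = PortScanDetector(threshold, window)
    for ts, src, dport in sorted(packets, key=lambda r: r[0]):
        det.observe(ts, src, dport)
    return det.alerts


# Constructed sample traffic (not captured data).
SERVICES = [21, 22, 25, 80, 110, 143, 443]   # ftp, ssh, mail, www, ...

# A normal-speed scan: 7 ports in 0.6 seconds.
FAST_SCAN = [(0.1 * i, "192.0.2.10", p) for i, p in enumerate(SERVICES)]

# The same ports probed 5 seconds apart: nmap-style timing to evade detection.
SLOW_SCAN = [(10.0 + 5.0 * i, "192.0.2.20", p) for i, p in enumerate(SERVICES)]

# A single probe to one open port, which is not a scan at all.
SINGLE_PROBE = [(2.0, "192.0.2.30", 22)]

PACKETS = FAST_SCAN + SLOW_SCAN + SINGLE_PROBE

if __name__ == "__main__":
    for src, ports, ts in detect(PACKETS):
        print(f"portscan from {src} at t={ts:.1f}s, ports {ports}")
    print("with a 60s window:", detect(SLOW_SCAN, window=60.0))
```

With the 3-second window only 192.0.2.10 is reported; the slow scanner never has more than one probe inside the window, and the single probe never reaches the threshold. Widening the window (the last line) catches the slow scan too, at the price of more state per source and more false positives from busy legitimate clients, which is the trade-off every time-window scan detector makes.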