Re: [suse-security] Possible Hack attack?
Hi everybody,
There has been a lot of talk about portscans. What utility are you using to detect a portscan? Do I NEED a firewall before I can detect a portscan on the machine? Could someone please point me to a utility / package to simply detect such a portscan and send a mail to me (the Network Admin).
thanks,
Stefan Becker
LUFA Speyer
becker@lufa-sp.vdlufa.de
Right. But, as my log files show, in many cases an attack follows the port scan.
I _always_ contact the gateway admin if I find a port scan, and, in some cases, they find out that somebody intruded into their systems.
So I think it is helpful to inform admins about port scans that come from their systems. It's one way to avoid attacks followed by port scans.
Regards,
Martin
On Tue, Nov 30, 1999 at 10:14:36AM -0600, alex medvedev wrote:
hi,
Portsentry is good. You do not need a firewall to run it.
Hi all,
You can also try scanlogd, which comes with SuSE in the sec directory. It is used for detecting and logging portscans.
tflat
--
James F. Wilkus
http://www.xnot.com/editek
Licq 10933411
geek by nature, linux by choice
At 12:07 PM 11/30/1999 -0500, James F Wilkus wrote:
On Tue, Nov 30, 1999 at 10:14:36AM -0600, alex medvedev wrote:
hi,
Portsentry is good. You do not need a firewall to run it.
Hi all, You can also try scanlogd, which comes with SuSE in the sec directory. It is used for detecting and logging portscans.
tflat
--
James F. Wilkus
http://www.xnot.com/editek
Licq 10933411
geek by nature, linux by choice
I've had bad luck with scanlogd. I just caught a portscan via ipchains logs, and scanlogd didn't catch anything. Also, it reports a lot of 'fake' scans when I ftp to certain places.
scanlogd is a very simple tool. It reports multiple connections coming from one host in a short time. If you have a DENY or REJECT packet filter in front of it, the kernel doesn't process the packets any further, of course, and scanlogd won't see them.
If anybody is interested: I wrote a first draft of a scanlogd manpage. Contact me via PM if interested.
What do you think: would it be a good idea to add the functionality to run a script or program if a portscan has been detected? It seems to me that it would be a nice possibility to launch a script that inserts a deny rule against the source of the scan.
oki,
Steffen
--
This message was generated by machine and therefore bears neither signature nor seal.
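As an added illustration of the rule Steffen describes (this is my own example, not code from the thread or from scanlogd): a small Python script that applies the same "many ports from one host in a short window" rule to ipchains kernel log lines, which still see packets that a DENY rule in front of scanlogd hides from it. The log lines are constructed; the threshold, the window and the skipping of source port 20 (active-mode FTP data channels, the likely cause of the "fake scans when I ftp" complaint) are my assumptions, and the deny rule is only returned as text.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed lines in ipchains "Packet log:" syslog format (not from the thread): 10.9.8.7 probes
# four ports within seconds; 198.51.100.5 is an active-mode FTP server opening data channels from port 20.
SAMPLE_LOG = """\
Nov 30 10:14:36 gw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:40123 192.0.2.10:21 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#3)
Nov 30 10:14:36 gw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:40124 192.0.2.10:22 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#3)
Nov 30 10:14:38 gw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:40125 192.0.2.10:23 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#3)
Nov 30 10:14:38 gw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:40126 192.0.2.10:25 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#3)
Nov 30 10:20:00 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.5:20 192.0.2.10:1050 L=60 S=0x00 I=5 F=0x4000 T=64 SYN (#3)
Nov 30 10:20:01 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.5:20 192.0.2.10:1051 L=60 S=0x00 I=6 F=0x4000 T=64 SYN (#3)
Nov 30 10:20:02 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.5:20 192.0.2.10:1052 L=60 S=0x00 I=7 F=0x4000 T=64 SYN (#3)
Nov 30 10:20:03 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.5:20 192.0.2.10:1053 L=60 S=0x00 I=8 F=0x4000 T=64 SYN (#3)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: \S+ \S+ \S+ "
                     r"PROTO=\d+ (?P<src>[\d.]+):(?P<sport>\d+) [\d.]+:(?P<dport>\d+)")

def parse(line):
    """(timestamp, src, sport, dport) for an ipchains kernel packet-log line, else None. The year-less
    syslog stamp parses as 1900, which is fine because only differences between stamps are used."""
    m = LINE_RE.match(line)
    return None if m is None else (datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
                                   m["src"], int(m["sport"]), int(m["dport"]))

def detect_scans(log_text, threshold=4, window_s=60):
    """scanlogd-style rule: >= threshold distinct destination ports from one source within window_s.
    Packets from source port 20 are skipped, since active-mode FTP data channels look like a scan."""
    recent = defaultdict(deque)   # src -> (timestamp, dport) pairs still inside the window
    alerts = {}                   # src -> sorted probed ports, one alert per source
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev[2] == 20:
            continue
        ts, src, _, dport = ev
        q = recent[src]
        q.append((ts, dport))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and src not in alerts:
            alerts[src] = sorted(ports)
    return alerts

def deny_rule(src):
    """The ipchains rule a hook script could insert for a confirmed scanner; returned as text, never run here."""
    return f"ipchains -I input -s {src} -j DENY"
```

Since source addresses can be spoofed, feeding the returned rule straight into ipchains risks denying legitimate hosts; mailing it to the admin for review, as Stefan asked for, is the safer hook.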
Hello Steffen, Tuesday, November 30, 1999, 10:31:14 PM, you wrote:
scanlogd is a very simple tool. It reports multiple connections coming from one host in a short time. If you have a DENY or REJECT packet filter in front of it, the kernel doesn't process the packets any further, of course, and scanlogd won't see them.
That's it!
What do you think: would it be a good idea to add the functionality to run a script or program if a portscan has been detected? It seems to me that it would be a nice possibility to launch a script that inserts a deny rule against the source of the scan.
Why not combine portscand and logsurfer, both included on the SuSE CDs? However, I didn't get the logsurfer.conf syntax ...
Best regards,
Peter Hinse
research assistant
Sonderforschungsbereich 504
Universität Mannheim
mailto: peter@sfb504.uni-mannheim.de
What do you think: would it be a good idea to add the functionality to run a script or program if a portscan has been detected? It seems to me that it would be a nice possibility to launch a script that inserts a deny rule against the source of the scan.
There is a program called Portsentry that does just that.
http://www.psionic.com/abacus/portsentry/
Scott
Stefan Becker wrote:
Hi everybody, There has been a lot of talk about portscans. What utility are you using to detect a portscan? Do I NEED a firewall before I can detect a portscan on the machine?
There is a package named scanlogd in the sec series. Just installed it. Funny, there are no man pages and no description in /usr/doc/packages. Does anyone have any helpful pointers?
Juergen
Could someone please point me to a utility / package to simply detect such a portscan and send a mail to me (the Network Admin).
thanks, Stefan Becker LUFA Speyer
becker@lufa-sp.vdlufa.de
Right. But, as my log files show, in many cases an attack follows the port scan.
I _always_ contact the gateway admin if I find a port scan, and, in some cases, they find out that somebody intruded into their systems.
So I think it is helpful to inform admins about port scans that come from their systems. It's one way to avoid attacks followed by port scans.
Regards,
Martin
--
Juergen Braukmann
juergen.braukmann@gmx.de
Tel: 0201-743648
dk4jb@db0qs.#nrw.deu.eu