Hi list, I have a few questions about the detection of port scanning. In the IX 5/May 2000 magazine (German), the author writes that he uses nmap to scan a well-used web site. First I want to know if the victim can easily detect the scan and how to prevent such scans. Does SuSE 6.x contain any tools to do that? PS: I ask myself if it is legal to do portscans on any sites? -- Two-a-Day at joesixpack.net www.freenet.de/joesixpack keyid BF3DF9B4
On Wed, 26 Apr 2000, Timo Schulz wrote:
Hi list,
Hi Timo,
I have a few questions about the detection of port scanning. In the IX 5/May 2000 magazine (German), the author writes that he uses nmap to scan a well-used web site.
First I want to know if the victim can easily detect the scan and how to prevent such scans.
Yes, the victim can detect such scans (see below).
Does SuSE 6.x contain any tools to do that?
Yes, the package scanlogd; I guess it's in series "sec".
PS: I ask myself if it is legal to do portscans on any sites?
Just ask yourself what you would think if somebody scanned your host(s)/net(s). So better don't do such things. M Werner
Yes, the victim can detect such scans (see below).
Not in every case :-(
Does SuSE 6.x contain any tools to do that?
Yes, the package scanlogd; I guess it's in series "sec".
As far as I know scanlogd is a relatively simple program that doesn't help much. I've never seen a scanlogd warning (on our own server, of course) when trying nmap scans. And there were quite a few postings on this list that reported false scanlogd alarms (during normal FTP sessions etc.). scanlogd logs a warning if there are many simple connects to a range of ports with ascending numbers (I believe) in a certain time frame. But nmap is a *really* powerful scanner that can do many different types of scans which aren't easy to detect. And if you scan a range of port numbers using nmap, nmap is clever enough to try the ports in a random order...
PS: I ask myself if it is legal to do portscans on any sites?
Just ask yourself what you would think if somebody scanned your host(s)/net(s).
Well, I'm not sure if a scan legally is considered an attack, but security aware admins *do* consider it at least a kind of attack.
So better don't do such things.
Exactly. Jan Hildebrandt -- jan.hildebrandt@mathema.de MATHEMA Software GmbH (http://www.mathema.de) Nägelsbachstraße 25a D-91052 Erlangen, Germany Tel: (+49)9131/8903-0 Fax: (+49)9131/8903-55
On 26 Jan 2052, at 28:120, Jan Hildebrandt wrote:
Well, I'm not sure if a scan legally is considered an attack, but security aware admins *do* consider it at least a kind of attack.
Hi, that depends. Here in Austria we currently have no such judgements, but if compared to the real world, I assume that if you do not have a good reason to do a portscan, it is definitely illegal; likewise, if a burglar is caught while trying to find a weak point at a door with his tools, this is treated as an attempt to break into the house and he will be sentenced as if he had been caught after successfully breaking into that house. Although other law systems require the break-in to be successful to sentence. On the other hand, it is known that e.g. cable-TV companies that provide ISP services that do not allow servers to be run by their customers do portscans to find out whether some of their customers have such services in action. mike
Hello, I think that portscans (real portscans without SYN flooding, zero-byte, Xmas or something like these packets) are like looking around to see who is there... If you've left an unused or critical port world-open, it's your risk. To scan for open ports without trying to intrude or disturb the remote machine - I really see no illegal use. It's perhaps a little bit paranoid to report a normal portscan as an attempt to attack your machine? Sorry, bad English - I can just read it better... Oliver Grube --------------------------------------------- --IT-Secure - Mit Sicherheit gute Lösungen.-- --------------------------------------------- Security Support * oliver.grube@it-secure.de +49 2161 6897-180 * http://www.it-secure.de
On 26 Apr 2000, at 18:10, Oliver Grube wrote:
If you've left an unused or critical port world-open, it's your risk. To scan for open ports without trying to intrude or disturb the remote machine - I really see no illegal use.
It's perhaps a little bit paranoid to report a normal portscan as an attempt to attack your machine?
Hi, I think this gets off topic. How would you feel if someone examined your home's entrance door for possible weaknesses? mike
Dear Mike, The thing is that rules and laws are different in all countries. In some countries you have to really protect your property. There is basically no protection from the police. In other countries you can just leave the door open without being robbed. But as the internet is something global, it basically means that you have to protect your property yourself, however bad that may sound. Regulations from, for instance, the US may also apply to Europe, but will they also apply to Libya, Iran, China and other countries? Regards, Joop Boonen. Thomas Michael Wanka wrote:
On 26 Apr 2000, at 18:10, Oliver Grube wrote:
If you've left an unused or critical port world-open, it's your risk. To scan for open ports without trying to intrude or disturb the remote machine - I really see no illegal use.
It's perhaps a little bit paranoid to report a normal portscan as an attempt to attack your machine?
Hi,
I think this gets off topic. How would you feel if someone examined your home's entrance door for possible weaknesses?
mike
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
* Jan Hildebrandt wrote on Wed, Apr 26, 2000 at 13:37 +0000:
Yes, the victim can detect such scans (see below).
Not in every case :-(
That means AFAIK: there's no technical possibility for a solution. You could do a very "slow" scan (i.e. a single port a day) which wouldn't be detected by an IDS system, since you would get lots of false positives.
Yes, the package scanlogd; I guess it's in series "sec".
As far as I know scanlogd is a relatively simple program that doesn't help much.
I got some helpful hints already.
I've never seen a scanlogd warning (on our own server, of course) when trying nmap scans.
Maybe you're using a firewall that blocks those scans? With the default behavior (compile-time configuration) scanlogd looks at packets to the host only. You may compile it using libpcap, enable promiscuous mode, and install scanlogd on a machine of its own which is not running a firewall. It's not simple to configure scanlogd to match _your_ requirements, of course.
And there were quite a few postings on this list that reported false scanlogd alarms (during normal FTP sessions etc.).
It's a "good" practice to use the FTP data port as source for TCP scans. The only possibility is to watch the FTP logins. But this would open your system to "FTP bounce scans" (AFAIK); you wouldn't detect them. So I prefer false positives ;)
scanlogd logs a warning if there are many simple connects to a range of ports with ascending numbers (I believe) in a certain time frame.
scanlogd doesn't care about the port numbers; they must only be different.
But nmap is a *really* powerful scanner that can do many different types of scans which aren't easy to detect. And if you scan a range of port numbers using nmap nmap is clever enough to try the ports in a random order...
... and scanlogd detects them. Random-order scans are usually not FTP look-alikes. It might be a topic to think about, to improve scanlogd to log non-ascending port connects in a different manner. I made a patch which causes scanlogd to log scans against privileged ports (<1024) differently (another message + higher log level). Using this, FTP transfers and scans against high ports only still look similar, but at least syslog points out if there were scans against privileged ports. (The patch can be found if interested: http://sws.dett.de/patches/) oki, Steffen -- This message was generated by machine and therefore bears neither signature nor seal.
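A small detector in the spirit of what Jan and Steffen describe above (distinct destination ports per source within a time window, ascending vs random port order, a louder log level when privileged ports are hit, and the ambiguity of connects coming from the FTP data port); this is an added example, not scanlogd's code or Steffen's patch, and the window, threshold and sample traffic are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_SEC = 3.0   # assumed sliding window (not scanlogd's actual constants)
MIN_PORTS = 7      # assumed: distinct destination ports needed for an alert

def detect_scans(events):
    """events: (time_sec, src_ip, src_port, dst_port) tuples in time order.
    Returns one alert per source, raised the first time it touches MIN_PORTS
    distinct destination ports within WINDOW_SEC."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for t, src, sport, dport in events:
        q = recent[src]
        q.append((t, sport, dport))
        while t - q[0][0] > WINDOW_SEC:       # expire connects outside the window
            q.popleft()
        ordered = list(dict.fromkeys(d for _, _, d in q))  # distinct, arrival order
        if len(ordered) < MIN_PORTS or src in alerted:
            continue
        alerted.add(src)
        privileged = sum(1 for p in ordered if p < 1024)
        alerts.append({
            "src": src,
            "ports": ordered,
            # nmap-style random order vs the sequential sweep scanlogd assumes
            "order": "ascending" if ordered == sorted(ordered) else "random",
            "privileged": privileged,
            # like the patch described in the thread: louder for ports < 1024
            "level": "warning" if privileged else "notice",
            # every connect from source port 20 is indistinguishable from FTP data
            "ftp_data_like": all(sp == 20 for _, sp, _ in q),
        })
    return alerts

def sample_events():
    """Constructed traffic for the demo, not captured data."""
    ev = [(0.1 * i, "192.0.2.10", 40000 + i, p)             # ascending privileged scan
          for i, p in enumerate([21, 22, 23, 25, 53, 80, 110])]
    ev += [(1.0 + 0.1 * i, "198.51.100.7", 51000 + i, p)    # random-order high-port scan
           for i, p in enumerate([8080, 3306, 1433, 5900, 6000, 2049, 8443])]
    ev += [(2.0 + 0.1 * i, "203.0.113.5", 20, 50001 + i)     # FTP-data look-alike
           for i in range(7)]
    ev += [(5.0 * i, "192.0.2.99", 60000 + i, p)             # slow scan: one port per 5 s
           for i, p in enumerate([22, 25, 80, 110, 143, 443, 993])]
    return sorted(ev)

if __name__ == "__main__":
    for a in detect_scans(sample_events()):
        print(a["level"], a["src"], a["order"], a["ports"], a["ftp_data_like"])
```

The slow scanner never trips the window, which is exactly the gap Jan points at; the source-port-20 case alerts at "notice" with ftp_data_like set, the false-positive shape Steffen chooses to keep.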
Does SuSE 6.x contain any tools to do that?
Yes, the package scanlogd; I guess it's in series "sec".
Scanlogd works fine in most cases, but if you want your system to take actions against portscanners I prefer Portsentry. It's available at http://www.psionic.com In its default rules it opens a lot of fake ports and it puts the attacker's IP address in /etc/hosts.deny. I prefer not to open too many ports. You can also make weird routes to the attacker's IP address so he won't be able to communicate with your computer anymore. And there are many more options you can configure yourself. Take a look at their site if you would like to know more about the program. Good documentation is on their site, but it is also shipped with the program. Regards, S.G. Zijl
Hi Timo, On Wed, 26 Apr 2000, Timo Schulz wrote:
Hi list, I have a few questions about the detection of port scanning. In the IX 5/May 2000 magazine (German), the author writes that he uses nmap to scan a well-used web site.
First I want to know if the victim can easily detect the scan and how to prevent such scans.
Does SuSE 6.x contain any tools to do that?
Sure, scanlogd. I use another tool which is not part of SuSE6.x: the iplogger from debian, which gives more information about connection attempts and portscans. Get it on every debian mirror, it is called iplogger.deb. It works fine with SuSE6.x ... jops, Christoph
PS: I ask myself if it is legal to do portscans on any sites?
-- Two-a-Day at joesixpack.net www.freenet.de/joesixpack keyid BF3DF9B4
Hi,
Does SuSE 6.x contain any tools to do that?
scanlogd
PS: I ask myself if it is legal to do portscans on any sites?
It's at least legal in Germany. But the admins of the scanned site may get angry about you... Bye, Thomas -- Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: thomas@suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka" Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
On Wed, 26 Apr 2000, Thomas Biege wrote:
Hi,
Does SuSE 6.x contain any tools to do that?
scanlogd
PS: I ask myself if it is legal to do portscans on any sites?
It's at least legal in Germany. But the admins of the scanned site may get angry about you...
I'm sure laws vary in different places, but it's probably not illegal in most places unless someone actually breaks in. However, it's probably against almost any ISP's Acceptable Use Policy for one of their clients to be portscanning other machines and networks. We've had good success having disciplinary action (i.e. account disabling) taken against portscanning offenders by reporting the incidents to their upstream providers. The problem is that it happens so frequently on the sites I administer that it takes too much time to track down and report each case. It seems that it's an unfortunate part of life on the Internet these days; the best thing is to make sure all your systems are fully patched and as hardened as possible so nobody can take it further than probing for weaknesses. John Ritchie Oregon University System
Hi,
PS: I ask myself if it is legal to do portscans on any sites?
It's at least legal in Germany. But the admins of the scanned site may get angry about you...
I'm sure laws vary in different places, but it's probably not illegal in most places unless someone actually breaks in. However, it's probably against almost any ISP's Acceptable Use Policy for one of their clients to be portscanning other machines and networks. We've had good success having disciplinary action (i.e. account disabling) taken against
I really dislike this policy. If I don't like somebody on IRC, I just have to do a SYN scan with the IP source address of the guy I didn't like to disable his account. I think port scanning is an annoying thing of the new internet we have to live with...
portscanning offenders by reporting the incidents to their upstream providers. The problem is that it happens so frequently on the sites I administer that it takes too much time to track down and report each case. It seems that it's an unfortunate part of life on the Internet these days; the best thing is to make sure all your systems are fully patched and as hardened as possible so nobody can take it further than probing for weaknesses.
yepp. Bye, Thomas -- Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: thomas@suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka" Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
On Wed, 26 Apr 2000, Thomas Biege wrote:
Hi,
PS: I ask myself if it is legal to do portscans on any sites?
It's at least legal in Germany. But the admins of the scanned site may get angry about you...
I'm sure laws vary in different places, but it's probably not illegal in most places unless someone actually breaks in. However, it's probably against almost any ISP's Acceptable Use Policy for one of their clients to be portscanning other machines and networks. We've had good success having disciplinary action (i.e. account disabling) taken against
I really dislike this policy. If I don't like somebody on IRC, I just have to do a SYN scan with the IP source address of the guy I didn't like to disable his account. I think port scanning is an annoying thing of the new internet we have to live with...
portscanning offenders by reporting the incidents to their upstream providers. The problem is that it happens so frequently on the sites I administer that it takes too much time to track down and report each case. It seems that it's an unfortunate part of life on the Internet these days; the best thing is to make sure all your systems are fully patched and as hardened as possible so nobody can take it further than probing for weaknesses.
yepp.
Reading Thomas' email I realize I misspoke. I would have to say that it's probably an overreaction to report a mere _portscan_ with no further evidence of malicious attack, and I wouldn't do that either (aside from the impossibility of following up on each and every one). However, if there is evidence of break-in attempts that accompany the portscan (things like webserver logs that show exploit attempts and so forth), as there often are, I think that's sufficient grounds to pursue the matter with an originating ISP. There's the issue of source IP spoofing that is a tough one to address, but that's kind of beside the point in my opinion; if your site's being attacked and that's the information you have available, then that's what you use to try and solve the problem. In real life I've only ever pursued the matter when I see repeated actual break-in attempts from the same place over the course of days. Another reason not to get too excited about simple portscans is that an increasing number of GUI applications (read: Windows 9x, etc.) will have portscanning functionality built into them with the typical informative message attached to it. "Find out more about your network... sure, why not? Click." In other words, they're not really malicious, just uninformed that clicking the "find out about your network" button may be construed as hostile by the other members of the network. John Ritchie
On Wed, 26 Apr 2000, John Ritchie wrote:
On Wed, 26 Apr 2000, Thomas Biege wrote:
providers. The problem is that it happens so frequently on the sites I administer that it takes too much time to track down and report each case. It seems that it's an unfortunate part of life on the Internet these days;
There might be a second reason to report things. If you look at the various attacks that happened a while back [Yahoo etc.], they mostly came from machines that had been broken into. It isn't too much of a leap to figure that sooner or later the people being attacked will seek damages not from the crackers but from the people who let their machines be used for the attack. If you know of probes and don't report them [at the very least], I'd bet a lawyer would use that to show you were at least partly responsible. I'm not saying they will win damages, but you know somebody will sue sooner or later. If a too-hot cup of coffee is worth money, how much is crashing Yahoo worth? Nick -- Nick Zentena "The Linux issue," Wladawsky-Berger explained, "is whether this is a fundamentally disruptive technology, like the microprocessor and the Internet? We're betting that it is."