Mailinglist Archive: opensuse-security (192 mails)

RE: [suse-security] Portscans
  • From: Paul Kincaid <Paul.Kincaid@xxxxxxxxxxxxx>
  • Date: Tue, 2 May 2000 09:43:06 -0400
  • Message-id: <EB4212FD4915D411911100104B1006DF578F36@xxxxxxxxxxxxxxxxxxx>
I realize this thread is a week old, but one package that no one talked
about was Portsentry. It does not come bundled with SuSE, but it's free out
there -- just check http://www.freshmeat.net.

I run both scanlogd and portsentry, and portsentry gets the most use. Most
scans these days on the internet are to one port. I.e. a script kiddie will
scan a whole subnet for one particular port being open. That will not get
picked up by scanlog.

As for scanlogd and being the specific target of someone - I have had great
success with scanlog picking up the scans. Yes, there are some false
positives, but not that many.

I'm not going to get into the legal ramifications of port scanning
someone... But I usually just contact the admin of the site if it's obvious
that it could be a compromised system (i.e. you usually don't get scanned
from ns2.somewhere.com to port 23...) Also, if I get scanned, you are
automatically dropped into a "reject" route in my routing table. If I see
multiple attempts from the same site, I'll contact the ISP. Unfortunately,
as someone else said, it's something that we'll probably just have to live
with. Lock down your systems, keep up with the security threads, actively
monitor your logs and you'll be fine.

Just some of my thoughts...

Paul Kincaid

-----Original Message-----
From: Timo Schulz [mailto:twoaday@xxxxxx]
Sent: Wednesday, April 26, 2000 9:07 AM
To: SuSE Security
Subject: [suse-security] Portscans



Hi list,
I have a few questions about the detection of port scanning.
In the IX 5/May 2000 magazine (German), the author writes that
he uses nmap to scan a well used web site.

First I want to know if the victim can easily detect the scan
and how to prevent such scans.

Does SuSE 6.x contain any tools to do that?

PS: I ask myself whether it is legal to do portscans on any site?

--
Two-a-Day at joesixpack.net www.freenet.de/joesixpack keyid BF3DF9B4
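
The reply above notes that a sweep of one port across a whole subnet is not picked up by a detector that watches for many ports probed on one host. As an added example that is not part of the original thread, the sketch below counts both patterns per source over constructed connection records. The `SRC=/DST=/DPT=` line layout, the function names and both thresholds are assumptions chosen for illustration, and no time window is applied.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) DPT=(\d+)")

def build_sample():
    """Constructed records using documentation address ranges."""
    lines = []
    # One source probing port 23 on eight different hosts (single-port sweep).
    lines += [f"SRC=203.0.113.5 DST=192.0.2.{h} DPT=23" for h in range(10, 18)]
    # One source probing eight ports on a single host (classic port scan).
    lines += [f"SRC=198.51.100.7 DST=192.0.2.10 DPT={p}"
              for p in (21, 22, 23, 25, 53, 79, 80, 110)]
    # An ordinary client touching two services on one host.
    lines += ["SRC=192.0.2.200 DST=192.0.2.10 DPT=80",
              "SRC=192.0.2.200 DST=192.0.2.10 DPT=25"]
    return "\n".join(lines)

def parse(log):
    """Yield (src, dst, dport) for every line that matches the assumed layout."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def classify(log, port_threshold=7, host_threshold=5):
    """Return {src: [kinds]}; thresholds are illustrative, not any tool's defaults."""
    ports_per_target = defaultdict(set)  # (src, dst)   -> distinct ports probed
    hosts_per_port = defaultdict(set)    # (src, dport) -> distinct hosts probed
    for src, dst, dport in parse(log):
        ports_per_target[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)
    findings = defaultdict(set)
    # Many ports on one host: the pattern a per-host detector counts.
    for (src, _dst), ports in ports_per_target.items():
        if len(ports) >= port_threshold:
            findings[src].add("vertical")
    # One port on many hosts: invisible per host, visible only across the subnet.
    for (src, _dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            findings[src].add("horizontal")
    return {src: sorted(kinds) for src, kinds in findings.items()}

if __name__ == "__main__":
    for src, kinds in classify(build_sample()).items():
        print(src, kinds)
```

Each host in the sweep sees a single probe, so the horizontal count only works where records from all hosts (or a border router) are aggregated in one place.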


