Hi,
scanlogd will be activated when multiple data packets from one unique source
are sent to different ports of your Linux box in a short time. Many
portscanners (like nmap for Linux) come with features to increase the amount of
time between two port-probes so that some scanning detection facilities like
scanlogd may not notice them. Check the scanner software you used for your
tests; maybe you/it did single port probes, not a real scan, which is much
harder to detect.
scanlogd is a good detection tool to start with but I recommend using
portsentry (http://www.psionic.com/abacus/portsentry/) which is not only much
better in detecting even stealth scans (half-open, syn, christmas-tree, etc.)
but also capable of "striking back" against the scanner, e.g. by dropping its
route via ipchains.
portsentry is also quite easy to configure and runs very smoothly on several of
our Linux-based firewalls.
Boris Lorenz
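The heuristic Boris describes (several packets from one source to different ports within a short time) can be modelled as a sliding-window counter. The script below is an added example for this thread, not scanlogd's or portsentry's own code: it assumes a simplified rule ("at least N distinct destination ports from one source within W seconds") with constructed packet records, and shows why a scanner that spaces its probes out, or one that probes a single port, never crosses the threshold.

```python
from collections import defaultdict

# Constructed packet records for the example: (timestamp_seconds, src_ip, dst_port).
# Real input would come from a packet sniffer or firewall log, not from these lists.
PORTS = [21, 22, 25, 80, 110, 143, 443]

# A fast scan: seven ports probed 50 ms apart.
FAST_SCAN = [(i * 0.05, "10.0.0.5", p) for i, p in enumerate(PORTS)]

# A slowed-down scan: the same ports, one probe per minute.
SLOW_SCAN = [(i * 60.0, "10.0.0.6", p) for i, p in enumerate(PORTS)]

# Single-port probes: the same port hit repeatedly, which is not a port scan.
SINGLE_PROBE = [(i * 0.1, "10.0.0.7", 22) for i in range(6)]


def detect_scans(packets, distinct_ports=5, window=3.0):
    """Return [(src_ip, first_alert_timestamp)] for every source that touched
    at least `distinct_ports` different destination ports within any
    `window`-second span. One alert per source is enough for a log line.
    """
    by_src = defaultdict(list)
    for ts, src, port in sorted(packets):
        by_src[src].append((ts, port))

    alerts = []
    for src, events in by_src.items():
        start = 0          # index of the oldest packet still inside the window
        in_window = {}     # dst_port -> number of packets to it inside the window
        for ts, port in events:
            in_window[port] = in_window.get(port, 0) + 1
            # Slide the window forward: drop packets older than `window` seconds.
            while ts - events[start][0] > window:
                old_port = events[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            if len(in_window) >= distinct_ports:
                alerts.append((src, ts))
                break
    return alerts


if __name__ == "__main__":
    traffic = FAST_SCAN + SLOW_SCAN + SINGLE_PROBE
    print("default window (3 s):", detect_scans(traffic))
    # Widening the window catches the slow scan too, at the cost of keeping
    # per-source state for much longer.
    print("10 min window:", detect_scans(traffic, window=600.0))
```

With the default three-second window only the fast scanner (10.0.0.5) is reported; the one-probe-per-minute scanner and the single-port prober stay below the threshold, which is exactly the gap Boris points at. Raising the window to ten minutes reports the slow scanner as well, so the tuning question for any such detector is how much per-source history it is willing to remember.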
Hi list,
a few days ago, I portscanned "MY" linux-box from a windoze client. But when I look for a scanlogd message, I can't find one. So I took a look at the /var/log/messages file. There I found out that the firewall blocks all unused ports (of course). But the scanner also tries the open ports, like mail, ssh, ftp or www. Why doesn't scanlogd remember this and add a portscan to the logfile?
Thanks in advance.
[...]