This is a discussion on "Scan detection ?" within the Linux Security forums, part of the System Security and Security Related category.
Greetings,

I run a Red Hat Linux box with sshd, ftp and http ports open to the world. Sometimes people try to log on to the ftp server as anonymous, in the hope of finding warez maybe? I try to keep those services up to date.

Everything is logged in /var/log/messages. I did a little script which does

    cat /var/log/messages | grep "$dateOfTheDay" | grep "ftp"
    cat /var/log/messages | grep "$dateOfTheDay" | grep "ssh"
    cat /var/log/messages | grep "$dateOfTheDay" | grep "http"

and which mails me the result (not to the root account but to the user account I use every day).

Question n°1: Is it a good idea or a waste of time, and how could it be bettered?

Question n°2: my iptables script is under construction (I've got one of course, but it's not yet complete; I might consider downloading one rather than making one :) ), but how could I log a portscan of my system? I suppose I could look for "SYN" packets on different ports followed by nothing, but:
- this seems a very crude way of doing it
- tools must have been made already :)

Question: what is your advice regarding a scan detector with logging?

Many thanks for your advice and your time :)
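An added example (not from the original post or any of the replies) of how the grep-and-mail script above can be tightened: anchor on the syslog date prefix so the date string is matched only where the timestamp is, match the daemon name in the program field rather than anywhere in the line (an ssh login attempt for a user called "ftp" would otherwise land in the ftp report), and summarise failed ssh logins per source address so the mail is readable. The log format, daemon names (sshd, vsftpd, httpd) and the log lines themselves are assumptions and constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumptions: classic
# syslog lines ("Mon DD HH:MM:SS host prog[pid]: message") in
# /var/log/messages, OpenSSH "Failed password" messages, an ftp daemon whose
# program name ends in "ftpd" and a web server logging as "httpd".
# The sample log below is CONSTRUCTED for this example.

SAMPLE_LOG="${TMPDIR:-/tmp}/messages.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 12 23:58:01 box sshd[1000]: Accepted password for charly from 203.0.113.5 port 3333 ssh2
Jan 13 10:02:11 box sshd[2211]: Failed password for illegal user test from 198.51.100.7 port 4022 ssh2
Jan 13 10:02:15 box sshd[2212]: Failed password for root from 198.51.100.7 port 4023 ssh2
Jan 13 10:02:20 box sshd[2214]: Failed password for illegal user ftp from 198.51.100.7 port 4024 ssh2
Jan 13 10:02:40 box sshd[2213]: Failed password for root from 198.51.100.9 port 1051 ssh2
Jan 13 10:03:40 box vsftpd[2301]: connection from 192.0.2.10
Jan 13 10:03:41 box vsftpd[2301]: anonymous login from 192.0.2.10 refused
Jan 13 10:05:00 box httpd[2400]: [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/root.exe
Jan 13 11:00:00 box kernel: usb 1-1: new full speed USB device
Jan 13 11:30:00 box sshd[2500]: Accepted password for charly from 203.0.113.5 port 3334 ssh2
EOF

# Lines written on one day ($1, syslog "Mon DD" form) by one daemon ($2,
# an ERE for the program field) in log $3. Anchoring on the timestamp and
# the program field keeps attacker-controlled text later in the line (an
# ssh username of "ftp", for instance) from steering a line into the
# wrong report. A day with no matches is not an error (grep status 1).
service_lines() {
    day="$1"; prog="$2"; log="$3"
    grep -E "^$day [0-9:]{8} [^ ]+ $prog(\[[0-9]+\])?: " "$log" || [ $? -eq 1 ]
}

# Failed ssh logins per source address for one day, busiest source first,
# printed as "ADDRESS COUNT".
failed_ssh_by_source() {
    day="$1"; log="$2"
    service_lines "$day" sshd "$log" \
      | grep 'Failed password for' \
      | sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $2, $1 }'
}

# The whole report for one day: the ssh summary first, then the raw lines
# for each exposed service.
daily_report() {
    day="$1"; log="$2"
    echo "== failed ssh logins by source =="
    failed_ssh_by_source "$day" "$log"
    for spec in "ssh:sshd" "ftp:[a-z]*ftpd" "http:httpd"; do
        name=${spec%%:*}; prog=${spec#*:}
        echo "== $name =="
        service_lines "$day" "$prog" "$log"
    done
}

# From cron the day argument would be "$(date '+%b %e')": %e pads the day
# of month with a space ("Jan  3"), which is how syslog writes it, so a
# %d-based date string would silently miss the first nine days of a month.
# Pipe the output to mail only when it is non-empty, e.g.
#   r=$(daily_report "$(date '+%b %e')" /var/log/messages)
#   [ -n "$r" ] && printf '%s\n' "$r" | mail -s "daily log report" charly
daily_report 'Jan 13' "$SAMPLE_LOG"
```

Against the constructed log, the poster's `grep "ftp"` picks up three lines for Jan 13 (one of them an ssh attempt with the username ftp), while matching on the program field returns the two vsftpd lines only.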

charly wrote:
> <snip>
>
> Question: what is your advice regarding a scan detector with logging?
>
> Many thanks for your advice and your time :)

net-analyzer/portsentry
    Latest version available: 1.1-r7
    Latest version installed: 1.1-r7
    Size of downloaded files: 44 kB
    Homepage: http://sourceforge.net/projects/sentrytools/
    Description: Automated port scan detector and response tool

DarkSamurai wrote:
> charly wrote:
>> <snip>
>>
>> Question: what is your advice regarding a scan detector with logging?
>>
>> Many thanks for your advice and your time :)
>
> net-analyzer/portsentry
>     Latest version available: 1.1-r7
>     Latest version installed: 1.1-r7
>     Size of downloaded files: 44 kB
>     Homepage: http://sourceforge.net/projects/sentrytools/
>     Description: Automated port scan detector and response tool

Thank you for the link, I'll check it out.

charly wrote:
> Greetings,
>
> I run a Red Hat Linux box with sshd, ftp and http ports open to the world.
>
> Sometimes people try to log on to the ftp server as anonymous, in the
> hope of finding warez maybe?
> I try to keep those services up to date.
>
> Everything is logged in /var/log/messages.
> I did a little script which does
>
>     cat /var/log/messages | grep "$dateOfTheDay" | grep "ftp"
>     cat /var/log/messages | grep "$dateOfTheDay" | grep "ssh"
>     cat /var/log/messages | grep "$dateOfTheDay" | grep "http"
>
> and which mails me the result (not to the root account but to the user
> account I use every day).
>
> Question n°1:
> Is it a good idea or a waste of time, and how could it be bettered?

Uh, use IPTables. If you have to, download someone else's script.

> Question n°2:
> my iptables script is under construction (I've got one of course, but it's
> not yet complete; I might consider downloading one rather than making one :) ),
> but how could I log a portscan of my system?

http://www.netfilter.org/documentati...O-3.html#ss3.2

    # Drop ALL attempted port scans:
    iptables -A INPUT -m psd -j DROP

> I suppose I could look for "SYN" packets on different ports followed by
> nothing, but:
> - this seems a very crude way of doing it
> - tools must have been made already :)
>
> Question: what is your advice regarding a scan detector with logging?
>
> Many thanks for your advice and your time :)

--
I have never been one to sacrifice my appetite on the altar of appearance.
-- A.M. Readyhough
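An added example (not from the thread or from the netfilter documentation linked above) of the "crude" SYN-based detector the original poster describes, run over iptables LOG output. Two caveats a reader of the reply above should know: the `psd` match was never part of a stock kernel (it came from the netfilter patch-o-matic extensions, later xtables-addons), and `-j DROP` on its own writes nothing to the log, so to answer the actual question ("how could I log a portscan") a LOG rule is needed somewhere. The rule in the comment is a standard, rate-limited LOG rule for new TCP connections; the field names (`SRC=`, `DPT=`, `PROTO=`, the `SYN`/`ACK` flag words) follow the iptables LOG format, and the log lines themselves are constructed for the example, with 198.51.100.7 playing the scanner.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes SYN packets are
# logged to /var/log/messages by a rule such as:
#
#   iptables -A INPUT -p tcp --syn -m limit --limit 5/s --limit-burst 20 \
#            -j LOG --log-prefix "SYN: "
#
# (LOG is non-terminating, so the packet then goes on to whatever rule or
# policy follows; the limit match keeps a scan from filling the disk.)
# The log below is CONSTRUCTED: 198.51.100.7 probes six ports, 203.0.113.5
# is a normal user, 192.0.2.50 is a SYN+ACK reply to our own outbound
# connection and the last line is UDP, which carries no TCP flags.

SYN_LOG="${TMPDIR:-/tmp}/synlog.sample.$$"
trap 'rm -f "$SYN_LOG"' EXIT
cat > "$SYN_LOG" <<'EOF'
Jan 13 12:00:01 box kernel: SYN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 PROTO=TCP SPT=41234 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 13 12:00:01 box kernel: SYN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 PROTO=TCP SPT=41234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 13 12:00:01 box kernel: SYN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 PROTO=TCP SPT=41234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 13 12:00:02 box kernel: SYN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 PROTO=TCP SPT=41234 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 13 12:00:02 box kernel: SYN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 PROTO=TCP SPT=41234 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 13 12:00:02 box kernel: SYN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 PROTO=TCP SPT=41234 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 13 12:00:03 box kernel: SYN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 PROTO=TCP SPT=41235 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 13 12:05:10 box kernel: SYN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TOS=0x10 PREC=0x00 TTL=61 ID=7781 DF PROTO=TCP SPT=3333 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 13 12:05:30 box kernel: SYN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TOS=0x10 PREC=0x00 TTL=61 ID=7790 DF PROTO=TCP SPT=3334 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 13 12:06:00 box kernel: SYN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=7802 DF PROTO=TCP SPT=3335 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 13 12:07:00 box kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.50 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=80 DPT=40000 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Jan 13 12:08:00 box kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=54 ID=0 PROTO=UDP SPT=53 DPT=53 LEN=28
EOF

# Print "SOURCE DISTINCT_PORTS" for every source in log $1 that sent pure
# SYNs to at least $2 different TCP ports, busiest first. Only a bare SYN
# counts as a probe: a SYN+ACK is the second half of a handshake we
# started ourselves, and UDP lines have no flags at all.
syn_scan_sources() {
    log="$1"; threshold="$2"
    awk -v thr="$threshold" '
        /PROTO=TCP/ && / SYN / && !/ ACK / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # count each (source, port) pair once, however many retransmits
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }
    ' "$log" | sort -k2,2 -rn
}

# Usage: sources that touched five or more different ports.
# Against the constructed log this prints "198.51.100.7 6"; the user who
# opened two ssh sessions and one http connection stays below the line.
syn_scan_sources "$SYN_LOG" 5
```

Counting distinct destination ports per source, rather than raw SYNs, is what separates a scan from a busy legitimate client that reconnects to the same port many times; the threshold is the knob to tune against your own traffic. The function only reports; feeding its output straight into a DROP rule is the same trade-off PortSentry's automatic response makes, and a scanner can forge source addresses, so an auto-block that trusts SRC= can be turned into a way to lock out addresses of the attacker's choosing.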

Also consider looking at PortSentry. This has worked well for me to detect
port scans on my Fedora Core 1 box (formerly Red Hat 9) and my Yellow Dog Linux 3.0 box.

--
James
turajbNOSPAM@hoflink.com (Remove NOSPAM When Emailing)

"charly" <spam@yahoo.fr> wrote in message news:40040f12$0$17134$626a54ce@news.free.fr...
> Greetings,
>
> I run a Red Hat Linux box with sshd, ftp and http ports open to the world.
>
> Sometimes people try to log on to the ftp server as anonymous, in the
> hope of finding warez maybe?
> I try to keep those services up to date.
>
> Everything is logged in /var/log/messages.
> I did a little script which does
>
>     cat /var/log/messages | grep "$dateOfTheDay" | grep "ftp"
>     cat /var/log/messages | grep "$dateOfTheDay" | grep "ssh"
>     cat /var/log/messages | grep "$dateOfTheDay" | grep "http"
>
> and which mails me the result (not to the root account but to the user
> account I use every day).
>
> Question n°1:
> Is it a good idea or a waste of time, and how could it be bettered?
>
> Question n°2:
> my iptables script is under construction (I've got one of course, but it's
> not yet complete; I might consider downloading one rather than making one :) ),
> but how could I log a portscan of my system?
> I suppose I could look for "SYN" packets on different ports followed by
> nothing, but:
> - this seems a very crude way of doing it
> - tools must have been made already :)
>
> Question: what is your advice regarding a scan detector with logging?
>
> Many thanks for your advice and your time :)