Who's Scanning My Box?
saurus asks: "A fellow *nix person says I probably get scanned every day. I say, "No way -- I'd know!" Uhm, actually, if I sat on my box all day running sniffit+netstat+iptraf I might. Could you share a low-maintenance monitoring [Open Source] solution? How would it fare against stealth probes?"
watching them watching me. (Score:1)
Re:watching them watching me. (Score:1)
firewall + logging (Score:1)
Set up your firewall to log all packets it denies (or log all packets, period). This creates a possible DoS attack, however. Then write a Perl script that parses the log file and produces reports based on src ip or whatever you want to group by.
Firewalling (Score:2)
However, there are a whole ton of ports I never ever use, including telnet, and many others. I have my firewall set to leave these packets alone, BUT TELL ME WHEN IT GETS THEM. This means a scanner doesn't know he's been seen, and I get my daily security mailing with any losers who are portscanning me. Then I just toss 'em in
For those running a FreeBSD box that's reasonably recent, here are the commands I use on my 3.2-RELEASE machine
in
$fwcmd add allow log tcp from any to $ip 23
Change allow to deny depending on your policy (mine's a fairly insecure default allow) and tcp/udp and ports as needed. I log 4 tcp ports and only 1 udp port, which I should probably fix.
"Binaries may die but source code lives forever"
-- Unknown
SkyHawk
Andrew Fremantle
Re:Firewalling (Score:1)
So no one can access your server/network. You may have to drill some holes in the high port range for FTP, though...
Log all failures - and you have all "sniffing" attempts logged. It is that simple...
Portsentry + Logcheck (Score:2)
Portsentry + logcheck, available at www.psionic.com, will probably fit most of your needs. Portsentry checks for people scanning your computer in a myriad of ways and logcheck mails you when something goes wrong.
Now for the bad news: the licence isn't the best. It appears to be free to use (commercial or private), and while the source code is distributed and you can modify it, you cannot distribute those modifications. The worst aspect may be the words "Some of the software at this site is PATENT PENDING."
I've used these programs for several months now and been satisfied but if someone knows of a similar program with a nicer licence please let us all know.
Nabbing the scanners (Score:1)
to a specified interface. A fine lump of software.
Scanlogd. It's simple. (Score:2)
Get the source here. Yes, it really is just one C file. [wtower.com]
-A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
Listen and Tease (Score:2)
Sample output: (Score:2)
Aug 17 05:21:45 tettie-gw scanlogd: From 209.30.64.27 to 167.206.46.15 ports 12345, 30100, 20034, 1243, 55555, 54321, 6670, 1257, 30303,
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
Included in SuSE (Score:2)
I haven't been portscanned in over a month; I don't get portscanned very often. The last time I was portscanned, the little fscker tried to ADMmountd me.
He failed, of course. I also reported him to his ISP (cable provider in Georgia). I couldn't find their AUP, but my provider (RoadRunner in Newfoundland) responds to that stuff with a termination of service, as I told his ISP. I'm guessing (based on much experience) that he's using daddy's computer and cable modem. Daddies don't appreciate their punk kids getting their service terminated (lost email address).
Usually they give up after the ADMmountd fails, because anything else requires you to actually learn something.
As for portscans themselves, they're not as dangerous as people might think. The article where scanlogd was first posted explains all that (I forget where I read it, though). Just because someone portscans doesn't mean they're a script kiddie. Nmap is a great tool to find out if a certain port that should be open is, in fact, open. I used it to find out what ports are filtered by RoadRunner (web, ftp, X (I have to use VNC instead), SMTP (damn)). It can also be used by an ISP as an impromptu way of finding out what percentages of their users are running what OS.
Snort+tcp wrappers (Score:1)
Re:Syslog bad. Netlink good. (Score:1)
You should always do some sanity checking first, if you are planning to take automated checking.
Also, I believe you can tell tcpdump to read
Syslog bad. Netlink good. (Score:2)
In 2.2/2.3 kernels, just turn on CONFIG_IP_FIREWALL_NETLINK and CONFIG_NETLINK. Then recompile and reboot and all of that
The basic idea is to throw the headers from rejected crap at the netlink. So stick "-o 128" on the ipchains lines that deal with things you want to hear about.
NOW the fun part comes. Get a good book on TCP/IP (Stevens, ahem), write a loop to read
What happens now is up to you. I recommend tracking the stuff and logging a generic message *once* per lamer that's scanning you. You can even get creative and add a DROP rule for the twit to thwart any future checking. Just system() out to ipchains and be done with it.
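Two posts above describe the same defensive pattern: the "firewall + logging" post suggests parsing the firewall's denied-packet log and grouping by source IP, and the netlink post recommends tracking hits per source and logging a generic message once per scanner rather than once per packet. The following example is added here and is not code from any poster; it reads 2.2-kernel ipchains-style "Packet log:" lines from syslog (the constructed sample lines and addresses below are made up, not from the thread) instead of the netlink socket, but the per-source grouping and once-per-source alerting are the same whichever feed the records come from. The threshold of five distinct destination ports is an assumed tuning knob, not something the thread specifies.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the ipchains "Packet log:" format.
# Addresses are documentation/test ranges, not real hosts from the thread.
SAMPLE_LOG = """\
Aug 17 05:21:45 gw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:40001 192.0.2.10:23 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#3)
Aug 17 05:21:45 gw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:40002 192.0.2.10:21 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#3)
Aug 17 05:21:46 gw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:40003 192.0.2.10:79 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#3)
Aug 17 05:21:46 gw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:40004 192.0.2.10:111 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#3)
Aug 17 05:21:47 gw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:40005 192.0.2.10:6000 L=60 S=0x00 I=5 F=0x4000 T=64 SYN (#3)
Aug 17 05:22:10 gw kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.4:53 192.0.2.10:53 L=72 S=0x00 I=6 F=0x0000 T=128 (#5)
Aug 17 05:23:02 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:1025 192.0.2.10:23 L=60 S=0x00 I=7 F=0x4000 T=64 SYN (#3)
"""

# Matches the fixed prefix of an ipchains log line: timestamp, host, chain,
# verdict, interface, protocol number, then src:port and dst:port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not a packet log."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines):
    """Group DENY records by source address: distinct (proto, dport) pairs,
    packet count and first/last timestamp. This is the batch 'report' step."""
    per_src = defaultdict(lambda: {"ports": set(), "packets": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "DENY":
            continue
        s = per_src[rec["src"]]
        s["ports"].add((rec["proto"], rec["dport"]))
        s["packets"] += 1
        s["first"] = s["first"] or rec["ts"]
        s["last"] = rec["ts"]
    return dict(per_src)


def scanners(summary, min_ports=5):
    """Sources that touched at least min_ports distinct ports, most active first."""
    hits = [src for src, s in summary.items() if len(s["ports"]) >= min_ports]
    return sorted(hits, key=lambda src: (-len(summary[src]["ports"]), src))


def alerts_once(lines, min_ports=5):
    """Streaming variant: emit exactly one alert per source, at the moment it
    crosses the threshold, so a thousand-port sweep yields one mail not a thousand."""
    seen_ports = defaultdict(set)
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "DENY":
            continue
        seen_ports[rec["src"]].add((rec["proto"], rec["dport"]))
        if rec["src"] not in alerted and len(seen_ports[rec["src"]]) >= min_ports:
            alerted.add(rec["src"])
            alerts.append("%s probed %d distinct ports by %s" % (rec["src"], min_ports, rec["ts"]))
    return alerts


def report(summary):
    """Human-readable per-source lines for the daily mail."""
    out = []
    for src in sorted(summary, key=lambda k: -summary[k]["packets"]):
        s = summary[src]
        ports = ", ".join("%d/%d" % (p, d) for p, d in sorted(s["ports"]))
        out.append("%s: %d packets, %d ports (%s) between %s and %s"
                   % (src, s["packets"], len(s["ports"]), ports, s["first"], s["last"]))
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for row in report(summarize(lines)):
        print(row)
    for msg in alerts_once(lines):
        print("ALERT:", msg)
```

In practice the input would be a tail of /var/log/messages (or the records read off the netlink socket, already split into the same fields), and the once-per-source alert is what you would hand to your mailer; the batch report is the daily summary. Only packets whose verdict field is DENY are counted, so a rule that logs accepted traffic does not inflate the scanner list.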
What about windows victims? (Score:1)
SupremeOverlord
Re:What about windows victims? (Score:2)