I would disagree that port scans are not hostile in nature. A port
scan is, 99.999% of the time, the prelude to a crack. Crackers don't
just randomly try things. They find out what ports are open, test the
services that could be running on those ports, they read up on the
exploits for a particular service on the OS that you are running, then
they crack your system. 
   
With that said, my recommendations are:
1) Take a look at PortSentry (http://www.psionic.com/abacus/), or the
entire abacus suite of tools. It watches your ports, and it can block IP
addresses on the fly. I have my system set up to do so as soon as someone hits
port 0. 

2) REVIEW YOUR LOGS!!!! All too often, I hear people say things like
"Yeah, we log everything, and I look through them at least once a week".
I hate hearing that. I look at my logs a few times a day (actually, any
security violations and/or anomalies are e-mailed to me every hour on
the hour ;-). Do an nslookup on the IP addresses. Look at the ports they
start and stop at. Look at the protocols they use. 

3) If the offender is traceable (and most people are), inform both your
ISP and their ISP about the activity. Send them both excerpts of your
logs showing the activity. If their ISP shuts them down, they will just
get another ISP, but chances are that they will move on to another
intended victim.

So, there they are. My recommendations and thoughts. One thing to keep
in mind: NEVER SCAN OR ATTACK THEM BACK!!!! That is considered a
violation of US Title 18(c), and you can be prosecuted for it.
Although, IMHO, there should be room for a Digital Self-Defence Act ;-)

Kenny

-- 
Kenny Lussier
Systems Administrator
Mission Critical Linux
***********************************
The road to happiness is paved
with potholes. The road to 
Hell is paved with good intentions.
Does the DPW know about this??
***********************************

Randy Edwards wrote:
> 
>    I recently installed a program written by Solar Designer called
> "scanlogd".  This is a tool which helps with the information overflow
> generated by the syslog system; in short the program detects port scans and
> logs them to a file/tty.
> 
>    I'm pretty shocked at how hard I'm getting hit by port scans.  While I
> know they are not "hostile" in nature, to me they're fairly close to it.
> 
>    So what I was wondering is what are the rules of net etiquette about port
> scans.  In short, how do others perceive and react to them?
> 
> --
>  Regards, | Debian GNU/Linux - http://www.debian.org - More software than
>  .        | *any* distribution, rock solid reliability, quality control,
>  Randy    | seamless upgrades via ftp or CD-ROM, strict filesystem layout,
>           | adherence to standards, and militantly 100% FREE GNU/Linux!
> 
> **********************************************************
> To unsubscribe from this list, send mail to
> [EMAIL PROTECTED] with the following text in the
> *body* (*not* the subject line) of the letter:
> unsubscribe gnhlug
> **********************************************************

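The log triage in point 2 (group hits by source address, note the ports they start and stop at and the protocols used, then look the addresses up) is easy to script, and the per-source summary doubles as the log excerpt point 3 says to send to the ISPs. The script below is an added example and is not code from this thread, from scanlogd or from PortSentry. It assumes netfilter-style kernel log lines with SRC=/DST=/PROTO=/DPT= fields (the sample lines are constructed and use documentation address ranges), a hypothetical threshold of five distinct ports within sixty seconds, and a caller-supplied hostname resolver so that the script runs offline; in practice pass `socket.gethostbyaddr` as shown in `dns_resolver`.

```python
"""Per-source summary of firewall log lines to triage port-scan activity."""
import re
import socket
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Optional

# Constructed sample in the general shape of netfilter "LOG" target lines.
SAMPLE_LOG = """\
Jun 12 03:14:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40213 DPT=21 SYN
Jun 12 03:14:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40214 DPT=22 SYN
Jun 12 03:14:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40215 DPT=23 SYN
Jun 12 03:14:06 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40216 DPT=25 SYN
Jun 12 03:14:06 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40217 DPT=80 SYN
Jun 12 03:14:06 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=40218 DPT=53
Jun 12 03:14:07 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40219 DPT=143 SYN
Jun 12 03:20:41 gw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=51022 DPT=22 SYN
Jun 12 03:41:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=51023 DPT=22 SYN
"""

# Assumed line layout: syslog timestamp, host, "kernel:", then key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


@dataclass
class SourceSummary:
    src: str
    first: datetime          # earliest hit from this address
    last: datetime           # latest hit from this address
    ports: set = field(default_factory=set)
    protos: set = field(default_factory=set)
    hits: int = 0


def parse_line(line: str) -> Optional[dict]:
    """Return the fields we care about, or None for lines of another shape."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Syslog stamps carry no year; strptime fills in 1900, which is fine for spans.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "src": m.group("src"), "proto": m.group("proto"),
            "dpt": int(m.group("dpt"))}


def summarize(log_text: str) -> Dict[str, SourceSummary]:
    """Group every parsable hit by source address."""
    out: Dict[str, SourceSummary] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = out.get(rec["src"])
        if s is None:
            s = SourceSummary(rec["src"], rec["ts"], rec["ts"])
            out[rec["src"]] = s
        s.first = min(s.first, rec["ts"])
        s.last = max(s.last, rec["ts"])
        s.ports.add(rec["dpt"])
        s.protos.add(rec["proto"])
        s.hits += 1
    return out


def detect_scans(summaries: Dict[str, SourceSummary],
                 min_ports: int = 5, window_seconds: int = 60) -> List[str]:
    """Flag sources that touched many distinct ports in a short span (assumed thresholds).
    A single port hit repeatedly over a long period is not flagged here."""
    flagged = []
    for src, s in summaries.items():
        span = (s.last - s.first).total_seconds()
        if len(s.ports) >= min_ports and span <= window_seconds:
            flagged.append(src)
    return sorted(flagged)


def dns_resolver(ip: str) -> Optional[str]:
    """Reverse lookup via the resolver library (needs network; not used in the test)."""
    return socket.gethostbyaddr(ip)[0]


def report(summaries: Dict[str, SourceSummary], flagged: List[str],
           resolver: Optional[Callable[[str], Optional[str]]] = None) -> List[str]:
    """One line per flagged source: hostname, hit count, port range, protocols, times."""
    lines = []
    for src in flagged:
        s = summaries[src]
        host = None
        if resolver is not None:
            try:
                host = resolver(src)
            except OSError:           # no PTR record, timeout, etc.
                host = None
        lines.append(
            f"{src} ({host or 'unresolved'}): {s.hits} probes, "
            f"{len(s.ports)} ports {min(s.ports)}-{max(s.ports)}, "
            f"protocols {','.join(sorted(s.protos))}, "
            f"{s.first:%b %d %H:%M:%S} to {s.last:%b %d %H:%M:%S}")
    return lines


if __name__ == "__main__":
    summaries = summarize(SAMPLE_LOG)
    for line in report(summaries, detect_scans(summaries)):
        print(line)
```

Run against a real file with `summarize(open("/var/log/messages").read())` and `report(..., resolver=dns_resolver)`; the resolver is injected so the lookups, which can hang on unresponsive name servers, stay out of the parsing path and out of the offline test.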
