Today, Kenneth E. Lussier gleaned this insight:

>    I would disagree that port scans are not hostile in nature. A port
> scan is, 99.999% of the time, the prelude to a crack. Crackers don't
> just randomly try things. They find out what ports are open, test the
> services that could be running on those ports, they read up on the
> exploits for a particular service on the OS that you are running, then
> they crack your system. 

Well, I disagree with you.  This argument comes up very often. I was on
some firewall mailing lists etc. for quite some time, and from the posts
there, a lot of times port scans come from badly configured network
management tools.  There are conceivably other explanations (curious kid
playing with a new toy... but without intention of breaking in, etc.).  
That's not to say that many, or even most, port scans are followed by an
attack, but many are not.  

The scan itself is harmless... wait until they DO something to get your
feathers ruffled.


>    With that said, my recommendations are : 
> 1) Take a look at PortSentry (http://www.psionic.com/abacus/), or the
> entire abacus suite of tools. It watches your ports, and it can block IP
> addresses on the fly. I have my system to set up as soon as someone hits
> port 0. 
> 
> 2) REVIEW YOUR LOGS!!!! All too often, I hear people say things like
> "Yeah, we log everything, and I look through them at least once a week".
> I hate hearing that. I look at my logs a few times a day (actually, any
> security violations and/or anomalies are e-mailed to me every hour on
> the hour ;-). Do an nslookup on the IP addresses. Look at the ports they
> start and stop at. Look at the protocols they use. 
> 
> 3) If the offender is traceable (and most people are), inform both your
> ISP and their ISP about the activity. Send them both excerpts of your
> logs showing the activity. If their ISP shuts them down, they will just
> get another ISP, but chances are that they will move on to another
> intended victim.

All of this is good advice.

> So, there they are. My recommendations and thoughts. One thing to keep
> in mind: NEVER SCAN OR ATTACK THEM BACK!!!! That is considered a
> violation of US Title 18(c), and you can be prosecuted for it.
> Although, IMHO, there should be room for a Digital Self-Defence Act ;-)

   Eye for an eye, tooth for a tooth.  
   Except IP addresses are easy to spoof.

I agree in principle you should be able to do something to defend
yourself, but all too often you'll just be attacking some third party,
thanks to the wonders of IP spoofing.  Therein lies the problem.


-- 
PGP/GPG Public key at http://cerberus.ne.mediaone.net/~derek/pubkey.txt
------------------------------------------------------
Derek D. Martin      |  Unix/Linux Geek
[EMAIL PROTECTED]  |  [EMAIL PROTECTED]
------------------------------------------------------
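An added example, not part of Derek's or Kenneth's message: a small Python script doing part of the log review that recommendation 2 above describes, grouping constructed iptables-style firewall log lines by source address and reporting, for any source that touches many distinct ports in a short window, the ports it started and stopped at and the protocols seen. The log lines, addresses, thresholds and function names are all constructed assumptions; the nslookup step is left out so the script runs offline, and the SRC address is treated as unverified because, as the reply notes, it is easy to spoof.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an iptables/syslog style (not real traffic).
# 203.0.113.9 sweeps eight ports in a few seconds; 198.51.100.4 touches two.
SAMPLE_LOG = """\
Mar 14 02:11:03 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=21 SYN
Mar 14 02:11:03 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22 SYN
Mar 14 02:11:04 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=23 SYN
Mar 14 02:11:04 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=25 SYN
Mar 14 02:11:05 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
Mar 14 02:11:05 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=110 SYN
Mar 14 02:11:06 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=143 SYN
Mar 14 02:11:07 gw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
Mar 14 02:11:09 gw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
Mar 14 02:11:12 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=8080 SYN
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(\S+) .*PROTO=(\S+) DPT=(\d+)")

def parse(log_text, year=2000):
    """Yield (timestamp, src, proto, dport) for each line the pattern matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3), int(m.group(4))

def find_scans(log_text, min_ports=5, window_seconds=60):
    """Return {src: summary} for sources hitting >= min_ports distinct ports
    within window_seconds.  SRC is the unverified address on the packet: a
    scan can be spoofed, so this is evidence to review, not proof of origin."""
    by_src = defaultdict(list)
    for ts, src, proto, dport in parse(log_text):
        by_src[src].append((ts, proto, dport))
    report = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            # sliding window anchored at event i
            window = [e for e in events[i:] if (e[0] - t0).total_seconds() <= window_seconds]
            ports = sorted({e[2] for e in window})
            if len(ports) >= min_ports:
                report[src] = {"first": window[0][0], "last": window[-1][0],
                               "start_port": ports[0], "stop_port": ports[-1],
                               "ports": len(ports),
                               "protocols": sorted({e[1] for e in window})}
                break  # one summary per source is enough for a first look
    return report
```

Run against a real firewall log, the summary per source is what you would paste into a report to the ISPs, alongside the raw excerpt.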
