The half-SYN attack of nmap basically does not open a full connection to the
port. It only sends a beautifully crafted packet with the SYN bit set. If the port
is open a SYN/ACK packet is received, and if the port is closed an RST packet is
received. Then nmap immediately closes the connection, which the server (and
the kernel) fails to record, thinking that it was a bad packet. It is
normal behavior and as per the RFC.
The TCP/IP stuff is handled directly by the kernel, hence the kernel has to
be patched to detect such types of packets. The newer kernels, 2.x and above,
had such a facility, but by default it is disabled. One has to enable it and recompile
the kernel.
IMHO none of the programs available can detect this type of attack unless the
kernel has the facility to log such packets.
I feel all the server admins on this list should check their servers with nmap
for open ports and also check if the nmap scan is being logged.
nmap is the most popular port scanner in the world and incidentally it is
available on a recent month's PCQ CD.
Best Regards,
M.S.Deshmukh,
Director.
Beta Computronics Pvt. Ltd.
Web Site - http://betacomp.com
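The handshake sequence described above (SYN, then SYN/ACK or RST, then an immediate RST) can be recognised after the fact from a packet log. The following is an added example written for this page, not code from the poster or from nmap; the packet records are constructed, and the flow labels and the `min_ports` threshold are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample packet log (src, sport, dst, dport, TCP flags); not real traffic.
PACKETS = [
    ("10.0.0.5", 40001, "10.0.0.1", 80, "S"),    # normal client: full handshake
    ("10.0.0.1", 80, "10.0.0.5", 40001, "SA"),
    ("10.0.0.5", 40001, "10.0.0.1", 80, "A"),
    ("10.0.0.9", 50001, "10.0.0.1", 22, "S"),    # half-open probe of an open port
    ("10.0.0.1", 22, "10.0.0.9", 50001, "SA"),
    ("10.0.0.9", 50001, "10.0.0.1", 22, "R"),    # RST instead of the final ACK
    ("10.0.0.9", 50002, "10.0.0.1", 23, "S"),    # probe of a closed port
    ("10.0.0.1", 23, "10.0.0.9", 50002, "RA"),
    ("10.0.0.9", 50003, "10.0.0.1", 25, "S"),    # probe that gets no answer
]

def group_flows(packets):
    """Map each client->server 4-tuple to its list of (direction, flags)."""
    flows = {}
    for src, sport, dst, dport, flags in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in flows:
            flows[fwd].append(("c", flags))
        elif rev in flows:
            flows[rev].append(("s", flags))
        elif flags == "S":                 # a bare SYN opens a new flow
            flows[fwd] = [("c", "S")]
    return flows

def label(events):
    """Label one flow by how the three-way handshake ended (assumed labels)."""
    if len(events) >= 2 and events[1][0] == "s" and "R" in events[1][1]:
        return "closed"          # server answered the SYN with RST: port closed
    if len(events) >= 3 and events[1] == ("s", "SA"):
        if "A" in events[2][1] and "R" not in events[2][1]:
            return "full"        # client completed the handshake
        if events[2][0] == "c" and "R" in events[2][1]:
            return "half-open"   # client tore it down before the final ACK
    return "no-reply"            # SYN never answered, or handshake left hanging

def scan_sources(packets, min_ports=2):
    """Return sources that probed at least min_ports ports without completing."""
    probed = defaultdict(set)
    for (src, _, _, dport), events in group_flows(packets).items():
        if label(events) in ("half-open", "closed", "no-reply"):
            probed[src].add(dport)
    return {src: sorted(p) for src, p in probed.items() if len(p) >= min_ports}
```

Because the kernel's own connection accounting never sees these flows complete, a detector like this has to work from raw packet captures or firewall packet logs rather than from application logs.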
-----Original Message-----
From: Sathya Rangaswamy <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
<[EMAIL PROTECTED]>
Date: Monday, June 05, 2000 8:38 PM
Subject: Re: [LIH] tools for hacking on linux
>Suresh Ramasubramanian wrote:
>
>> Raju Mathur saw fit to inform LI that:
>>
>> >Sorry, tripwire is for checking integrity of system files, and anyway
>> >newer versions are commercial now. There is a free clone being
>> >developed. What you're looking for, however, is portsentry, which
>> >recognises portscans and blocks offenders.
>>
-----------------------------------------------------------------------
LIH is all for free speech. But it was created for a purpose - to help
people discuss issues about installing and running Linux. If your
messages are counterproductive to this purpose, your privileges to
submit messages can and will be revoked.