Problem with someone port scanning me
For the past couple of days I've had someone on our lan port scanning my box. Not sure what's up with that, but I'm curious if there's a way to log what IP address this is coming from. I don't have IPFW enabled yet as I haven't had the time to configure it at this point as it's currently behind the company firewall on our T3. Is there a way to log where it's coming from? Or is that already being logged somewhere?

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Problem with someone port scanning me
On 12 February, 2004, at 11:12 (-0500) Dragoncrest [EMAIL PROTECTED] wrote:

> For the past couple of days I've had someone on our lan port scanning my box. Not sure what's up with that, but I'm curious if there's a way to log what IP address this is coming from. I don't have IPFW enabled yet as I haven't had the time to configure it at this point as it's currently behind the company firewall on our T3. Is there a way to log where it's coming from? Or is that already being logged somewhere?

The snort port (/usr/ports/security/port) can help.

-Brian Clapper, bmc @ clapper.org, http://www.clapper.org/bmc/
Re: Problem with someone port scanning me
On Thu, 12 Feb 2004 11:12:53 -0500 Dragoncrest [EMAIL PROTECTED] granted us these pearls of wisdom:

> For the past couple of days I've had someone on our lan port scanning my box. Not sure what's up with that, but I'm curious if there's a way to log what IP address this is coming from. I don't have IPFW enabled yet as I haven't had the time to configure it at this point as it's currently behind the company firewall on our T3. Is there a way to log where it's coming from? Or is that already being logged somewhere?

I wonder if you might get some benefit from a couple of simple IPF rules and a quick portsentry install.

/etc/ipf.rules:

    pass in log on interface0 from any to any
    pass out log on interface0 from IP to any

with the appropriate startup would give you a good idea of the IP address the scan is coming from. Whether your DHCP server admin will tell you who that address is is a different matter.

HTH
LK
Re: Problem with someone port scanning me
On Thu, Feb 12, 2004 at 11:12:53AM -0500, Dragoncrest wrote:

> For the past couple of days I've had someone on our lan port scanning my box. Not sure what's up with that, but I'm curious if there's a way to log what IP address this is coming from. I don't have IPFW enabled yet as I haven't had the time to configure it at this point as it's currently behind the company firewall on our T3. Is there a way to log where it's coming from? Or is that already being logged somewhere?

As a temporary measure you could always enable 'log_in_vain' via sysctl:

    sysctl net.inet.tcp.log_in_vain=1
    sysctl net.inet.udp.log_in_vain=1

adding:

    log_in_vain=YES

to /etc/rc.conf if you want this functionality to be enabled at boot time.

This configures the freebsd kernel to log any connection attempts made via udp or tcp to ports that are not open (ie log connection attempts made in vain).

You'd then want to make sure syslogd is configured to log the info to a file:

    kern.debug      /var/log/kern_debug.log

although this will probably dump a lot of other stuff to /var/log/kern_debug.log as well - see syslog(8) and syslog(5) for more info on configuring syslog - or google for: sysctl log_in_vain syslog.conf :P

Note also importantly - log_in_vain is a _very_ poor substitute for a firewall for logging this kind of info.

HTH
--
Jez Hancock - System Administrator / PHP Developer
http://munk.nu/
http://jez.hancock-family.com/ - Another FreeBSD Diary
http://ipfwstats.sf.net/ - ipfw peruser traffic logging
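Both of the suggestions above (LK's ipf "pass in log" rules, whose hits ipmon(8) writes out, and Jez's log_in_vain kernel messages, which syslogd writes to a file) leave you with a log that lists every probe but not a summary of who is scanning. The script below is an added example, not code from this thread or from any of the posters: it reads a log containing either or both formats and reports, per source address, how many distinct destination ports that source touched, which is the signature that separates a scanner from a host that legitimately retries one service. It assumes ipmon's default line layout and the log_in_vain message text shown in the comments; the log lines embedded in demo_scan_summary are constructed for the example, not a real capture, and the interface name, addresses and ports in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): summarise port-scan activity per source
# address from the two log formats the replies above suggest enabling:
#   1. ipmon(8) lines produced by an ipf "pass in log" rule, and
#   2. log_in_vain kernel messages delivered through syslogd to a file.
# Only the default ipmon line layout and the log_in_vain message text are
# assumed; everything in the sample below is constructed, not a real capture.

# scan_summary LOGFILE [THRESHOLD]
# Prints "<source-ip> <distinct-destination-ports>" for every source that
# touched at least THRESHOLD (default 10) distinct destination ports, busiest
# first. One source hitting many different ports is the usual signature of a
# port scan; a repeat visitor to a single port is not.
scan_summary() {
    threshold="${2:-10}"
    awk -v thr="$threshold" '
        # ipmon line (ipmon -s / ipmon -o I, rule carrying the "log" keyword):
        #   dd/mm/yyyy hh:mm:ss.uuuuuu iface @grp:rule p|b SRC,SPORT -> DST,DPORT PR proto ...
        # "p" is passed, "b" is blocked; both count, since either shows the probe.
        $7 == "->" && $5 ~ /^[pb]$/ {
            split("", s); split("", d)
            split($6, s, ","); split($8, d, ",")
            if (s[1] != "" && d[2] != "") seen[s[1], d[2]] = 1
            next
        }
        # log_in_vain message as syslogd writes it:
        #   Mon dd hh:mm:ss host kernel: Connection attempt to TCP DST:DPORT from SRC:SPORT flags:0x02
        # (UDP messages have the same shape without the flags field.)
        /Connection attempt to (TCP|UDP)/ {
            split("", s); split("", d)
            for (i = 1; i <= NF; i++) {
                if ($i == "to")   split($(i + 2), d, ":")
                if ($i == "from") split($(i + 1), s, ":")
            }
            if (s[1] != "" && d[2] != "") seen[s[1], d[2]] = 1
            next
        }
        END {
            # Collapse the (src, dport) pairs into a distinct-port count per source.
            for (k in seen) { split(k, parts, SUBSEP); count[parts[1]]++ }
            for (ip in count) if (count[ip] >= thr) printf "%s %d\n", ip, count[ip]
        }
    ' "$1" | sort -k2,2nr
}

# demo_scan_summary [THRESHOLD]
# Runs scan_summary over a constructed log mixing both formats: one host
# sweeping a dozen ports, one host legitimately revisiting ssh, one blocked
# connection and one unrelated kernel message. With THRESHOLD 5 it prints:
#   192.168.1.50 12
demo_scan_summary() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
12/02/2004 11:12:01.000101 fxp0 @0:1 p 192.168.1.50,40001 -> 192.168.1.10,21 PR tcp len 20 60 -S IN
12/02/2004 11:12:01.000202 fxp0 @0:1 p 192.168.1.50,40002 -> 192.168.1.10,22 PR tcp len 20 60 -S IN
12/02/2004 11:12:01.000303 fxp0 @0:1 p 192.168.1.50,40003 -> 192.168.1.10,23 PR tcp len 20 60 -S IN
12/02/2004 11:12:01.000404 fxp0 @0:1 p 192.168.1.50,40004 -> 192.168.1.10,25 PR tcp len 20 60 -S IN
12/02/2004 11:12:01.000505 fxp0 @0:1 p 192.168.1.50,40005 -> 192.168.1.10,80 PR tcp len 20 60 -S IN
12/02/2004 11:12:01.000606 fxp0 @0:1 p 192.168.1.50,40006 -> 192.168.1.10,110 PR tcp len 20 60 -S IN
12/02/2004 11:12:01.000707 fxp0 @0:1 p 192.168.1.50,40007 -> 192.168.1.10,139 PR tcp len 20 60 -S IN
12/02/2004 11:12:01.000808 fxp0 @0:1 p 192.168.1.50,40008 -> 192.168.1.10,443 PR tcp len 20 60 -S IN
12/02/2004 11:12:05.000100 fxp0 @0:1 p 192.168.1.7,51000 -> 192.168.1.10,22 PR tcp len 20 60 -S IN
12/02/2004 11:12:09.000100 fxp0 @0:1 p 192.168.1.7,51001 -> 192.168.1.10,22 PR tcp len 20 60 -S IN
12/02/2004 11:12:20.000110 fxp0 @0:2 b 10.9.8.7,51000 -> 192.168.1.10,22 PR tcp len 20 60 -S IN
Feb 12 11:12:30 box kernel: Connection attempt to TCP 192.168.1.10:22 from 192.168.1.50:40009 flags:0x02
Feb 12 11:12:30 box kernel: Connection attempt to TCP 192.168.1.10:3306 from 192.168.1.50:40010 flags:0x02
Feb 12 11:12:30 box kernel: Connection attempt to TCP 192.168.1.10:5432 from 192.168.1.50:40011 flags:0x02
Feb 12 11:12:31 box kernel: Connection attempt to TCP 192.168.1.10:8080 from 192.168.1.50:40012 flags:0x02
Feb 12 11:12:31 box kernel: Connection attempt to UDP 192.168.1.10:161 from 192.168.1.50:40013
Feb 12 11:12:40 box kernel: Connection attempt to TCP 192.168.1.10:80 from 192.168.1.7:51002 flags:0x02
Feb 12 11:13:00 box kernel: fxp0: link state changed to UP
EOF
    scan_summary "$tmp" "${1:-5}"
    rm -f "$tmp"
}
```

Against a real log, run it as `scan_summary /var/log/ipf.log 10` or `scan_summary /var/log/kern_debug.log 10`; the threshold is the only tuning knob, and something around ten distinct ports from one source in a day is a reasonable starting point on a quiet LAN. The count is of distinct ports rather than raw lines because the host that legitimately retries ssh generates many lines but only one port, and because a scanner that is rate-limited still touches many ports. Note that a blocked ("b") ipmon line still counts: a scanner learns as much from a drop as from a reset.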
Re: Problem with someone port scanning me
On Thu, 12 Feb 2004 11:12:53 -0500 Dragoncrest [EMAIL PROTECTED] wrote:

> For the past couple of days I've had someone on our lan port scanning my box. Not sure what's up with that, but I'm curious if there's a way to log what IP address this is coming from. I don't have IPFW enabled yet as I haven't had the time to configure it at this point as it's currently behind the company firewall on our T3. Is there a way to log where it's coming from? Or is that already being logged somewhere?

man tcpdump

ports/net/ethereal

netcat? (ports/net/nc). If connections are to a specific port and the protocol is tcp, you can set up nc to listen for connections on this port. Once a connection is established you might get some info, e.g. see what requests are made. A while ago I started getting an absurd number of requests (+30k in an afternoon on my standalone home computer); using netcat I found out that it was requests from kazaa clients... (and no, I don't run kazaa but I'm on dhcp so I obviously got a bad ip).
Re: Problem with someone port scanning me
Thanks. I'm gonna give this one a spin. Gonna keep scanlogd in the back of my mind as something else to try should this not work. Thanks. One last question. Does IPF work by default or do I have to do anything special? And I'm assuming I just type IPF at the command line and the program does the rest?

> On Thu, 12 Feb 2004 11:12:53 -0500 Dragoncrest [EMAIL PROTECTED] granted us these pearls of wisdom:
>
> > For the past couple of days I've had someone on our lan port scanning my box. Not sure what's up with that, but I'm curious if there's a way to log what IP address this is coming from. I don't have IPFW enabled yet as I haven't had the time to configure it at this point as it's currently behind the company firewall on our T3. Is there a way to log where it's coming from? Or is that already being logged somewhere?
>
> I wonder if you might get some benefit from a couple of simple IPF rules and a quick portsentry install.
>
> /etc/ipf.rules:
>
>     pass in log on interface0 from any to any
>     pass out log on interface0 from IP to any
>
> with the appropriate startup would give you a good idea of the IP address the scan is coming from. Whether your DHCP server admin will tell you who that address is is a different matter.
>
> HTH
> LK