Re: port scan identification - John A. Sullivan III

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>
To: netfilter@lists.netfilter.org
Subject: Re: port scan identification
Date: Wed, 09 Jun 2004 12:51:00 -0400	[thread overview]
Message-ID: <1086799860.14435.49.camel@localhost> (raw)
In-Reply-To: <40C73CCA.4070804@wanadoo.fr>

On Wed, 2004-06-09 at 12:37, Rakotomandimby Mihamina wrote:
> John A. Sullivan III wrote:
>  > Hope this helps - John
> 
> it does !
> but :
> 
> if i 'tail -f' my web server access log and the iptables log, I notice 
> those "port_scan" are done when visitors are visiting my site : same 
> time, same IP. I dont think each visitor would want to hack me.
> 
> My conclusion is my rule is not very good, as well as the logged packet 
> is dropped, it would decrease accuracy of the website. What should i do 
> to make it better ? I still want to keep port scan prevention, but want 
> to avoid dropping non-offending packets ... but if you think the website 
> accuracy wouldnt be down for that reason, i will keep it as it is ...
Hmmm . . . I assume what you are trying to do is pick up all packets
with the RST flag on that are not part of a current session, such as
those used to probe a site.

I'm a little rusty on when RSTs are sent.  If they are part of the
packet stream, then I would think conntrack will pick it up and the
legitimate RSTs would never hit your rule.  I assume you are using
conntrack.  However, are RSTs sent when a stream is broken and thus sent
as a separate data stream? I'd have to pull out an IP book to review the
RST flag and why it would not be matched in conntrack.  Does anyone else
know off the top of their head?
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com

next prev parent reply	other threads:[~2004-06-09 16:51 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-06-09  9:33 port scan identification Rakotomandimby Mihamina
2004-06-09  9:30 ` Patrick Leslie Polzer
2004-06-09 10:31 ` Raileanu Grigore
2004-06-09 11:43 ` John A. Sullivan III
2004-06-09 16:37   ` Rakotomandimby Mihamina
2004-06-09 16:51     ` John A. Sullivan III [this message]
2004-06-09 17:04       ` Antony Stone
  -- strict thread matches above, loose matches on Subject: below --
2004-06-09 15:43 Hudson Delbert J Contr 61 CS/SCBN
2004-06-09 16:22 ` Raileanu Grigore
2004-06-08 21:55 Rakotomandimby Mihamina
2004-06-10 10:37 ` Antony Stone

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1086799860.14435.49.camel@localhost \
    --to=john.sullivan@nexusmgmt.com \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.