From: Roger <roger@efn.org>
To: Sven Schuster <schuster.sven@gmx.de>
Cc: netfilter@lists.netfilter.org
Subject: Re: Portscan logging?
Date: Sun, 13 Oct 2002 18:16:20 -0700
Message-ID: <20021014011620.GA1572@efn.org>
In-Reply-To: <3DAA09B7.9040305@gmx.de>
Around Mon, Oct 14 2002, at 02:03, Sven Schuster wrote:
> Hello everybody,
> are down and the default policy is ACCEPT. But when I put in all my
> rules, the scanlogd doesn't log any portscans from the internet. I think
> that is because the packets are already dropped in the kernel by the
> iptables module, am I right??
>
> And now my question is if there's a chance to log portscans (maybe also
> the different kinds??) via some iptables-rules, an extra iptables-module
> or any other tool?? I hope that somebody knows something about it,
> because I think it's very nice to see how much people try to find holes
> in any system...it's already quite interesting to review the Apache-Logs
> everyday, with people thinking there's an IIS running on my system :-)))
Use the logging feature.
iptables -I INPUT -p tcp -j LOG --log-prefix "IPTABLES-IN "
would log *any* inbound tcp connection to syslog, including traffic
you have created (the return of an HTTP or FTP session).
You could pick a couple of ports and set logging on those ports:
iptables -I INPUT -p tcp --dport 80 -j LOG --log-prefix "IPTABLES-IN "
would log any attempt to scan your port 80. Your outbound
HTTP would not be picked up by this.
I use IN as part of my INPUT log prefix, and OUT as part of my OUTPUT log
prefix; it makes it easier to track.
Roger
--
roger@efn.org
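As an added example (not part of Roger's reply or of any netfilter tool), here is a small Python parser that reads the syslog lines the LOG rule above produces, keeps only those carrying the "IPTABLES-IN " prefix, and flags sources that hit many distinct TCP ports in a short window, the pattern scanlogd would otherwise have caught. The hostname, addresses and log lines are constructed; the field layout follows what the kernel LOG target writes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_PREFIX = "IPTABLES-IN"  # the --log-prefix used in the INPUT rule above

# Fields the kernel LOG target writes after the prefix (only those needed here).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: " + re.escape(LOG_PREFIX)
    + r" .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample syslog lines (not real traffic): one source sweeps six ports in
# a few seconds, one normal client hits port 80, plus lines the parser must ignore.
SAMPLE_LOG = """\
Oct 14 01:10:01 gw kernel: IPTABLES-IN IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=60 TTL=54 ID=1 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 SYN URGP=0
Oct 14 01:10:01 gw kernel: IPTABLES-IN IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=60 TTL=54 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 SYN URGP=0
Oct 14 01:10:02 gw kernel: IPTABLES-IN IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=60 TTL=54 ID=3 DF PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 SYN URGP=0
Oct 14 01:10:02 gw kernel: IPTABLES-IN IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=60 TTL=54 ID=4 DF PROTO=TCP SPT=40004 DPT=25 WINDOW=1024 SYN URGP=0
Oct 14 01:10:03 gw kernel: IPTABLES-IN IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=60 TTL=54 ID=5 DF PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 SYN URGP=0
Oct 14 01:10:03 gw kernel: IPTABLES-IN IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=60 TTL=54 ID=6 DF PROTO=TCP SPT=40006 DPT=110 WINDOW=1024 SYN URGP=0
Oct 14 01:10:05 gw kernel: IPTABLES-IN IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=60 TTL=60 ID=7 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 SYN URGP=0
Oct 14 01:10:09 gw kernel: IPTABLES-IN IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=60 TTL=60 ID=8 DF PROTO=TCP SPT=51001 DPT=80 WINDOW=5840 SYN URGP=0
Oct 14 01:10:10 gw kernel: IPTABLES-IN IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=78 TTL=60 ID=9 DF PROTO=UDP SPT=5353 DPT=53 LEN=58
Oct 14 01:10:11 gw kernel: IPTABLES-OUT IN= OUT=eth0 SRC=198.51.100.5 DST=203.0.113.9 LEN=60 TTL=64 ID=10 DF PROTO=TCP SPT=80 DPT=51000 WINDOW=5792 ACK SYN URGP=0
"""

def parse_log_line(line):
    """Return (time, src, dst, proto, dport) for a line carrying our prefix, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog lines carry no year
    return ts, m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))

def find_scanners(lines, min_ports=5, window=timedelta(seconds=60)):
    """Map each source that hit >= min_ports distinct TCP ports inside one window
    to the largest number of distinct ports it touched within such a window."""
    events = defaultdict(list)  # src -> [(time, dport), ...]
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec[3] == "TCP":
            events[rec[1]].append((rec[0], rec[4]))
    scanners = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # sliding window starting at each probe
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                scanners[src] = max(len(ports), scanners.get(src, 0))
    return scanners
```

Run against `SAMPLE_LOG.splitlines()` it reports only 192.0.2.77 (6 ports); the repeated port-80 client, the UDP line and the OUTPUT-prefixed line are ignored.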
Thread overview: 2+ messages
2002-10-14 0:03 Portscan logging? Sven Schuster
2002-10-14 1:16 ` Roger [this message]