* Portscan logging?
@ 2002-10-14 0:03 Sven Schuster
2002-10-14 1:16 ` Roger
0 siblings, 1 reply; 2+ messages in thread
From: Sven Schuster @ 2002-10-14 0:03 UTC (permalink / raw)
To: netfilter
Hello everybody,
I'm currently using iptables v1.2.5 on a redhat linux 7.3 machine to
block new incoming requests on my internet router (dial on demand via
ISDN). TCP requests are answered with a ICMP-Port-Unreachable, and all
the rest is DROPPED by the default policy.
The thing is, I'd like to log all portscans from the "outer world", just
to know who's interested in my system :-) I got scanlogd, compiled and
installed it, and it really works fine, as long as the iptables rules
are down and the default policy is ACCEPT. But when I put in all my
rules, the scanlogd doesn't log any portscans from the internet. I think
that is because the packets are already dropped in the kernel by the
iptables module, am I right??
And know my question is if there's a chance to log portscans (maybe also
the different kinds??) via some iptables-rules, an extra iptables-module
or any other tool?? I hope that somebody knows something about it,
because I think it's very nice to see how much people try to find holes
in any system...it's already quite interesting to review the Apache-Logs
everyday, with peoples thinking there's an IIS running on my system :-)))
Thanks in advance for your tips!!!
Greetings
Sven
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Portscan logging?
2002-10-14 0:03 Portscan logging? Sven Schuster
@ 2002-10-14 1:16 ` Roger
0 siblings, 0 replies; 2+ messages in thread
From: Roger @ 2002-10-14 1:16 UTC (permalink / raw)
To: Sven Schuster; +Cc: netfilter
Around Mon,Oct 14 2002, at 02:03, Sven Schuster, wrote:
> Hello everybody,
> are down and the default policy is ACCEPT. But when I put in all my
> rules, the scanlogd doesn't log any portscans from the internet. I think
> that is because the packets are already dropped in the kernel by the
> iptables module, am I right??
>
> And know my question is if there's a chance to log portscans (maybe also
> the different kinds??) via some iptables-rules, an extra iptables-module
> or any other tool?? I hope that somebody knows something about it,
> because I think it's very nice to see how much people try to find holes
> in any system...it's already quite interesting to review the Apache-Logs
> everyday, with peoples thinking there's an IIS running on my system :-)))
use the logging feature.
iptables -I INPUT -t tcp -j LOG --log-prefix "IPTABLES-IN "
would log *any* inbound tcp connection to syslog. Including traffic
you have created (the return of an HTTP or FTP session)
You could pick a couple of ports and set logging on those ports:
iptables -I INPUT -t tcp --dport 80 -j --log-prefix "IPTABLES-IN "
would log any ports that attempt a scan of your port 80. Your outbound
HTTP would not be picked up by this.
I use IN as part of my INPUT log prefix, and OUT as part of my OUTPUT log
prefix, it makes it easier to track.
Roger
--
roger@efn.org
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2002-10-14 1:16 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2002-10-14 0:03 Portscan logging? Sven Schuster
2002-10-14 1:16 ` Roger
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox