
Re: OT: port scan



Mario Olimpio de Menezes wrote:
> 
> Hi,
> 
>         One computer where I have Debian installed was scanned
> recently. Someone probed several ports (~20), maybe trying to determine
> the running OS (something like nmap does).
>         Do you think this *IS* an attack? I mean, should I report this
> as *AN* attack?
> 
> []s,
> Mario


as an admin of several networks connected to the net i usually do not
report port scans to isps. if i see something suspicious i usually just
firewall that ip or that subnet from connecting to me. my main server
gets quite a bit of suspicious connection activity. some of it is really
odd, like 50 connection attempts to port 5555 or something when there is
nothing on that port. i use a program called SCANDETD, it's a primitive
scan detection program that emails me when it detects scans. it's far
from perfect but honestly i really don't have the time to go through
logs for insignificant things such as portscans on a regular basis. if
you maintain a tight system there usually isn't much to worry about
anyways.  if you're interested in scandetd the output looks like:

Possible port scanning from lnxd105.szif.hu,
I've counted 30 connections.

First connection was made to 1524 port at Sun Nov 26 16:10:18 2000
Last connection was made to 1524 port at Sun Nov 26 16:10:18 2000

Probably it was SYN scan (0 FIN flags and 30 SYN flags)

pretty cool prog. i've caught many things using it. it's not very well
known so it may not be on freshmeat.net ..

if you want a copy of it i can try to dig up the source or the url for
it, email me direct. ..

nate

-- 
:::
ICQ: 75132336
http://www.aphroland.org/
http://www.linuxpowered.net/
aphro@aphroland.org
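
Added example (not part of nate's message and not scandetd's source): a sketch of the kind of counting the report above reflects, that is, connection attempts per source inside a time window with a SYN/FIN flag tally. The threshold of 20, the 60-second window, the event tuple layout and the .example hosts are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_events():
    """Constructed events (time, source, dest_port, tcp_flags); not real traffic."""
    t0 = datetime(2000, 11, 26, 16, 10, 18)
    ms = lambda n: timedelta(milliseconds=n)
    ev = [(t0 + ms(20 * i), "scanner.example", 1 + i, "S") for i in range(30)]
    ev += [(t0 + ms(5000 * i), "client.example", 80, "S") for i in range(4)]
    ev += [(t0 + ms(10 * i), "finscan.example", 100 + i, "F") for i in range(25)]
    return ev

def detect_scans(events, threshold=20, window=timedelta(seconds=60)):
    """Report sources with >= threshold connection attempts inside one window.

    threshold and window are assumed values, not scandetd's defaults.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e[0]):
        by_src[e[1]].append(e)
    reports = []
    for src, evs in by_src.items():
        start, best = 0, (0, 0)          # best = densest burst [lo, hi)
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1               # slide the window forward
            if end + 1 - start > best[1] - best[0]:
                best = (start, end + 1)
        burst = evs[best[0]:best[1]]
        if len(burst) < threshold:
            continue                     # ordinary client traffic
        syn = sum(e[3] == "S" for e in burst)   # bare SYN, no ACK
        fin = sum("F" in e[3] for e in burst)
        kind = "SYN scan" if syn > fin else "FIN scan" if fin > syn else "unknown"
        reports.append({"source": src, "count": len(burst),
                        "ports": sorted({e[2] for e in burst}),
                        "first": burst[0][0], "last": burst[-1][0],
                        "syn": syn, "fin": fin, "kind": kind})
    return reports

if __name__ == "__main__":
    for r in detect_scans(sample_events()):
        print(f"Possible port scanning from {r['source']}, "
              f"{r['count']} connections to {len(r['ports'])} ports "
              f"between {r['first']} and {r['last']}: probably {r['kind']} "
              f"({r['fin']} FIN flags and {r['syn']} SYN flags)")
```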


