
port-scanning. advise?



Hi,
  I hope this is the right list for such matters.
Looking at my firewall computer's logs I noticed something strange.
Random connections to specific ports (1, 21, 22, 23, 79, 98, 111) from
4 specific addresses. Each address tried to connect to a subset of the
ports. Thankfully, the firewall (ipchains-based) denied all of these
connections. For those that passed the firewall, the daemons
(ssh, ftp, I don't run telnet) refused connections themselves, as there
was a hostname/ip address mismatch. I have denied all access to all 4
machines now, but I would like to know what is the proper process for such
a thing. Is port-scanning considered vandalism? Should I report the
addresses to somewhere?
  What makes me curious is the fact that no ip came from the same
geographical area. Literally the ips resolved to machines from all the
continents of the world! As if I was under global attack! :-)
Of course these could be spoofed, but surely that is a really tough feat
just for port-scanning.

  Lastly, what tool should be considered good for periodic checks on the
system files? tripwire? cops? I know tripwire is packaged but is there a
better alternative, tripwire being non-free and all that...

Thanks for any help.

Konstantinos Margaritis

PS. I am not in the list, so I would appreciate it if you cc'd your
replies to me.



