
Re: port-scanning. advise?
(Taken Noah's advice and subscribed :)

On Sun, 14 Jan 2001, Bradley M Alexander wrote:

> The problem with this is that you can't prove a negative. You can prove
> that you _have_ been broken into, but you cannot prove that you _haven't_.
> 
> The same is true for your machines. You can prove that they are not secure,
> but you cannot prove with 100% assurance that they are secure.

That is my main cause of concern. As it is, I see my machine and locate no
breach of security, at least having checked all files that I would think
would look as compromised. What if this guy is a really good hacker and
knows how to cover his tracks?

> I do agree that reporting a portscan is probably overkill. But you should
> at least note where it is coming from and what they are scanning.

Actually, I noted the IPs, mailed the log file to another mail address
on another machine (so that I know he doesn't tamper with the log files
without me noticing), denied all access from these IPs in the firewall
setup and am now paying close attention to strange behaviour that
comes up.

> Or it is possible to use spoofed addresses from most modern portscanners.

That would mean he would have to be in a machine near to mine
right? (connection-wise, at least)
Otherwise any response I sent would go to the true owner of the spoofed
address. How could he tamper with all routing tables of the intermediate
routers?

> Tripwire version 2.2.1 for Linux has been released to GPL and is available
> from their website, http://www.tripwiresecurity.com. There is no listing
> there of version 2.3, so 2.2.1 seems to be the latest and greatest.
> 
> There is also AIDE, the Advanced Intrusion Detection Environment, which is
> also packaged.

I'll give both a look. Although I got really interested in LIDS, which
seems to offer a unique approach to security...

In any case, thanks for the really valuable help.

Konstantinos Margaritis
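The thread's answer to "you can't prove a negative" is a file-integrity checker such as Tripwire or AIDE: hash the files you care about while the system is known-good, keep that baseline somewhere the intruder cannot quietly rewrite (the same idea as mailing the logs off-host), and later diff the live filesystem against it. The following is an added example written for this page, not Tripwire's, AIDE's or the poster's code; the directory tree, file contents and the HMAC key are constructed for the demo, and a real deployment would keep the key and the sealed baseline on another machine or read-only media.

```python
"""Minimal Tripwire/AIDE-style file-integrity baseline (added example)."""
import hashlib
import hmac
import json
import os
import tempfile


def scan_tree(root):
    """Walk `root` and record sha256, size and permission bits of every regular file."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # symlinks are skipped here for brevity
            st = os.lstat(path)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            entries[os.path.relpath(path, root)] = {
                "sha256": digest.hexdigest(),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return entries


def seal_baseline(entries, key):
    """Serialize the baseline and attach an HMAC so edits to the database are detectable."""
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"entries": entries, "hmac": tag}).encode()


def load_baseline(blob, key):
    """Verify the HMAC before trusting the stored baseline."""
    doc = json.loads(blob)
    body = json.dumps(doc["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline HMAC mismatch: database altered or wrong key")
    return doc["entries"]


def compare(baseline, current):
    """Report files that appeared, vanished or changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo_report():
    """Build a constructed tree, take a baseline, simulate changes, return the diff."""
    key = b"constructed-demo-key"  # assumption: in practice kept off-host
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"original ls binary\n")
        with open(os.path.join(root, "passwd"), "wb") as fh:
            fh.write(b"root:x:0:0::/root:/bin/sh\n")
        sealed = seal_baseline(scan_tree(root), key)
        # Constructed changes: a replaced binary, a new file and a deleted file.
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"replaced ls binary\n")
        with open(os.path.join(root, "bin", "extra"), "wb") as fh:
            fh.write(b"x")
        os.remove(os.path.join(root, "passwd"))
        return compare(load_baseline(sealed, key), scan_tree(root))


def tampered_baseline_detected():
    """Edit the stored database without the key; loading it must fail."""
    key = b"constructed-demo-key"
    sealed = seal_baseline({"bin/ls": {"sha256": "00", "size": 1, "mode": "0o755"}}, key)
    doc = json.loads(sealed)
    doc["entries"]["bin/ls"]["size"] = 2  # simulated edit to hide a change
    try:
        load_baseline(json.dumps(doc).encode(), key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo_report())
    print("tamper detected:", tampered_baseline_detected())
```

The check only tells you what differs from the baseline; it says nothing about files that were already altered when the baseline was taken, which is why the snapshot should be made right after installation, before the machine is reachable.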
