
Re: port-scanning. advise?



On Sun, Jan 14, 2001 at 02:22:43PM +0200, Konstantinos Margaritis wrote:
> 
> (Taken Noah's advice and subscribed :)
> 
> On Sun, 14 Jan 2001, Bradley M Alexander wrote:
> 
> > The problem with this is that you can't prove a negative. You can prove
> > that you _have_ been broken into, but you cannot prove that you _haven't_.
> > 
> > The same is true for your machines. You can prove that they are not secure,
> > but you cannot prove with 100% assurance that they are secure.
> 
> That is my main cause of concern. As it is, I see my machine and locate no
> breach of security, at least having checked all files that I would think
> would look as compromised. What if this guy is a really good hacker and
> knows how to cover his tracks?

Fortunately, that is the vast minority of the hacker community. But the
true professionals are probably not gunning for your home machine.
Ordinarily they are the ones that are doing industrial espionage,
intelligence etc. Not hacking home machines. However, securing your
machines and staying aware is still the best advice.

> > I do agree that reporting a portscan is probably overkill. But you should
> > at least note where it is coming from and what they are scanning.
> 
> Actually, I noted the IPs, mailed the log file to another mail address
> on another machine (so that I know he doesn't tamper with the log files
> without me noticing), denied all access from these IPs in the firewall
> setup and am now paying close attention to strange behaviour that
> comes up.

There is actually a method for encrypting your logs to a centralized log
server. 

> > Or it is possible to use spoofed addresses from most modern portscanners.
> 
> That would mean he would have to be in a machine near to mine
> right? (connection-wise, at least)

Not at all. nmap -D slashdot.org,freshmeat.net,some.server.in.jp,microsoft.com...
That's all it would take and I could spoof it to look like servers from all
over the world were scanning you. Not only that, I could use a -T paranoid
option and your portscan detector probably wouldn't detect the scan, at the
cost of the scan taking a looong time.

> Otherwise any response I sent would go to the true owner of the spoofed
> address. How could he tamper with all routing tables of the intermediate
> routers?

But in the case of a spoofed address, you would be sending several
administrators on a wild-goose chase, because there is nothing wrong with
their servers. The scan was just made to _look_ like they originated
from there.

-- 
--Brad
============================================================================
Bradley M. Alexander, CISSP              |   Co-Chairman,
Beowulf System Admin/Security Specialist |    NoVALUG/DCLUG Security SIG
Winstar Telecom                          |   balexander@winstar.com
(703) 889-1049                           |   storm@tux.org
============================================================================
Don't look conspicuous, it draws fire.
						--Murphy's Laws of Combat
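The thread above touches on two defensive points: mailing a copy of the log off the machine so that local tampering is noticeable, and the reply's mention of shipping logs to a central server. The following is an added example, not code from either poster, showing the tamper-evidence idea behind both: each log line is linked into a SHA-256 hash chain, and only the chain head (a 64-character digest) needs to be kept off-box, for instance mailed to the other machine as Konstantinos describes. The log lines below are constructed sample firewall entries, and the `link`, `build_chain` and `verify_chain` helpers are this example's own, not any tool's API.

```python
import hashlib

# Constructed sample log lines (iptables-style); not from the original thread.
SAMPLE_LOG = [
    "Jan 14 14:01:02 kernel: IN=eth0 SRC=192.0.2.45 DST=192.0.2.10 PROTO=TCP DPT=21",
    "Jan 14 14:01:02 kernel: IN=eth0 SRC=192.0.2.45 DST=192.0.2.10 PROTO=TCP DPT=22",
    "Jan 14 14:01:03 kernel: IN=eth0 SRC=192.0.2.45 DST=192.0.2.10 PROTO=TCP DPT=80",
    "Jan 14 14:01:03 kernel: IN=eth0 SRC=192.0.2.45 DST=192.0.2.10 PROTO=TCP DPT=443",
]

# Fixed starting digest so the first entry has a well-defined predecessor.
GENESIS = "0" * 64


def link(prev_digest, line):
    """Digest of (previous digest, newline, line): commits to the whole prefix."""
    h = hashlib.sha256()
    h.update(prev_digest.encode())
    h.update(b"\n")
    h.update(line.encode())
    return h.hexdigest()


def build_chain(lines):
    """Return a list of (line, digest) pairs; each digest covers all earlier lines."""
    entries = []
    prev = GENESIS
    for line in lines:
        prev = link(prev, line)
        entries.append((line, prev))
    return entries


def head(entries):
    """The value to keep off-box (e.g. mail it elsewhere): the last digest."""
    return entries[-1][1] if entries else GENESIS


def verify_chain(entries, trusted_head):
    """Recompute the chain from the stored lines and compare it with the
    off-box head. Returns (ok, reason). Any edit, deletion or reordering of a
    line changes every digest after it, so it cannot match the trusted head."""
    prev = GENESIS
    for i, (line, digest) in enumerate(entries):
        prev = link(prev, line)
        if prev != digest:
            return (False, "entry %d does not match its stored digest" % i)
    if prev != trusted_head:
        return (False, "chain head differs from off-box copy (entries rewritten or truncated)")
    return (True, "ok")


def demo():
    """Build a chain, keep its head 'off-box', then check an edited and a
    truncated copy against that head."""
    chain = build_chain(SAMPLE_LOG)
    offbox_head = head(chain)

    # Attacker edits one source address in place but leaves the stored digest.
    edited = list(chain)
    line, digest = edited[2]
    edited[2] = (line.replace("SRC=192.0.2.45", "SRC=198.51.100.7"), digest)

    # Attacker deletes the last line and rebuilds a consistent-looking chain.
    truncated = build_chain(SAMPLE_LOG[:-1])

    return {
        "intact": verify_chain(chain, offbox_head),
        "edited": verify_chain(edited, offbox_head),
        "truncated": verify_chain(truncated, offbox_head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Note that this is tamper evidence, not tamper prevention: an intruder with root can rewrite the whole chain locally, which is exactly why the head (or the full copy) has to leave the machine, as in the thread. A central log server that receives lines as they are written narrows the window further; an attacker cannot retroactively alter lines that were already shipped.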
