
Re: i've been port scanned. now what



On Mon, Mar 05, 2001 at 11:37:17PM +0100, Szabó Dániel <iwo@matavnet.hu> wrote:
> My packet filter ruleset caught somebody port scanning one of our hosts.
> He or she tried to scan a very big port range from tcp 1 up to 32000 (I think
> with nmap), but my packet filter denied his/her queries (the kernel
> generated 1 mb log in 3 minutes with the denied packets). I have his/her
> ipv4 address, and I would like to ask, what should I do now? I figured out
> from the ripe.net whois db that the ip is owned by one of the ISPs from my
> country; is it possible that the scanner cracked the ISP's machine, then
> pushed the scan from there?

The scanner is probably connected to the internet through that
ISP.

Your response to the scan should probably depend on your opinion
on portscans in general. Some people believe portscans are only
used by crackers. If you agree with them a possible response to
the scan is sending a mail with the IP of the scanner, the exact
time of the scan and any other information you think might be
relevant to abuse@the_ISP_in_your_country.hu.

On the other hand, if you agree with people who believe
portscans have legitimate uses (like finding out if someone is
providing an ftp-server) you should probably do nothing since
the scan was very general and not targeted at ports that are
likely to have exploitable services on them. This is my current
point of view.

There's been a discussion about portscans not too long ago on
debian-security (and probably any security related mailing list)
btw.

Finally, one note of warning: whatever you do, don't try to
think of portscans in terms of what I'd call the '(breaking
into)/(looking at a) house'-metaphor. IMHO it does not provide a
suitable mapping of the situation to one in real life at all and
I find it rapidly becoming very annoying.

Tim

ps. This is *not* an invitation to start another discussion
about portscans. The issue has been beaten to death already and
I'm convinced a simple google search will provide excellent
writings about all views on the subject.

-- 
Tim van Erven
tripudium@chello.nl
talerven@wins.uva.nl
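Whichever of the two views above one takes, the practical first step with a 1 MB kernel log is to reduce it to the handful of facts an abuse desk can act on: the source address, the exact first and last timestamp (with timezone), the number of denied packets and the number of distinct destination ports. The script below is an added example, not code from this thread or from either poster; it assumes log lines in the style of Linux netfilter LOG output (syslog timestamp followed by SRC=/DST=/PROTO=/DPT= fields), which is an assumption since the original poster's log format is not shown. The sample lines are constructed.

```python
"""Summarise denied-packet kernel log lines into abuse-report figures.

Added example for the thread above; not the poster's or Tim's code.
The log format (netfilter-style SRC=/DST=/PROTO=/DPT= fields after a
syslog timestamp) and the sample lines are assumptions/constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source sweeping TCP ports, plus one unrelated
# denied UDP packet from a different host that should NOT be reported.
SAMPLE_LOG = """\
Mar  5 23:30:01 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=1 SYN
Mar  5 23:30:01 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=2 SYN
Mar  5 23:30:02 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=21 SYN
Mar  5 23:30:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=UDP SPT=5353 DPT=5353
Mar  5 23:31:40 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=40004 DPT=21 SYN
Mar  5 23:32:59 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=40005 DPT=31999 SYN
"""

# Syslog timestamps carry no year; the caller supplies it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2001):
    """Return a dict of the interesting fields, or None for non-matching lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def summarise(log_text, year=2001):
    """Aggregate denied packets per source address."""
    per_src = defaultdict(lambda: {"packets": 0, "ports": set(),
                                   "protos": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec is None:
            continue
        s = per_src[rec["src"]]
        s["packets"] += 1
        s["ports"].add(rec["dpt"])
        s["protos"].add(rec["proto"])
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return dict(per_src)


def scanners(summary, min_ports=3):
    """Sources that hit at least min_ports distinct destination ports.

    The threshold is a tunable assumption: a single stray packet is not a scan."""
    return sorted(src for src, s in summary.items() if len(s["ports"]) >= min_ports)


def abuse_report(summary, src, tz_label="CET"):
    """Plain-text facts to send to the ISP's abuse contact (tz_label is an assumption)."""
    s = summary[src]
    duration = int((s["last"] - s["first"]).total_seconds())
    return (
        f"Source: {src}\n"
        f"First seen: {s['first']:%Y-%m-%d %H:%M:%S} {tz_label}\n"
        f"Last seen:  {s['last']:%Y-%m-%d %H:%M:%S} {tz_label}\n"
        f"Denied packets: {s['packets']} over {duration} s\n"
        f"Distinct destination ports: {len(s['ports'])} "
        f"(lowest {min(s['ports'])}, highest {max(s['ports'])})\n"
        f"Protocols: {', '.join(sorted(s['protos']))}\n"
    )


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for src in scanners(summary):
        print(abuse_report(summary, src))
```

Only sources crossing the distinct-port threshold are reported, so the single denied UDP packet from the second host stays out of the report; if a whole /24 of addresses should be aggregated, or the log is from a different filter with different field names, adjust `LINE_RE` and the grouping key, since those two pieces are the only format-specific parts.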
