Security Basics mailing list archives

Re: monitor the log for nmap activities


From: Todd Haverkos <infosec () haverkos com>
Date: Tue, 16 Aug 2011 13:24:47 -0500

John Hunter <johnny.h.hunter () gmail com> writes:

> Hello all:
>
> I am using nmap to hit my home Linux server for testing. Now I have
> two questions:
>
> 1. Suppose my Linux server's name is "HappyHome", I can do "nmap
> HappyHome" inside my home network, or I can do "nmap
> HappyHome.XXXXX.com", while "HappyHome.XXXXX.com" is the domain name I
> registered for my home server. In the latter case, is it the same like
> attacking from outside internet? Even though I actually perform the
> tests from the same machine in my home network?

Generally this isn't really the same, and your from-the-LAN scan will
generally show more open ports than a true internet-based scan would.
Without knowing whether you're using NAT, a hardware router or
firewall, whether you're using a host-based firewall and what the IPs
in question are, it'd be hard to conjecture further.  Generally
though, it's a safe assumption that your scan results from
HappyHome will be a superset of what you'd see from the Internet to
HappyHome.XXXXX.com.  You can get a free from-the-internet scan at
... (hrmm, broadbandreports.com took theirs down so I can't believe I'm
pasting this) https://www.grc.com/x/ne.dll?bh0bkyd2 among other
places.
http://www.qualys.com/forms/trials/qualysguard_freescan_landing/
requires a form to fill out, but they are a well-known vendor.

> 2. How can I find the logging info from the home Linux? I guess if I
> tried stealthy option "-sS", the hit might have evaded the detection,
> but when I used "-sT", I still can't find any trace from
> /var/log/messages or /var/log/syslog, if I barked at the wrong tree,
> where else should I look?

SYN scans aren't as stealthy as they used to be.  If there's any IPS
in use, an IPS will see a SYN (aka "half open" aka "stealth") scan
coming from a mile away; however, without a full TCP connect, daemons
that only log full connects will indeed fail to cut any log entries.

Whether you get anything in your syslogs varies highly on your
configuration.  What services are you running, what their logging
levels are set to, what you've configured syslog to log in
/etc/syslog.conf (and where), if you're running a host based firewall
such as iptables, how it's configured to log and to where, etc.

If you want to have visibility to such activity, look into a network
intrusion detection program.  Snort is extremely popular and free.
http://www.snort.org/

Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
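The reply above makes two points worth seeing in practice: a daemon that only logs completed connections never sees a SYN-only probe, but a host firewall that logs at the packet level does, and syslog then contains the evidence. The script below is an added example, not part of the original thread or of any tool mentioned in it. It assumes an iptables rule along the lines of `iptables -A INPUT -p tcp --syn -j LOG --log-prefix "IPT-SYN: "` has been configured (an assumption about the reader's setup), parses the resulting kernel lines out of /var/log/syslog, and flags any source that hits many distinct destination ports within a short window. The log lines it runs on are constructed for the example and mimic only a subset of the fields a real LOG target emits; the hostname, addresses and ports are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields of interest in a kernel LOG-target line: syslog timestamp, SRC= and DPT=.
# A real line carries more (MAC=, LEN=, TTL=, ...); the regex skips over them lazily.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2011):
    """Return (timestamp, source_ip, dest_port) for an iptables LOG line, else None.

    syslog timestamps carry no year, so the caller supplies one (assumed here).
    Lines from other daemons (sshd, cron, ...) do not match and are skipped.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])


def find_scanners(lines, window_seconds=60, min_ports=10):
    """Flag sources that probe >= min_ports distinct ports inside any window.

    Returns a list of (source_ip, distinct_ports, window_start) tuples. A SYN-only
    scan shows up here even though no service on the host logged a connection,
    because the packet filter logs the SYN itself.
    """
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dpt = parsed
            events[src].append((ts, dpt))

    alerts = []
    for src, hits in events.items():
        hits.sort()
        best, best_start, start = 0, None, 0
        for end in range(len(hits)):
            # Slide the window start forward until all hits fit inside it.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({p for _, p in hits[start:end + 1]})
            if distinct > best:
                best, best_start = distinct, hits[start][0]
        if best >= min_ports:
            alerts.append((src, best, best_start))
    return alerts


def _log_line(ts, src, spt, dpt):
    # Constructed sample line in the shape of a LOG target with prefix "IPT-SYN: ".
    return (f"{ts} HappyHome kernel: IPT-SYN: IN=eth0 OUT= SRC={src} DST=192.168.1.10 "
            f"PROTO=TCP SPT={spt} DPT={dpt} WINDOW=1024 SYN URGP=0")


# Constructed syslog excerpt: one host sweeping a dozen ports in twelve seconds,
# one host making ordinary ssh/http connections, and an unrelated sshd line.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3306]
SAMPLE_LINES = (
    [_log_line(f"Aug 16 13:20:{1 + i:02d}", "192.168.1.50", 40000 + i, p)
     for i, p in enumerate(SCAN_PORTS)]
    + [
        _log_line("Aug 16 13:20:05", "192.168.1.77", 51000, 22),
        _log_line("Aug 16 13:21:10", "192.168.1.77", 51001, 22),
        _log_line("Aug 16 13:22:30", "192.168.1.77", 51002, 80),
        "Aug 16 13:22:31 HappyHome sshd[2211]: Accepted publickey for todd "
        "from 192.168.1.77 port 51001 ssh2",
    ]
)

if __name__ == "__main__":
    for src, ports, started in find_scanners(SAMPLE_LINES):
        print(f"possible port scan from {src}: {ports} ports starting {started}")
```

To run it against a real host, replace `SAMPLE_LINES` with the lines of /var/log/syslog (or wherever your /etc/syslog.conf sends kernel messages) and keep the year argument in step with the file. The thresholds are deliberately conservative; a busy server legitimately receives connections on a handful of ports, so the distinct-port count within a window, not the raw line count, is what separates a sweep from normal traffic.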
