Security Basics mailing list archives
Re: monitor the log for nmap activities
From: Todd Haverkos <infosec () haverkos com>
Date: Tue, 16 Aug 2011 13:24:47 -0500
John Hunter <johnny.h.hunter () gmail com> writes:
Hello all: I am using nmap to hit my home Linux server for testing. Now I have two questions:

1. Suppose my Linux server's name is "HappyHome". I can do "nmap HappyHome" inside my home network, or I can do "nmap HappyHome.XXXXX.com", where "HappyHome.XXXXX.com" is the domain name I registered for my home server. In the latter case, is it the same as attacking from the outside Internet, even though I actually perform the tests from the same machine in my home network?
Generally this isn't really the same, and your from-the-LAN scan will generally show more open ports than a true Internet-based scan would. Without knowing whether you're using NAT, a hardware router or firewall, whether you're using a host-based firewall, and what the IPs in question are, it'd be hard to conjecture further. Generally, though, it's a safe assumption that your scan results from HappyHome will be a superset of what you'd see from the Internet to HappyHome.XXXXX.com.

You can get a free from-the-Internet scan at ... (hrmm, broadbandreports.com took theirs down, so I can't believe I'm pasting this) https://www.grc.com/x/ne.dll?bh0bkyd2 among other places. http://www.qualys.com/forms/trials/qualysguard_freescan_landing/ requires a form to fill out, but they are a well-known vendor.
2. How can I find the logging info on the home Linux server? I guess if I tried the stealthy option "-sS", the hit might have evaded detection, but when I used "-sT", I still can't find any trace in /var/log/messages or /var/log/syslog. If I barked up the wrong tree, where else should I look?
SYN scans aren't as stealthy as they used to be. If there's any IPS in use, an IPS will see a SYN (aka "half open" aka "stealth") scan coming from a mile away; however, without a full TCP connect, daemons that only log full connects will indeed fail to cut any log entries.

Whether you get anything in your syslogs varies highly with your configuration: what services you are running, what their logging levels are set to, what you've configured syslog to log in /etc/syslog.conf (and where), if you're running a host-based firewall such as iptables, how it's configured to log and to where, etc.

If you want to have visibility into such activity, look into a network intrusion detection program. Snort is extremely popular and free. http://www.snort.org/

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
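The reply above points out that a service daemon only logs completed connections, while a host firewall that logs new inbound SYNs sees both "-sS" and "-sT" probes. The following is an added example, not part of the original thread or any project's code: a small Python detector that reads iptables LOG lines of the kind a rule like `iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j LOG --log-prefix "IPT-NEW: "` would write to syslog, and flags any source that touches many distinct destination ports within a short window. The log prefix "IPT-NEW:", the hostname "happyhome", the addresses and the sample lines are all constructed for the example; the field names (SRC=, DST=, PROTO=, SPT=, DPT=, SYN) are the ones the iptables LOG target really emits.

```python
"""Toy port-scan detector over iptables LOG lines (added example, not from the thread).

Assumes a firewall rule that logs every new inbound TCP SYN with the prefix
"IPT-NEW: " (hypothetical prefix) so each probe shows up as a kernel line in syslog.
Both a connect scan (-sT) and a SYN scan (-sS) start with a SYN, so both are seen
here even though only -sT would reach a daemon's own log.
"""
import re
from collections import defaultdict
from datetime import datetime

# Fields the iptables LOG target emits, wrapped in a standard syslog kernel line.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"IPT-NEW: IN=\S* .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) .*?\bSYN\b"
)

# Constructed sample log: one host probing six ports in three seconds, one host
# making a couple of ordinary connections, and one unrelated sshd line.
SAMPLE_LOG = [
    "Aug 16 13:10:00 happyhome kernel: [100.1] IPT-NEW: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Aug 16 13:15:00 happyhome kernel: [400.1] IPT-NEW: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Aug 16 13:20:01 happyhome kernel: [700.1] IPT-NEW: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Aug 16 13:20:01 happyhome kernel: [700.2] IPT-NEW: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=4 PROTO=TCP SPT=54321 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Aug 16 13:20:01 happyhome kernel: [700.3] IPT-NEW: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=5 PROTO=TCP SPT=54321 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Aug 16 13:20:02 happyhome kernel: [701.1] IPT-NEW: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=6 PROTO=TCP SPT=54321 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Aug 16 13:20:02 happyhome kernel: [701.2] IPT-NEW: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=7 PROTO=TCP SPT=54321 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Aug 16 13:20:03 happyhome kernel: [702.1] IPT-NEW: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=8 PROTO=TCP SPT=54321 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Aug 16 13:25:00 happyhome sshd[2201]: Accepted publickey for john from 192.168.1.20 port 40003 ssh2",
]


def parse_line(line, year=2011):
    """Return a dict with ts/src/dst/dpt for a matching iptables SYN line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m.group("src"), "dst": m.group("dst"), "dpt": int(m.group("dpt"))}


def find_scanners(lines, window_seconds=10, min_ports=5):
    """Map each source that hit >= min_ports distinct ports inside window_seconds
    to the sorted list of every port it touched."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in window_seconds
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if len({e["dpt"] for e in evs[start:end + 1]}) >= min_ports:
                flagged[src] = sorted({e["dpt"] for e in evs})
                break
    return flagged


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: ports {ports}")
```

Run against a real syslog with `find_scanners(open("/var/log/syslog").readlines())`; the thresholds are deliberately loose so that a single host's handful of normal connections (192.168.1.20 above) is not flagged while a sweep across several ports in a few seconds is. A Snort or other IDS deployment, as the reply suggests, does the same kind of correlation with far more signatures and without depending on your firewall's logging configuration.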
Current thread:
- monitor the log for nmap activities John Hunter (Aug 16)
- Re: monitor the log for nmap activities Todd Haverkos (Aug 16)
- Re: monitor the log for nmap activities Security Auditor (Aug 17)