Nmap Announce mailing list archives
Re: Scanning hosts connecting to a linuxbox.
From: Lance Spitzner <spitzner () dimension net>
Date: Sun, 14 Feb 1999 16:04:48 -0500 (EST)
Simple Nomad brings up an excellent point: if you counter-scan everyone that scans you, you may be setting yourself (and them) up for a DoS attack. A simple way to fix that is to "counter scan" systems only once. I have my system set up to log all scan attempts. When I'm scanned, a script looks for the $src_ip in the log file (via grep). If it does not find the $src_ip, then this is a new system and I gather some limited data. If $src_ip is found, then nothing is executed. Though not a perfect solution, it does solve several issues. My $0.02 at least :)

On Fri, 12 Feb 1999, Simple Nomad wrote:

> > I would like to somehow have nmap run a scan of my choosing on any hosts attempting a connect to any of my ports, either via tcpwrappers, or the firewall. Can someone either explain how to do this, or point me to the proper documentation/manuals, etc.. I've got an idea already how to do it with tcpwrappers, but I draw a blank on doing it with the firewalled ports.
>
> If you are logging everything into a central file, run swatch (do a web search for it). It essentially runs a tail -f on a log file of your choosing and acts upon certain patterns of keywords etc. Being that it is script-based, you can easily parse the IP address from the log entry and do your thing.
>
> > I'd like to have nmap log the remote OS, and do finger/smtp/ident/etc... scans on the remote machine. I am fairly familiar with nmap itself, so I can figure out that part, but how do I get the services to auto call nmap with the remote machine's IP? Admittedly, I haven't searched for any docs on my system that might explain this already... Feel free to point me to them or an FAQ however.
>
> Granted there are a few gotchas in this. Let's say I'm an evil script kiddie and I'm running a firewalled system. I've been monitoring the nmap mailing list because I'm leet, and I'm taking notes on who is considering using "reverse scans" and the like. I carefully develop my list of reverse scanning folks and use that for my decoy locations. Now I scan each one of them with a few extra decoys thrown in. Of course my system is firewalling to simply not answer the probes I get from the reverse scan folks. This creates a storm of probe traffic as these systems go nuts scanning each other, thinking each other is a potential bad guy. At best, I manage to get a scan from all of these other machines and my IP is basically lost in the storm. At worst, all of these reverse scan boxes have filled up filesystems with huge logs, and have probably run out of memory from repeated instances of nmap running.
>
> I personally know people who write down who reverse scans them, or get an automated finger if they are fingered etc, and then turn them loose on each other. So play nice, kids....
>
> Simple Nomad          // "When viewed as a metaphor for the human
> thegnome () nmrc org  // condition, the humble GNU C compiler
> www.nmrc.org          // becomes an endless enigma."
Lance Spitzner
http://www.enteract.com/~lspitz
Internetworking & Security Engineer
Dimension Enterprises Inc
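The once-only gate Lance describes (grep the source address out of the log, act only when it has never been seen before), written out here as an added shell example; it is not code from the thread or from any of the posters. The seen-file path, the packet-log line format and the sample lines are constructed for the illustration, and the script only decides whether a source is new: whatever limited data gathering the reader wants goes where it prints "act", so a storm of spoofed or decoy probes can trigger at most one reaction per address rather than one per probe.

```shell
#!/bin/sh
# Added example (not from the thread). Reacts to a scan source only the first
# time it appears, so repeated or decoy probes cannot start an endless exchange
# of scans. The seen-file path and the log-line format are assumptions.

# Pull the first dotted-quad out of a log line. In the constructed format used
# in demo() the source address comes first; adjust for your own logger.
extract_src_ip() {
    printf '%s\n' "$1" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# Return 0 (true) the first time an address is seen, 1 on every later call.
# The seen-file is the list Lance greps; -x -F keeps 10.0.0.1 from matching
# 10.0.0.10 as a substring.
first_sighting() {
    ip="$1"
    seen="${SEEN_FILE:-/tmp/counterscan-seen.txt}"   # assumed path
    touch "$seen"
    if grep -qxF "$ip" "$seen"; then
        return 1
    fi
    printf '%s\n' "$ip" >> "$seen"
    return 0
}

# Decide for one log line. Prints "act <ip>" once per source, "skip <ip>"
# afterwards and "ignore" when no address is found. The reader's own limited
# data gathering would replace the "act" line.
handle_line() {
    ip=$(extract_src_ip "$1")
    if [ -z "$ip" ]; then
        echo "ignore"
        return 0
    fi
    if first_sighting "$ip"; then
        echo "act $ip"
    else
        echo "skip $ip"
    fi
}

# Feed constructed log lines (the format is made up) through the gate, the way
# a swatch-style 'tail -f' loop would feed real ones, and print each decision.
demo() {
    old_seen="${SEEN_FILE:-}"
    SEEN_FILE=$(mktemp)
    while IFS= read -r line; do
        handle_line "$line"
    done <<'EOF'
Feb 14 16:04:48 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:1234 198.51.100.5:23 L=60
Feb 14 16:04:49 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:1235 198.51.100.5:25 L=60
Feb 14 16:05:02 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:40000 198.51.100.5:111 L=60
Feb 14 16:05:03 gw sshd: Connection closed by unknown
EOF
    rm -f "$SEEN_FILE"
    SEEN_FILE="$old_seen"
    return 0
}

# Run as 'sh gate.sh demo' to see act / skip / act / ignore for the four lines.
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

The seen-file grows forever, which is the point (a source is never re-scanned), but it also means a full disk is the one way an attacker can still hurt this script; rotating the file on a schedule, or keying it on a /24 instead of a single address when decoys come from one block, are the obvious extensions.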
Current thread:
- Scanning hosts connecting to a linuxbox. Mike A. Harris (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Rasmus Andersson (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Simple Nomad (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Lance Spitzner (Feb 14)
- Re: Scanning hosts connecting to a linuxbox. Simple Nomad (Feb 14)
- Re: Scanning hosts connecting to a linuxbox. Max Vision (Feb 14)
- Re: Scanning hosts connecting to a linuxbox. ace24 (Feb 15)
- Re: Scanning hosts connecting to a linuxbox. Simple Nomad (Feb 15)
- Re: Scanning hosts connecting to a linuxbox. Lance Spitzner (Feb 14)
- RE: Scanning hosts connecting to a linuxbox. Dragos Ruiu (Feb 13)
- <Possible follow-ups>
- RE: Scanning hosts connecting to a linuxbox. Brown, Mark (Feb 12)