Nmap Announce mailing list archives
Re: can/should
From: Security <security () securify darktech org>
Date: Wed, 24 May 2000 09:41:33 -0400 (EDT)
On Tue, 23 May 2000, Barry Hudson wrote:
As a new firewall admin I have a question for the white hats. I log port scans and do a whois to locate the ISP that owns the IP address. My question is what else can/should be done. I have no other reason to believe they got through or committed any crime. What else are you guys doing? I hope this is not too far off topic..
First, I agree. I monitor connections/scans and log/check those who trip my security. I use http://www.arin.net/cgi-bin/queryinput=xxx.xxx.xxx.xxx to dump the whois info for offending IPs. I need a better URL to show all domain infos but it appears that internic has been divided into 100's of pieces. A traceroute is good for incoming connects to verify them. We do a nmap -sTUV -F -I -O $remote_ip just to get a hint at who is scanning me. I also run portsentry (linked to nmap) to detect other ports such as NetBus, BackOrifice, and the related tools. I keep my logs available via my http server so anyone interested in why they were scanned can see the reason and results. A NETBIOS lookup is also a good idea if it is a windows box. Quite often you get the name of the scanner or his system anyhow. I post my inbound connects/return-scan(.sh)'s to an IRC channel so other admins I know can keep tabs on them.

Slightly off topic... but: Does Fyodor or anyone have a patch so I can specify a list of services to check from a separate file? such as nmap winboxen -from abused.portlist ? I would like to have a secondary services list of only trojans and backdoors. I scan my LAN for trojans (Educational systems) but would like to specify a large number of ports without actually editing nmap-services or services.

Thanx.
Mike
Barry S. Hudson Network Systems Manager Fredericksburg Savings Bank www.fsbnk.com Business Email - bhudson () fsbnk com All Other Email - barryhudson () compuserve com
This email is intended for the addressee only. The material may be privileged and confidential information. If you have received this email in error, please notify me immediately by email and delete the original. Thank you.
Nice disclaimer. security () securify darktech org <Mike> Security Admin SecuriFy [ All contents (c) SecuriFy, 1999-2000 Unless otherwise copyrighted ] [ Please view our Disclaimer ]
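The triage routine described in this thread (log the scan, pick out the offending source, look it up, watch a list of trojan/backdoor ports) can be scripted. The following is an added example written for this archive page, not code from the list post, from portsentry or from nmap. It assumes a made-up "DROP src:port -> dst:port proto" log line format, constructed sample log lines, a constructed port watch list, and a threshold of 8 distinct destination ports within 60 seconds as the definition of a scan; the nmap -p argument it builds relies only on nmap's documented comma-separated port/range syntax, which is one way to feed a separate port file to nmap without editing nmap-services.

```python
"""Triage helpers for logged port scans (added example, not from the list post):
flag sources that probe many ports in a short window, watch a separate list of
trojan/backdoor ports, and turn that list into an nmap -p argument."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a made-up "DROP src:port -> dst:port proto"
# format (not the output of any real firewall); the last line is junk so the
# parser's skip path is exercised.
SAMPLE_LOG = """\
2000-05-23T22:10:01 DROP 203.0.113.7:40001 -> 192.0.2.10:21 TCP
2000-05-23T22:10:01 DROP 203.0.113.7:40002 -> 192.0.2.10:22 TCP
2000-05-23T22:10:02 DROP 203.0.113.7:40003 -> 192.0.2.10:23 TCP
2000-05-23T22:10:02 DROP 203.0.113.7:40004 -> 192.0.2.10:25 TCP
2000-05-23T22:10:03 DROP 203.0.113.7:40005 -> 192.0.2.10:53 TCP
2000-05-23T22:10:03 DROP 203.0.113.7:40006 -> 192.0.2.10:80 TCP
2000-05-23T22:10:04 DROP 203.0.113.7:40007 -> 192.0.2.10:110 TCP
2000-05-23T22:10:04 DROP 203.0.113.7:40008 -> 192.0.2.10:139 TCP
2000-05-23T22:10:05 DROP 203.0.113.7:40009 -> 192.0.2.10:443 TCP
2000-05-23T22:10:05 DROP 203.0.113.7:40010 -> 192.0.2.10:12345 TCP
2000-05-23T22:10:06 DROP 203.0.113.7:40011 -> 192.0.2.10:31337 TCP
2000-05-23T22:10:30 DROP 198.51.100.4:51000 -> 192.0.2.10:80 TCP
2000-05-23T22:10:31 DROP 198.51.100.4:51001 -> 192.0.2.10:80 TCP
2000-05-23T22:10:32 DROP 198.51.100.4:51002 -> 192.0.2.10:80 TCP
2000-05-23T22:11:40 DROP 203.0.113.9:33000 -> 192.0.2.10:31337 TCP
this line is not a log record and must be skipped
"""

# Constructed watch list in the "separate file" shape the post asks for:
# one port or range per line, '#' comments allowed.
WATCHLIST = """\
# constructed backdoor/trojan port list (hypothetical file abused.portlist)
12345   # NetBus
31337   # Back Orifice
27374-27375
"""

LINE_RE = re.compile(
    r"^(\S+) DROP (\d+\.\d+\.\d+\.\d+):\d+ -> \d+\.\d+\.\d+\.\d+:(\d+) (\w+)$")


def parse_log(text):
    """Return a list of (timestamp, source_ip, dest_port, proto); non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2),
                           int(m.group(3)), m.group(4)))
    return events


def find_scanners(events, min_ports=8, window_seconds=60):
    """Map source IP -> sorted distinct ports for sources that hit at least
    min_ports distinct ports within any window_seconds-long window."""
    by_src = defaultdict(list)
    for ts, src, port, _proto in events:
        by_src[src].append((ts, port))
    scanners = {}
    for src, hits in by_src.items():
        hits.sort()
        in_window = defaultdict(int)  # port -> hits currently inside the sliding window
        left = 0
        for ts, port in hits:
            in_window[port] += 1
            while (ts - hits[left][0]).total_seconds() > window_seconds:
                old_port = hits[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            if len(in_window) >= min_ports:
                scanners[src] = sorted({p for _, p in hits})
                break
    return scanners


def parse_portlist(text):
    """Parse a port-list file into validated (low, high) tuples, preserving file order."""
    specs = []
    for raw in text.splitlines():
        spec = raw.split("#", 1)[0].strip()
        if not spec:
            continue
        lo_s, _, hi_s = spec.partition("-")
        lo, hi = int(lo_s), int(hi_s) if hi_s else int(lo_s)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {spec!r}")
        specs.append((lo, hi))
    return specs


def build_port_arg(specs):
    """Render (low, high) tuples as the comma-separated list nmap's -p option takes."""
    return ",".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in specs)


def watchlist_hits(events, specs):
    """Map source IP -> sorted watched ports it touched, even if it touched only one."""
    watched = {p for lo, hi in specs for p in range(lo, hi + 1)}
    hits = defaultdict(set)
    for _ts, src, port, _proto in events:
        if port in watched:
            hits[src].add(port)
    return {src: sorted(ports) for src, ports in hits.items()}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    specs = parse_portlist(WATCHLIST)
    for src, ports in find_scanners(events).items():
        print(f"scan from {src}: {len(ports)} ports {ports}; look up with: whois {src}")
    for src, ports in watchlist_hits(events, specs).items():
        print(f"watch-list hit from {src}: {ports}")
    print("local trojan sweep of your own LAN would use: nmap -sT -p", build_port_arg(specs), "<your-hosts>")
```

The sliding window matters: counting distinct ports over the whole log would also flag a legitimate client that retried a dozen services over a month, while the watch-list check deliberately has no threshold, since a single probe of a backdoor port is worth a look on its own.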
Current thread:
- can/should Barry Hudson (May 23)
- Re: can/should Mr. Man (May 24)
- Re: can/should Security (May 24)
- Re: can/should Thomas Reinke (May 24)
- Re: can/should Ola Nyström (May 25)
- Re: can/should Jose Nazario (May 24)
- Re: can/should Eric Hancock (May 24)
- Re: can/should Bennett Todd (May 24)
- <Possible follow-ups>
- RE: can/should Gallicchio, Florindo (2282) (May 24)
- RE: can/should Dion Stempfley (May 24)
- RE: can/should Sean Ellis (May 24)
- RE: can/should Crye, Michael (May 24)
- RE: can/should Jonathan Day (May 25)
(Thread continues...)