Nmap Announce mailing list archives

Re: can/should

From: Security <security () securify darktech org>
Date: Wed, 24 May 2000 09:41:33 -0400 (EDT)

On Tue, 23 May 2000, Barry Hudson wrote:

As a new firewall admin I have a question for the white hats.
I log port scans and do a whois to locate the ISP that owns the ip
address. 
My questions is what else can/should be done.  I have no other reason to
believe they got through or committed any crime.  What else are you guys
doing?  I  hope this is not to far off topic..


First, I agree. I monitor connections/scans and log/check those who trip
my security. 
I use http://www.arin.net/cgi-bin/queryinput=xxx.xxx.xxx.xxx to dump the
whois info for offending IPs. I need a better URL to show all domain infos
but it appears that internic has been divided into 100's of pieces.

A traceroute is good for incoming connects to verify them.
We do a nmap -sTUV -F -I -O $remote_ip just to get a hint at who is
scanning me. I also run portsentry (linked to nmap) to detect other ports
such as NetBus, BackOrifice, and the realated tools.

I keep my logs avaliable via my http server so anyone interested in why
they were scanned can see the reason and results. 
A NETBIOS lookup is also a good idea if it is a windows box. Quite often
you get the name of the scanner or his system anyhow.

I post my inbound connects/return-scan(.sh)'s to an IRC channel so other
admins I know can keep tabs on them.

Slightly off topic... but:
Does fydor or anyone have a patch so I can specify a list of services
to check from a seperate file? such as nmap winboxen -from abused.portlist
? I would like to have a secondary services list of only trojans and
backdoors. I scan my LAN for trojans (Educational systems) but would like
to specify a large number of ports without actually editing nmap-services
or services.

Thanx.

Mike

Barry S. Hudson 
Network Systems Manager 
Fredericksburg Savings Bank 
www.fsbnk.com 
Business Email - bhudson () fsbnk com 
All Other Email - barryhudson () compuserve com

This email is intended for the addressee only.
The material may be privileged and confidential information.
If you have received this email in error, please notify me immediately
by email and delete the original.  Thank you.


Nice disclaimer.

 security () securify darktech org <Mike>
 Security Admin
 SecuriFy

[ All contents (c) SecuriFy, 1999-2000 Unless otherwise copyrighted ]
[ Please view our Disclaimer ]

Current thread:

can/should Barry Hudson (May 23)
- Re: can/should Mr. Man (May 24)
- Re: can/should Security (May 24)
  - Re: can/should Thomas Reinke (May 24)
  - Re: can/should Ola Nyström (May 25)
- Re: can/should Jose Nazario (May 24)
- Re: can/should Eric Hancock (May 24)
- Re: can/should Bennett Todd (May 24)
- <Possible follow-ups>
- RE: can/should Gallicchio, Florindo (2282) (May 24)
- RE: can/should Dion Stempfley (May 24)
  - RE: can/should Sean Ellis (May 24)
- RE: can/should Crye, Michael (May 24)
- RE: can/should Jonathan Day (May 25)

(Thread continues...)