Re: Scanning hosts connecting to a linuxbox.

[Rasmus Andersson <joyride () hem1 passagen se>]

Interesting thought. I don't want to hack the kernel, so how about
letting ipfwadm log to syslog facility (with -o ) and just watch the
logs (to "kern" facility) with a Perl script or whatever? A log entry
looks like this:

Jan 19 18:11:49 idefix kernel: IP fw-in rej eth0 UDP 23.4.5.23:4924
123.4.5.6:2049 L=112 S=0x00 I=30795 F=0x0000 T=128

So we might cut out the source address, check if it's worth scanning
(i.e. not an RFC 1918 or localhost or something, and not one of our
friends) and just hit it. Thanks for giving me the idea. Also, if he is
obviously a very bad guy (checking for netbus or something) we could
fire off Patriot missiles on him :-)

The watcher script could set some environment variables (source address,
destination port etc.) and call another script where we do the nmap
scans and whatever we want. A check should be done so not doing it twice
on the same target within a given time.

Ouch... there goes my weekend :)

/Rasmus


"Mike A. Harris" wrote:

> I am connected via dialup PPP to the net, and I run a simple
> firewall.  Normally, there is no need whatsoever for someone to
> be connecting to any services running on my machine.  Most of the
> time the machine has no visible external service running anyways,
> thanks to the firewall, and tcpwrappers, however occasionally I
> run ssh/telnet/ftp/http for someone, or for remote access to my
> machine.
>
> Due to people portscanning my ISP, I've found many scan attempts
> and breakin attempts on my box - none successful of course, but I
> like to be paranoid about security so...
>
> I would like to somehow have nmap run a scan of my choosing on
> any hosts attempting a connect to any of my ports, either via
> tcpwrappers, or the firewall.
>
> Can someone either explain how to do this, or point me to the
> proper documentation/manuals, etc..  I've got an idea allready
> how to do it with tcpwrappers, but I draw a blank on doing it
> with the firewalled ports.
>
> I'd like to have nmap log the remote OS, and do
> finger/smtp/ident/etc... scans on the remote machine.
>
> I am fairly familiar with nmap itself, so I can figure out that
> part, but how do I get the services to auto call nmap with the
> remote machines IP?
>
> Admittedly, I haven't searched for any docs on my system that
> might explain this allready...  Feel free to point me to them or
> an FAQ however.
>
> Thanks in advance, TTYL
>
> --
> Mike A. Harris                   Linux advocate      GNU advocate
> Computer Consultant                          Open Source advocate
>
> News for nerds, stuff that matters:           http://slashdot.org