Nmap Announce mailing list archives
Re: Scanning hosts connecting to a linuxbox.
From: Rasmus Andersson <joyride () hem1 passagen se>
Date: Fri, 12 Feb 1999 13:36:54 +0100
Interesting thought. I don't want to hack the kernel, so how about letting ipfwadm log to syslog facility (with -o ) and just watch the logs (to "kern" facility) with a Perl script or whatever? A log entry looks like this:

Jan 19 18:11:49 idefix kernel: IP fw-in rej eth0 UDP 23.4.5.23:4924 123.4.5.6:2049 L=112 S=0x00 I=30795 F=0x0000 T=128

So we might cut out the source address, check if it's worth scanning (i.e. not an RFC 1918 or localhost or something, and not one of our friends) and just hit it. Thanks for giving me the idea.

Also, if he is obviously a very bad guy (checking for netbus or something) we could fire off Patriot missiles on him :-)

The watcher script could set some environment variables (source address, destination port etc.) and call another script where we do the nmap scans and whatever we want. A check should be done so we don't do it twice on the same target within a given time.

Ouch... there goes my weekend :)

/Rasmus

"Mike A. Harris" wrote:
I am connected via dialup PPP to the net, and I run a simple firewall. Normally, there is no need whatsoever for someone to be connecting to any services running on my machine. Most of the time the machine has no visible external service running anyways, thanks to the firewall, and tcpwrappers, however occasionally I run ssh/telnet/ftp/http for someone, or for remote access to my machine.

Due to people portscanning my ISP, I've found many scan attempts and breakin attempts on my box - none successful of course, but I like to be paranoid about security so... I would like to somehow have nmap run a scan of my choosing on any hosts attempting a connect to any of my ports, either via tcpwrappers, or the firewall.

Can someone either explain how to do this, or point me to the proper documentation/manuals, etc.. I've got an idea already how to do it with tcpwrappers, but I draw a blank on doing it with the firewalled ports. I'd like to have nmap log the remote OS, and do finger/smtp/ident/etc... scans on the remote machine. I am fairly familiar with nmap itself, so I can figure out that part, but how do I get the services to auto call nmap with the remote machine's IP?

Admittedly, I haven't searched for any docs on my system that might explain this already... Feel free to point me to them or an FAQ however.

Thanks in advance, TTYL

--
Mike A. Harris
Linux advocate, GNU advocate, Computer Consultant, Open Source advocate
News for nerds, stuff that matters: http://slashdot.org
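The watcher Rasmus sketches, written out as an added Python example (it is not code from this thread or from the nmap project): it parses the ipfwadm syslog line format quoted in his message, drops sources that are RFC 1918, loopback or otherwise non-routable, drops addresses on an allow-list of "friends", suppresses repeat hits from the same source within a time window, and builds the environment that a separate hand-off script would receive. The sample log lines, the FW_* variable names, the year supplied to the year-less syslog timestamp and the 600 second window are all constructed or assumed here; what the hand-off script does with the environment is left to the caller.

```python
"""Watch ipfwadm "kern" syslog entries and hand off new external sources (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample lines in the ipfwadm log format quoted in the message.
# The sshd line is there to show that unrelated kern/auth noise is ignored.
SAMPLE_LOG = """\
Jan 19 18:11:49 idefix kernel: IP fw-in rej eth0 UDP 23.4.5.23:4924 123.4.5.6:2049 L=112 S=0x00 I=30795 F=0x0000 T=128
Jan 19 18:11:50 idefix kernel: IP fw-in rej eth0 TCP 23.4.5.23:4925 123.4.5.6:12345 L=44 S=0x00 I=30796 F=0x4000 T=128
Jan 19 18:11:51 idefix kernel: IP fw-in rej eth0 TCP 192.168.1.7:1025 123.4.5.6:23 L=44 S=0x00 I=30797 F=0x4000 T=64
Jan 19 18:11:52 idefix sshd[123]: Accepted password for mike from 10.0.0.5
Jan 19 18:12:05 idefix kernel: IP fw-in rej eth0 TCP 23.4.5.23:4926 123.4.5.6:21 L=44 S=0x00 I=30798 F=0x4000 T=128
"""

# "<stamp> <host> kernel: IP fw-<chain> <action> <iface> <proto> <src>:<sport> <dst>:<dport> ..."
LOG_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"IP fw-(?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass
class FwEvent:
    ts: datetime
    chain: str
    action: str
    iface: str
    proto: str
    src: str
    dport: int


def parse_fw_line(line, year=1999):
    """Return an FwEvent for an ipfwadm log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog stamps carry no year; one is supplied (assumed) so the window can be computed.
    stamp = " ".join(m.group("stamp").split())  # collapse the space-padded day ("Jan  9")
    ts = datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")
    return FwEvent(ts, m.group("chain"), m.group("action"), m.group("iface"),
                   m.group("proto"), m.group("src"), int(m.group("dport")))


def is_candidate(src, allowlist=()):
    """True if src is a routable address and not one of our friends (allowlist of IPs/CIDRs)."""
    addr = ipaddress.ip_address(src)
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return False
    return not any(addr in ipaddress.ip_network(n, strict=False) for n in allowlist)


def handler_env(ev):
    """Environment the hand-off script would receive (variable names are hypothetical)."""
    return {"FW_SRC_ADDR": ev.src, "FW_DST_PORT": str(ev.dport), "FW_PROTO": ev.proto,
            "FW_IFACE": ev.iface, "FW_ACTION": ev.action, "FW_TIME": ev.ts.isoformat()}


def process_log(text, allowlist=(), window_seconds=600, year=1999):
    """Yield one hand-off per new external source, at most once per window per source."""
    last_seen = {}
    handoffs = []
    for line in text.splitlines():
        ev = parse_fw_line(line, year)
        if ev is None or ev.chain != "in":
            continue
        if not is_candidate(ev.src, allowlist):
            continue
        prev = last_seen.get(ev.src)
        if prev is not None and (ev.ts - prev).total_seconds() < window_seconds:
            continue  # same source handled recently; do not fire twice
        last_seen[ev.src] = ev.ts
        handoffs.append(handler_env(ev))
    return handoffs


if __name__ == "__main__":
    for env in process_log(SAMPLE_LOG, allowlist=["10.0.0.0/8"]):
        print(" ".join(f"{k}={v}" for k, v in env.items()))
```

With the constructed sample and the default 600 second window only the first 23.4.5.23 entry produces a hand-off; the 192.168.1.7 hit is discarded as RFC 1918, and the two later hits from the same source fall inside the window. Shrinking the window to 10 seconds lets the 18:12:05 entry through again, which is the "not twice within a given time" check working as described.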