Nmap Announce mailing list archives

RE: Scanning hosts connecting to a linuxbox.


From: "Brown, Mark" <mbrown () visa com>
Date: Fri, 12 Feb 1999 11:35:00 -0800

You've opened the eternal can-of-worms :)

I've been fooling around with attacker profiling (reactively gathering data
through nmap, systat, netstat, traceroute, whois@arin, etc.) and found a
number of problems with the concept in my toying:

1. You open yourself up to denial of service attacks.  Let's say I flood
your machine with tons of "scans" with spoofed source IPs.  Your machine
thrashes itself trying to profile all of these "attackers."  If I slip a
real scan in with all of the spoofed ones, it becomes lost in the noise.

2. You (bad guy) and I (good guy) both run profiling -- You scan me, I scan
you back, you scan me back-back, I scan you back-back-back, etc.  Both
machines go nuts looping.

3. By profiling an attacker, you immediately tip your hand.  There's a lot
more information to be gathered by sitting quietly and observing someone who
doesn't know they're being watched.

I've cooked up some half-brained solutions to these problems:

To prevent flooding, I take no immediate action.  I use Abacus Sentry to
monitor common ports that I don't use (IMAP, finger, lpd, etc.).  When a
scan takes place, Abacus does its normal logging to syslog and also writes
the IP to a file instead of immediately kicking off the profiling scripts.
Naturally, this all takes place in its own partition.

At a reasonable interval, say one minute, that log file of IPs is rotated
out, normalized (removing duplicate entries) and a sanity (flood) check is
performed.  If we logged, for example, 300 new IPs in a minute something is
obviously wrong... probably a flood, or a real scan mixed in with a flood to
mask it.  In this case no automatic profiling is done and the log is flagged
for further human intervention.  The flood rate you set should be based on
the speed and depth of the profiling you do.  YMMV.  The time delay may
cause you to miss profiling someone from a dynamic IP that logged off
immediately following the scan, but c'est la vie.

If the log passes the sanity check, it is passed to the profiling machine (a
totally unrelated box through a different ISP in my case) where the actual
profiling takes place.  Because of the brief time delay and unrelated source
of the profiling, perhaps brain-dead attackers won't put two-and-two
together and realize they've tripped an alarm.

I've been working to get away from Abacus Sentry and integrate this with a
packet-level monitor (Network Flight Recorder). NFR has the capability to
detect a wide variety of attacks and negates the need to install port-level
monitoring on all the hosts... alas, I've found it all too easy to throw NFR
into hysterics by overloading it.  Something more lightweight is in order
(unless you have unlimited hardware to throw at it).
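
[Editor's note: the script below is an added example illustrating the "log
now, profile later" pipeline described in the reply above; it is not code
from Mark Brown or from Abacus Sentry. The spool paths, the one-minute cron
interval and the 300-hosts-per-minute threshold are assumptions chosen for
illustration.]

```sh
#!/bin/sh
# Added example (not from the original thread). Flow:
#   - the port sentry appends one IP per line to $QUEUE as it detects scans;
#   - cron runs this script every minute, e.g. (path is an assumption):
#         * * * * * /usr/local/sbin/profile-batch run
#   - the queue is rotated, de-duplicated, filtered down to dotted quads,
#     and either spooled for the separate profiling host or, when the
#     distinct-host count looks like a flood, set aside for a human.
# FLOOD_LIMIT should reflect how much profiling your box can do per batch.

QUEUE=${QUEUE:-/var/spool/sentry/new-ips}
HANDOFF_DIR=${HANDOFF_DIR:-/var/spool/sentry/to-profiler}
FLAGGED_DIR=${FLAGGED_DIR:-/var/spool/sentry/flagged}
FLOOD_LIMIT=${FLOOD_LIMIT:-300}

# rotate_queue FILE: move the live queue aside and leave a fresh (empty) file
# for the sentry to append to. Prints the path of the rotated copy.
rotate_queue() {
    rotated=$(mktemp "$1.XXXXXX") || return 1
    # mv within one filesystem is atomic; a writer that already opened the old
    # inode finishes its append into the rotated copy, which we read next.
    if [ -e "$1" ]; then mv "$1" "$rotated"; fi
    # touch rather than truncate: if a writer re-created the file between the
    # mv and here, its line is kept instead of being wiped.
    touch "$1"
    echo "$rotated"
}

# normalize FILE: print the distinct, syntactically valid IPv4 addresses.
# This filter is the safety net: whatever is queued later becomes a
# command-line argument on the profiler, so only dotted quads pass.
normalize() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' "$1" | sort -u
}

# count_lines: number of non-empty lines on stdin (prints 0, never fails).
count_lines() {
    grep -c . || true
}

# flood_check COUNT: true when COUNT distinct hosts in one interval is plausible.
flood_check() {
    [ "$1" -lt "$FLOOD_LIMIT" ]
}

# process_batch FILE: prints "profile N" or "flagged N" and spools accordingly.
process_batch() {
    batch=$(normalize "$1")
    n=$(printf '%s\n' "$batch" | count_lines)
    stamp=$(date +%Y%m%d%H%M%S).$$
    if flood_check "$n"; then
        if [ "$n" -gt 0 ]; then
            # Hand-off only: the profiling box (an unrelated host on another
            # ISP in the thread) picks these files up; nothing is scanned here.
            mkdir -p "$HANDOFF_DIR"
            printf '%s\n' "$batch" > "$HANDOFF_DIR/$stamp.ips"
        fi
        echo "profile $n"
    else
        # Too many distinct sources in one interval: a spoofed flood, or a
        # real scan hiding inside one. No automatic profiling; a human decides.
        mkdir -p "$FLAGGED_DIR"
        printf '%s\n' "$batch" > "$FLAGGED_DIR/$stamp.flood"
        echo "flagged $n"
    fi
}

# Entry point for cron: rotate the live queue and process the rotated copy.
case ${1:-} in
    run) process_batch "$(rotate_queue "$QUEUE")" ;;
esac
```

The threshold is on distinct hosts after de-duplication, so a single noisy
scanner hitting every sentry port still counts as one source; only a burst
of many different (probably spoofed) sources trips the flood flag.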

-----Original Message-----
From: Mike A. Harris [mailto:mharris () ican net]
Sent: Friday, February 12, 1999 12:37 AM
To: nmap-hackers () insecure org
Subject: Scanning hosts connecting to a linuxbox.


I am connected via dialup PPP to the net, and I run a simple
firewall.  Normally, there is no need whatsoever for someone to
be connecting to any services running on my machine.  Most of the
time the machine has no visible external service running anyways,
thanks to the firewall, and tcpwrappers, however occasionally I
run ssh/telnet/ftp/http for someone, or for remote access to my
machine.

Due to people portscanning my ISP, I've found many scan attempts
and breakin attempts on my box - none successful of course, but I
like to be paranoid about security so...

I would like to somehow have nmap run a scan of my choosing on
any hosts attempting a connect to any of my ports, either via
tcpwrappers, or the firewall.

Can someone either explain how to do this, or point me to the
proper documentation/manuals, etc..  I've got an idea already
how to do it with tcpwrappers, but I draw a blank on doing it
with the firewalled ports.

I'd like to have nmap log the remote OS, and do
finger/smtp/ident/etc... scans on the remote machine.

I am fairly familiar with nmap itself, so I can figure out that
part, but how do I get the services to auto call nmap with the
remote machines IP?

Admittedly, I haven't searched for any docs on my system that
might explain this already...  Feel free to point me to them or
an FAQ however.

Thanks in advance, TTYL



--
Mike A. Harris                   Linux advocate      GNU advocate
Computer Consultant                          Open Source advocate  

News for nerds, stuff that matters:           http://slashdot.org
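
[Editor's note: the script below is an added example, not code from Mike
Harris or from the tcp_wrappers distribution. It is the tcpwrappers side of
the question above: a "spawn" target that receives the client address. It
deliberately does not call nmap itself; it validates the address and appends
it to a queue file that a separate periodic job profiles, which is how the
reply in this thread avoids both the scan-me/scan-you loop and the
spoofed-flood problem. The script path and queue path are assumptions. For
ports with no service behind them (the firewalled ones) there is nothing for
the wrapper to run; the reply covers those with a port sentry writing to the
same file.]

```sh
#!/bin/sh
# Added example (not from the original thread).
#
# /etc/hosts.allow entry (see hosts_options(5)); %a expands to the client
# address. The trailing & keeps the wrapped service from waiting on us:
#
#   ALL: ALL: spawn (/usr/local/sbin/note-client %a &)
#
# Running nmap directly from spawn would stall the daemon being connected to
# and give the remote side an immediate, easily noticed reaction.

QUEUE=${QUEUE:-/var/spool/sentry/new-ips}

# Sources never queued: loopback, private space, and (add it here) the
# address of your own profiling box. Two hosts running this hook against each
# other would otherwise queue each other forever.
NEVER_PROFILE='^127\. ^10\. ^192\.168\. ^172\.(1[6-9]|2[0-9]|3[01])\.'

# is_ipv4 ADDR: true for a dotted quad with four octets in 0..255.
# Anything else (hostnames, shell metacharacters, junk) is refused, because
# the queued string later becomes a command-line argument to nmap.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_excluded ADDR: true if ADDR matches any pattern in NEVER_PROFILE.
is_excluded() {
    for pat in $NEVER_PROFILE; do
        printf '%s\n' "$1" | grep -Eq "$pat" && return 0
    done
    return 1
}

# note_client ADDR: prints "queued", "excluded" or "rejected".
note_client() {
    addr=$1
    if ! is_ipv4 "$addr"; then
        echo rejected
        return 1
    fi
    if is_excluded "$addr"; then
        echo excluded
        return 0
    fi
    # One short line written with O_APPEND lands intact even when several
    # wrapped daemons fire the hook at the same moment, so no lock is needed.
    printf '%s\n' "$addr" >> "$QUEUE"
    echo queued
}

# Entry point when tcp_wrappers invokes the script with the client address.
[ $# -ge 1 ] && note_client "$1" >/dev/null || true
```

Pairing this hook with a periodic batch job over the queue file gives the
delayed, rate-checked profiling the reply describes; the hook itself stays
cheap enough that a flood of connections costs one file append each.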