Nmap Announce mailing list archives
Re: Scanning hosts connecting to a linuxbox.
From: Simple Nomad <thegnome () nmrc org>
Date: Sun, 14 Feb 1999 18:14:51 -0600 (CST)
Is everyone this paranoid? That they reverse scan? I think there needs to be a healthy amount of common sense here. For example, if your machine is a dialup box and you do not allow connectivity from the net, only outbound-initiated, does it really warrant a reverse scan for every Class C sweep that hits you? Personally I think not. If your box is a sacrificial lamb in the DMZ, is it normal to expect scans? I mean, if your only method to access a web server remotely is via SSH or SRP from a single IP address, does it really warrant reverse scans?

Don't get me wrong -- I've done reverse scans, but I usually do them manually after my system has alerted me about a potential problem, and especially if the individual or individuals attempting an intrusion are rather persistent. I'd rather spend more time shoring up other areas of potential vulnerability than devise a reverse scan method (except as an intellectual exercise).

Simple Nomad          // "When viewed as a metaphor for the human
thegnome () nmrc org  // condition, the humble GNU C compiler
www.nmrc.org          // becomes an endless enigma."

On Sun, 14 Feb 1999, Lance Spitzner wrote:
> On Fri, 12 Feb 1999, Simple Nomad wrote:
>
> Simple Nomad brings up an excellent point: if you counter scan everyone that scans you, you may be setting yourself (and them) up for a DOS attack. A simple way to fix that is to "counter scan" systems only once. I have my system set up to log all scan attempts. When I'm scanned, a script looks for the $src_ip in the log file (via grep). If it does not find the $src_ip, then this is a new system and I gather some limited data. If $src_ip is found, then nothing is executed. Though not a perfect solution, it does solve several issues. My $0.02 at least :)
>
> > > I would like to somehow have nmap run a scan of my choosing on any hosts attempting a connect to any of my ports, either via tcpwrappers, or the firewall. Can someone either explain how to do this, or point me to the proper documentation/manuals, etc. I've got an idea already how to do it with tcpwrappers, but I draw a blank on doing it with the firewalled ports.
> >
> > If you are logging everything into a central file, run swatch (do a web search for it). It essentially runs a tail -f on a log file of your choosing and acts upon certain patterns of keywords etc. Being that it is script-based, you can easily parse the IP address from the log entry and do your thing.
> >
> > > I'd like to have nmap log the remote OS, and do finger/smtp/ident/etc... scans on the remote machine. I am fairly familiar with nmap itself, so I can figure out that part, but how do I get the services to auto call nmap with the remote machine's IP? Admittedly, I haven't searched for any docs on my system that might explain this already... Feel free to point me to them or an FAQ however.
> >
> > Granted there are a few gotchas in this. Let's say I'm an evil script kiddie and I'm running a firewalled system. I've been monitoring the nmap mailing list because I'm leet, and I'm taking notes on who is considering using "reverse scans" and the like. I carefully develop my list of reverse scanning folks and use that for my decoy locations.
> >
> > Now I scan each one of them with a few extra decoys thrown in. Of course my system is firewalling to simply not answer the probes I get from the reverse scan folks. This creates a storm of probe traffic as these systems go nuts scanning each other, thinking each other is a potential bad guy. At best, I manage to get a scan from all of these other machines and my IP is basically lost in the storm. At worst, all of these reverse scan boxes have filled up filesystems with huge logs, and have probably run out of memory from repeated instances of nmap running. I personally know people who write down who reverse scans them, or get an automated finger if they are fingered etc., and then turn them loose on each other. So play nice, kids....
> >
> > Simple Nomad          // "When viewed as a metaphor for the human
> > thegnome () nmrc org  // condition, the humble GNU C compiler
> > www.nmrc.org          // becomes an endless enigma."
>
> Lance Spitzner
> http://www.enteract.com/~lspitz
> Internetworking & Security Engineer
> Dimension Enterprises Inc
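The once-only gate Lance describes above (log every scan attempt, grep the log for the source address, act only the first time a source appears) and the log-parsing step Simple Nomad suggests doing with swatch, written out as an added POSIX shell example. This is not code from the thread or from any of the posters. The log format, the addresses, and the seen-file location are constructed for the example, and the action taken on a new source is a placeholder that records the address rather than probing it back; the storm scenario in the thread is the reason the probing step is left out of the automation.

```shell
#!/bin/sh
# Added example, not from the thread: the "counter scan only once" gate
# Lance Spitzner describes. A scan-detector log is read line by line, the
# source address is extracted, and a source triggers an action only the
# first time it is seen; repeats are skipped. All addresses and the log
# format are constructed for this example.

# File of sources already seen (one IP per line). Location is an assumption.
SEEN_FILE="${SEEN_FILE:-${TMPDIR:-/tmp}/seen_sources.$$}"

# Constructed sample log: one source that scans twice (192.0.2.10) and one
# line without any "from" address, which the parser must ignore.
SAMPLE_LOG='Feb 14 18:01:02 gw scan-detector: From 192.0.2.10:40123 to 198.51.100.5 ports 21,22,23,25
Feb 14 18:01:05 gw sshd[123]: refused connect from 203.0.113.7
Feb 14 18:01:30 gw kernel: eth0: link is up
Feb 14 18:02:11 gw scan-detector: From 192.0.2.10:40124 to 198.51.100.5 ports 80,443
Feb 14 18:03:00 gw scan-detector: From 192.0.2.77:5555 to 198.51.100.5 ports 1,2,3'

# Print the IPv4 address that follows "from " or "From " in one log line,
# or nothing if the line carries no source address.
src_ip_of() {
    printf '%s\n' "$1" | sed -n 's/.*[Ff]rom \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 and record the address the first time it is seen; return 1 on
# every later sighting. grep -x -F matches the whole line literally, so
# 192.0.2.1 does not match 192.0.2.10.
first_sight() {
    [ -f "$SEEN_FILE" ] || : > "$SEEN_FILE"
    if grep -qxF "$1" "$SEEN_FILE"; then
        return 1
    fi
    printf '%s\n' "$1" >> "$SEEN_FILE"
    return 0
}

# Placeholder for the "gather some limited data" step: record the source.
# Probing the host back is what turns into a scan storm when two such
# systems meet each other, so that part is deliberately not automated here.
on_new_source() {
    printf 'act %s\n' "$1"
}

# Read log lines on stdin; print "act IP" on first sight, "skip IP" after.
process_log() {
    while IFS= read -r line; do
        ip=$(src_ip_of "$line")
        [ -n "$ip" ] || continue
        if first_sight "$ip"; then
            on_new_source "$ip"
        else
            printf 'skip %s\n' "$ip"
        fi
    done
}

# Number of distinct sources recorded so far (0 if the file does not exist).
seen_count() {
    [ -f "$SEEN_FILE" ] && wc -l < "$SEEN_FILE" | tr -d ' ' || echo 0
}

# Stand-alone demo: start from an empty seen-file, then feed the sample log.
rm -f "$SEEN_FILE"
printf '%s\n' "$SAMPLE_LOG" | process_log
```

Hooked up to swatch, tcpwrappers' `spawn`, or a `tail -f` loop, `process_log` would read the live log instead of the constructed string; the seen-file is what keeps a persistent or decoy-spoofed scanner from triggering the action more than once, although it does nothing about the initial sighting of each spoofed decoy address, which is the part of Simple Nomad's scenario a once-only rule cannot fix.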
Current thread:
- Scanning hosts connecting to a linuxbox. Mike A. Harris (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Rasmus Andersson (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Simple Nomad (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Lance Spitzner (Feb 14)
- Re: Scanning hosts connecting to a linuxbox. Simple Nomad (Feb 14)
- Re: Scanning hosts connecting to a linuxbox. Max Vision (Feb 14)
- Re: Scanning hosts connecting to a linuxbox. ace24 (Feb 15)
- Re: Scanning hosts connecting to a linuxbox. Simple Nomad (Feb 15)
- Re: Scanning hosts connecting to a linuxbox. Lance Spitzner (Feb 14)
- RE: Scanning hosts connecting to a linuxbox. Dragos Ruiu (Feb 13)
- <Possible follow-ups>
- RE: Scanning hosts connecting to a linuxbox. Brown, Mark (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Chris St. Clair (Feb 15)