Nmap Announce mailing list archives

Re: Nmap and xlogmaster


From: Lamont Granquist <lamontg () raven genome washington edu>
Date: Fri, 29 Jan 1999 10:35:09 -0800

On Thu, 28 Jan 1999, HD Moore wrote:
> nmap.  A setup that works decently is creating lockfiles for each
> incoming host's IP address, which would stop the same hosts (or
> 'unknown') from being scanned repeatedly.  A cron script that removes
> these files after a certain interval (a day or so) would supplement
> this.  Even if you are getting synflooded or scanned the script would
> only try to scan back if the 'unknown' lockfile didn't already exist,
> keeping your system from eating itself.  The setup I am currently using
> does the usual safe_finger check, and RPC check, and finally a NetBIOS
> table dump for each incoming host, using the lockfile method for
> stopping repeated scans of the same host. Anyways, just some things I
> found from experience.

I did something similar for capturing phf + friends queries on our
webservers.  The script does a safe_finger, a traceroute, and connects
to systat.  It chokes itself by writing a file to /tmp with the host IP
address and the time() stamp.  The script itself deletes the line in /tmp
if it goes over a certain number of mins.  This script is still vulnerable
to someone doing something dumb like spoofing massive #'s of different IP
addresses, but this hasn't been a problem...

-- 
Lamont Granquist                       lamontg () raven genome washington edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka
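
The throttle described in the message above, as an added example that is not part of the original post or the author's script: one state file of "IP timestamp" lines, with expired lines dropped on each run. Assumptions not in the post: the function name `should_respond`, the 15-minute window, a cap on live entries (to bound the many-spoofed-sources case the post mentions), a lock file, and a private directory instead of shared /tmp.

```python
import fcntl, ipaddress, os, tempfile, time

WINDOW_SECS = 15 * 60  # assumed expiry; the post only says "a certain number of mins"
MAX_ENTRIES = 1000     # assumed cap so a flood of spoofed sources cannot grow the file

def should_respond(state_path, ip, now=None, window=WINDOW_SECS, cap=MAX_ENTRIES):
    """Record `ip` and return True if no unexpired entry exists and the cap allows it."""
    ip = str(ipaddress.ip_address(ip))  # reject anything that is not an address
    now = time.time() if now is None else now
    with open(state_path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)  # serialise concurrent invocations
        entries = {}
        try:
            with open(state_path) as fh:
                for line in fh:
                    parts = line.split()
                    try:
                        host, ts = parts[0], float(parts[1])
                    except (IndexError, ValueError):
                        continue  # skip malformed lines
                    if now - ts < window:  # keep only unexpired entries
                        entries[host] = ts
        except FileNotFoundError:
            pass  # first run: no state yet
        allowed = ip not in entries and len(entries) < cap
        if allowed:
            entries[ip] = now
        # Rewrite via a 0600 temp file and rename, so the state file is never partial.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(state_path) or ".")
        with os.fdopen(fd, "w") as fh:
            for host, ts in entries.items():
                fh.write(f"{host} {ts}\n")
        os.replace(tmp, state_path)
    return allowed

if __name__ == "__main__":
    # Private directory rather than a predictable name in shared /tmp.
    state = os.path.join(tempfile.mkdtemp(), "throttle.state")
    # Constructed sample: the same documentation-range source at t = 0 s, 60 s, 901 s.
    for src, t in [("192.0.2.10", 0), ("192.0.2.10", 60), ("192.0.2.10", 901)]:
        print(src, t, should_respond(state, src, now=t))
```

When the cap is reached, new sources are refused until older entries expire, so a flood costs a bounded amount of disk and work at the price of ignoring some real sources during the flood.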


