Re: Scanning hosts connecting to a linuxbox.

[Simple Nomad <thegnome () nmrc org>]

> I would like to somehow have nmap run a scan of my choosing on
> any hosts attempting a connect to any of my ports, either via
> tcpwrappers, or the firewall.
>
> Can someone either explain how to do this, or point me to the
> proper documentation/manuals, etc..  I've got an idea allready
> how to do it with tcpwrappers, but I draw a blank on doing it
> with the firewalled ports.

If you are logging everything into a central file, run swatch (do a web
search for it). It essentially runs a tail -f on a log file of your
choosing and acts upon certain patterns of keywords etc. Being that it is
script-based, you can easily parse the IP address from the log entry and
do your thing.

> I'd like to have nmap log the remote OS, and do
> finger/smtp/ident/etc... scans on the remote machine.
>
> I am fairly familiar with nmap itself, so I can figure out that
> part, but how do I get the services to auto call nmap with the
> remote machines IP?
>
> Admittedly, I haven't searched for any docs on my system that
> might explain this allready...  Feel free to point me to them or
> an FAQ however.

Granted there are a few gotchas in this. Let's say I'm evil script kiddie
and I'm running a firewalled system. I've been monitoring the nmap mailing
list because I'm leet, and I'm taking notes on who is considering using
"reverse scans" and the like. I carefully develop my list of reverse
scanning folks and use that for my decoy locations. Now I scan each one of
them with a few extra decoys thrown in. Of course my system is firewalling
to simply not answer the probes I get from the reverse scan folks. This
creates a storm of probe traffic as these systems go nuts scanning each
other, thinking each other is a potential bad guy. At best, I manage to
get a scan from all of these other machines and my IP is basically lost in
the storm. At worse, all of these reverse scan boxes have filled up
filesystems with huge logs, and have probably ran out of memory from
repeated instances of nmap running.

I personally know people who write down who reverse scans them, or get an
automated finger if they are fingered etc, and then turn them loose on
each other. So play nice, kids....

    Simple Nomad    //  "When viewed as a metaphor for the human
 thegnome () nmrc org  //    condition, the humble GNU C compiler
    www.nmrc.org    //         becomes an endless enigma."