Nmap Announce mailing list archives

Re: Scanning hosts connecting to a linuxbox.


From: Lance Spitzner <spitzner () dimension net>
Date: Sun, 14 Feb 1999 16:04:48 -0500 (EST)

On Fri, 12 Feb 1999, Simple Nomad wrote:

Simple Nomad brings up an excellent point: if
you counter scan everyone that scans you, you may be
setting yourself up (and them) for a DOS attack.  A simple way
to fix that is to "counter scan" systems only once.

I have my system set up to log all scan attempts.  When I'm scanned
a script looks for the $src_ip in the log file (via grep).  If it does
not find the $src_ip, then this is a new system and I gather
some limited data.  If $src_ip is found, then nothing is executed.
Though not a perfect solution, it does solve several issues.

My $0.02 at least :)


I would like to somehow have nmap run a scan of my choosing on
any hosts attempting a connect to any of my ports, either via
tcpwrappers, or the firewall.

Can someone either explain how to do this, or point me to the
proper documentation/manuals, etc..  I've got an idea already
how to do it with tcpwrappers, but I draw a blank on doing it
with the firewalled ports.

If you are logging everything into a central file, run swatch (do a web
search for it). It essentially runs a tail -f on a log file of your
choosing and acts upon certain patterns of keywords etc. Being that it is
script-based, you can easily parse the IP address from the log entry and
do your thing.

I'd like to have nmap log the remote OS, and do
finger/smtp/ident/etc... scans on the remote machine.

I am fairly familiar with nmap itself, so I can figure out that
part, but how do I get the services to auto call nmap with the
remote machines IP?

Admittedly, I haven't searched for any docs on my system that
might explain this already...  Feel free to point me to them or
an FAQ however.

Granted there are a few gotchas in this. Let's say I'm evil script kiddie
and I'm running a firewalled system. I've been monitoring the nmap mailing
list because I'm leet, and I'm taking notes on who is considering using
"reverse scans" and the like. I carefully develop my list of reverse
scanning folks and use that for my decoy locations. Now I scan each one of
them with a few extra decoys thrown in. Of course my system is firewalling
to simply not answer the probes I get from the reverse scan folks. This
creates a storm of probe traffic as these systems go nuts scanning each
other, thinking each other is a potential bad guy. At best, I manage to
get a scan from all of these other machines and my IP is basically lost in
the storm. At worst, all of these reverse scan boxes have filled up
filesystems with huge logs, and have probably run out of memory from
repeated instances of nmap running.

I personally know people who write down who reverse scans them, or get an
automated finger if they are fingered etc, and then turn them loose on
each other. So play nice, kids....

    Simple Nomad    //  "When viewed as a metaphor for the human
 thegnome () nmrc org  //    condition, the humble GNU C compiler
    www.nmrc.org    //         becomes an endless enigma."




Lance Spitzner
http://www.enteract.com/~lspitz
Internetworking & Security Engineer
Dimension Enterprises Inc
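Lance's "act only on a source not already in the log" check, together with a guard against Simple Nomad's decoy-storm scenario, as an added example that is not part of the thread or either poster's scripts. It goes slightly beyond the text by capping how many never-seen sources get a response in one pass; the log format, state file names and sample lines are all assumed or constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): respond to a scanning source at most once,
# and cap new responses per pass so a burst of decoy addresses cannot fan out into
# a probe storm. File names, log format and sample lines are assumed/constructed.
SEEN_FILE="${SEEN_FILE:-./seen_sources.txt}"     # one source IP per line
RESPONSE_LOG="${RESPONSE_LOG:-./responses.log}"  # record of what we acted on
MAX_NEW_PER_RUN="${MAX_NEW_PER_RUN:-2}"          # storm guard: new sources per pass
NEW_THIS_RUN=0

# Print the first dotted-quad found in a log line (nothing if there is none).
extract_src_ip() {
    printf '%s\n' "$1" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# Exit 0 (act) only for a never-seen source while under the per-run cap.
# Every source is recorded on first sight, acted on or not, so a repeat, or a
# decoy that showed up during a storm, never triggers anything later.
should_respond() {
    touch "$SEEN_FILE"
    grep -qxF -- "$1" "$SEEN_FILE" && return 1             # already handled
    printf '%s\n' "$1" >> "$SEEN_FILE"
    [ "$NEW_THIS_RUN" -lt "$MAX_NEW_PER_RUN" ] || return 1   # cap reached
    NEW_THIS_RUN=$((NEW_THIS_RUN + 1))
}

# The one-time action: here it only records the decision; a deployment would
# put its limited data gathering at this point.
respond_to() {
    printf '%s respond %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$RESPONSE_LOG"
}

# Read scan-log lines on stdin and print one decision per line.
process_log() {
    while IFS= read -r line; do
        ip=$(extract_src_ip "$line")
        [ -n "$ip" ] || continue
        if should_respond "$ip"; then
            respond_to "$ip"; printf 'RESPOND %s\n' "$ip"
        else
            printf 'SKIP %s\n' "$ip"
        fi
    done
}

# Constructed sample: one repeat source, then two "decoys" against a cap of 2.
SAMPLE_LOG='Feb 14 15:58:01 gw scanlog: probe from 192.0.2.10 to port 111
Feb 14 15:58:07 gw scanlog: probe from 192.0.2.10 to port 25
Feb 14 15:59:30 gw scanlog: probe from 198.51.100.1 to port 23
Feb 14 15:59:30 gw scanlog: probe from 198.51.100.2 to port 23'
printf '%s\n' "$SAMPLE_LOG" | process_log
```

Run against the sample, the first 192.0.2.10 line and 198.51.100.1 get RESPOND, the repeat and the source that arrives after the cap get SKIP.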


