RE: Detected NMAP scan

[<joff () newmonics com>]

I've written a small (~30) line patch to the linux 2.0 kernel that
detects and masq's all scans, (stealth, half-open, etc) and blocks them
in mid scan so the attacker does not see any ports open.  Take a look:
http://www.geek-girl.com/bugtraq/1998_3/0008.html.

//Jesse Off

On Wed, 6 Jan 1999, Frank W. Keeney wrote:

> I get scanned at least ten times a week!
>
> With the 1.x versions of nmap, Linux ipfwadm successfully logged all
> stealth scans in my lab.
>
>       ----------
>       From:  Lamont Granquist
> [SMTP:lamontg () raven genome washington edu]
>       Sent:  Wednesday, January 06, 1999 12:40 PM
>       To:  nmap-hackers () insecure org
>       Subject:  Detected NMAP scan
>
>
>       So, on Jan 3rd a machine that I admin got scanned, and with the
> ipfw.c
>       hack that I posted previously, I recorded the following packets,
>       suggesting that it was someone with nmap2.  I thought I'd post
> it here as
>       a sighting of nmap "in the wild":
>
>       Jan  3 04:16:14 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP
> 148.81.145.199:62233 192.168.0.1:80
>       Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8
> 148.81.145.199 192.168.0.1
>       Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8
> 148.81.145.199 192.168.0.1
>       Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8
> 148.81.145.199 192.168.0.1
>       Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP
> 148.81.145.199:62234 192.168.0.1:80
>       Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP
> 148.81.145.199:62235 192.168.0.1:80
>
>       I've also identified people doing SYN scans of port 635 which is
> where
>       mountd often/normally resides on a linux system.
>