From: Security <security () securify darktech org>
Date: Wed, 24 May 2000 09:41:33 -0400 (EDT)
On Tue, 23 May 2000, Barry Hudson wrote:
> As a new firewall admin I have a question for the white hats.
> I log port scans and do a whois to locate the ISP that owns the IP.
> My question is what else can/should be done. I have no other reason to
> believe they got through or committed any crime. What else are you guys
> doing? I hope this is not too far off topic.
First, I agree. I monitor connections/scans and log/check those who trip
I use http://www.arin.net/cgi-bin/queryinput=xxx.xxx.xxx.xxx to dump the
whois info for offending IPs. I need a better URL to show all domain infos
but it appears that internic has been divided into 100's of pieces.
A traceroute is good for incoming connects to verify them.
We do an nmap -sTUV -F -I -O $remote_ip just to get a hint at who is
scanning me. I also run portsentry (linked to nmap) to detect other ports
such as NetBus, BackOrifice, and the related tools.
I keep my logs available via my http server so anyone interested in why
they were scanned can see the reason and results.
A NETBIOS lookup is also a good idea if it is a windows box. Quite often
you get the name of the scanner or his system anyhow.
I post my inbound connects/return-scan(.sh)'s to an IRC channel so other
admins I know can keep tabs on them.
Slightly off topic... but:
Does Fyodor or anyone have a patch so I can specify a list of services
to check from a separate file? Such as nmap winboxen -from abused.portlist?
I would like to have a secondary services list of only trojans and
backdoors. I scan my LAN for trojans (educational systems) but would like
to specify a large number of ports without actually editing nmap-services.
> Barry S. Hudson
> Network Systems Manager
> Fredericksburg Savings Bank
> Business Email - bhudson () fsbnk com
> All Other Email - barryhudson () compuserve com
> This email is intended for the addressee only.
> The material may be privileged and confidential information.
> If you have received this email in error, please notify me immediately
> by email and delete the original. Thank you.
security () securify darktech org <Mike>
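As an added example (not code from the post or from portsentry), a small Python triage script for the workflow the reply describes: it parses constructed portsentry-style log lines, groups probes per source IP, flags the NetBus and BackOrifice ports and the NetBIOS hits that warrant a name lookup, and lists the whois/traceroute follow-ups. The log format, the port-to-trojan tags and the `nmblookup -A` call are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of syslog entries written by portsentry
# (assumption: the exact format is approximated, not taken from the post).
SAMPLE_LOG = """\
May 23 22:10:01 fw portsentry[412]: attackalert: Connect from host: 10.0.0.7/10.0.0.7 to TCP port: 12345
May 23 22:10:02 fw portsentry[412]: attackalert: Connect from host: 10.0.0.7/10.0.0.7 to TCP port: 31337
May 23 22:10:03 fw portsentry[412]: attackalert: Connect from host: 10.0.0.7/10.0.0.7 to TCP port: 139
May 23 22:11:09 fw portsentry[412]: attackalert: Connect from host: 192.0.2.44/192.0.2.44 to TCP port: 80
May 23 22:11:10 fw portsentry[412]: attackalert: Connect from host: 192.0.2.44/192.0.2.44 to UDP port: 31337
"""

# Default ports of the two tools the reply names; the tags are ours, not from the post.
TROJAN_PORTS = {12345: "NetBus", 31337: "BackOrifice"}
# NetBIOS ports: a hit here is the hint that a NetBIOS name lookup may work.
NETBIOS_PORTS = {137, 138, 139}

LINE_RE = re.compile(
    r"attackalert: Connect from host: (?P<host>\S+)/(?P<ip>[\d.]+) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)

def parse_log(text):
    """Group probes by source IP: {ip: [(proto, port), ...]}."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits[m["ip"]].append((m["proto"], int(m["port"])))
    return dict(hits)

def triage(hits):
    """Per source: probe count, distinct ports, trojan ports seen, NetBIOS flag."""
    report = {}
    for ip, probes in hits.items():
        ports = sorted({p for _, p in probes})
        report[ip] = {
            "probes": len(probes),
            "ports": ports,
            "trojan_ports": [TROJAN_PORTS[p] for p in ports if p in TROJAN_PORTS],
            "netbios_lookup": any(p in NETBIOS_PORTS for p in ports),
        }
    return report

def next_steps(ip, entry):
    """The lookups the reply describes, rendered as commands for the admin to review."""
    steps = [f"whois {ip}", f"traceroute {ip}"]
    if entry["netbios_lookup"]:
        steps.append(f"nmblookup -A {ip}")  # assumption: Samba's NetBIOS name query tool
    return steps
```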
[ All contents (c) SecuriFy, 1999-2000 Unless otherwise copyrighted ]