On Tue, 23 May 2000, Barry Hudson wrote:
> As a new firewall admin I have a question for the white hats.
> I log port scans and do a whois to locate the ISP that owns the ip
> address.
> My question is what else can/should be done. I have no other reason to
> believe they got through or committed any crime. What else are you guys
> doing? I hope this is not too far off topic..
First, I agree. I monitor connections/scans and log/check those who trip
my security.
I use http://www.arin.net/cgi-bin/queryinput=xxx.xxx.xxx.xxx to dump the
whois info for offending IPs. I need a better URL to show all domain info
but it appears that internic has been divided into 100's of pieces.
A traceroute is good for incoming connects to verify them.
We do a nmap -sTUV -F -I -O $remote_ip just to get a hint at who is
scanning me. I also run portsentry (linked to nmap) to detect other ports
such as NetBus, BackOrifice, and the related tools.
I keep my logs available via my http server so anyone interested in why
they were scanned can see the reason and results.
A NETBIOS lookup is also a good idea if it is a windows box. Quite often
you get the name of the scanner or his system anyhow.
I post my inbound connects/return-scan(.sh)'s to an IRC channel so other
admins I know can keep tabs on them.
Slightly off topic... but:
Does Fyodor or anyone have a patch so I can specify a list of services
to check from a separate file? such as nmap winboxen -from abused.portlist
? I would like to have a secondary services list of only trojans and
backdoors. I scan my LAN for trojans (Educational systems) but would like
to specify a large number of ports without actually editing nmap-services
or services.
Thanx.
Mike
> Barry S. Hudson
> Network Systems Manager
> Fredericksburg Savings Bank
> www.fsbnk.com
> Business Email - bhudson_at_fsbnk.com
> All Other Email - barryhudson_at_compuserve.com
> This email is intended for the addressee only.
> The material may be privileged and confidential information.
> If you have received this email in error, please notify me immediately
> by email and delete the original. Thank you.
Nice disclaimer.
security_at_securify.darktech.org <Mike>
Security Admin
SecuriFy
[ All contents (c) SecuriFy, 1999-2000 Unless otherwise copyrighted ]
[ Please view our Disclaimer ]
Received on May 24 2000
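Mike's request above (a port list kept in a separate file, so nmap-services need not be edited) can be met without a patch by turning such a file into nmap's own `-p` syntax. This is an added example, not code from the original message or from nmap itself; it assumes the nmap-services line format ("name port/proto"), and the sample file contents and port numbers are constructed.

```python
"""Build an nmap -p port specification from a separate port-list file.

Added example (not from the original message or from nmap). The file is
assumed to use the nmap-services layout: "name port/proto [# comment]".
"""
import re

# Constructed sample of a separate list (e.g. abused.portlist).
SAMPLE_PORTLIST = """\
# abused.portlist: backdoor ports to check on hosts we administer
netbus          12345/tcp   # NetBus
netbus-alt      12346/tcp
backorifice     31337/udp   # Back Orifice
backorifice-tcp 31337/tcp
subseven        27374/tcp
bogus           99999/tcp   # out of range, must be ignored
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,5})/(tcp|udp)\b")

def parse_portlist(text):
    """Return ({tcp ports}, {udp ports}); comments, blank lines and
    invalid port numbers are skipped."""
    tcp, udp = set(), set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        port, proto = int(m.group(2)), m.group(3)
        if not 1 <= port <= 65535:
            continue
        (tcp if proto == "tcp" else udp).add(port)
    return tcp, udp

def collapse_ranges(ports):
    """Turn {1,2,3,7} into '1-3,7' so long lists stay compact."""
    out, ports, i = [], sorted(ports), 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        out.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
        i = j + 1
    return ",".join(out)

def nmap_port_spec(text):
    """Build the -p argument, e.g. 'T:12345-12346,27374,31337,U:31337'."""
    tcp, udp = parse_portlist(text)
    parts = (["T:" + collapse_ranges(tcp)] if tcp else []) + \
            (["U:" + collapse_ranges(udp)] if udp else [])
    return ",".join(parts)

if __name__ == "__main__":
    # e.g. nmap -sS -sU -p "$(python3 portspec.py)" 192.168.0.0/24 (constructed LAN)
    print(nmap_port_spec(SAMPLE_PORTLIST))
```

Current nmap releases also accept a custom services file directly via --servicedb, which covers the same need for the -F fast-scan case.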