[ILUG] Detecting a port scan attempt on my machine.
Paul J Collins
sneakums at zork.net
Tue Mar 6 13:30:18 GMT 2001
>>>>> "DD" == David Dorgan <dorgand at eircom.net> writes:
>> This is where you find, read and implement the Firewalling HOWTO.
DD> The issue here is not Firewalling....it is detecting scans.
DD> As regards Firewalling...if I have a router and put a deny all
DD> and leave port 80 open, a host program will not inform you of
DD> a portscan...therefore Firewalling is useless in this case at
DD> least.
Which you can do with iptables/ipchains *without* having unnecessary
open ports that the whole world can see.
>> Of course, you still have to ensure that the applications
>> running on the still-open ports are up to date.
DD> Once again off the point.
Not if some random script kiddie is running exploits against your open
ports, such as maybe your httpd or your sshd.
>> I believe there is a way to get Portsentry to use ipchains to
>> block IPs that are port-scanning you, which may be helpful.
DD> The point being made is that showing open ports and setting
DD> off alarm bells and exploits flying at you is the wrong
DD> thing...transparent yet clearly viewable logging of such
DD> events is what is needed.
Well, duh. That's why I brought up firewalling in the first place:
you can drop and log packets without ever giving any indication that
they were received. You get the best of both worlds: no spurious open
ports, and you can see when you're being scanned.
--
"Pity has no place at my table."
-- Dr Hannibal Lecter
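As an added illustration of the "drop and log, answer nothing" approach argued above (example code written for this archive page, not part of the original thread or the Firewalling HOWTO), the script below does two things. First, it prints an iptables ruleset that silently drops everything except loopback, established traffic and new connections to port 80, while logging the dropped packets under a prefix; the interface, the allowed port, the log prefix and the rate limits are assumptions. Second, it reads kernel LOG lines of the form iptables emits and reports any source address that has probed several distinct destination ports, which is the "clearly viewable logging of such events" the discussion asks for. The log lines are constructed for the example; the addresses are documentation ranges.

```shell
#!/bin/sh
# Added example for the ILUG thread: log-then-drop ruleset plus a scan report
# built from the resulting kernel log lines.  Assumes iptables (netfilter),
# not ipchains; interface name, allowed port and prefix are assumptions.

# Print the ruleset.  Review it, then apply with:  firewall_rules | sudo sh
# Dropped packets are logged (rate-limited so a fast scan cannot flood the
# log) but never answered, so the scanner learns nothing from the reply.
firewall_rules() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "SCAN-DROP: "
iptables -A INPUT -j DROP
EOF
}

# Read kernel log lines on stdin; for every source address count the
# distinct destination ports it hit, and print "SRC count" for sources
# at or above the threshold (argument 1, default 5), sorted by address.
scan_report() {
    threshold="${1:-5}"
    awk -v thr="$threshold" '
        /SCAN-DROP:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # count each (source, port) pair only once
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END {
            for (s in ports) if (ports[s] >= thr) print s, ports[s]
        }
    ' | sort
}

# Constructed sample log: one host walking six ports (one port twice),
# one host touching a single port, and an unrelated kernel message.
SAMPLE_LOG='Mar  6 13:30:18 zork kernel: SCAN-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=40001 DPT=21 SYN
Mar  6 13:30:18 zork kernel: SCAN-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=40002 DPT=22 SYN
Mar  6 13:30:18 zork kernel: SCAN-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=40003 DPT=23 SYN
Mar  6 13:30:18 zork kernel: SCAN-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=40004 DPT=25 SYN
Mar  6 13:30:19 zork kernel: SCAN-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=40005 DPT=110 SYN
Mar  6 13:30:19 zork kernel: SCAN-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=40006 DPT=143 SYN
Mar  6 13:30:19 zork kernel: SCAN-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=40007 DPT=22 SYN
Mar  6 13:31:02 zork kernel: SCAN-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=51000 DPT=25 SYN
Mar  6 13:31:05 zork kernel: eth0: link is up'

# Stand-alone run: reports "192.0.2.10 6"; the single-port source is below threshold.
printf '%s\n' "$SAMPLE_LOG" | scan_report 5
```

In real use feed the function from the kernel log (for example `grep SCAN-DROP /var/log/messages | scan_report 10`). Because the LOG rule is rate-limited, a fast scan produces fewer log lines than packets, so the port counts are a lower bound; raise `--limit` if you want finer detail at the cost of a noisier log.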