Who's Scanning My Box?
saurus asks: "A fellow *nix person says I probably get scanned every day. I say, "No way -- I'd know!" Uhm, actually, if I sat on my box all day running sniffit+netstat+iptraf I might. Could you share a low maintenance monitoring [Open Source] solution? How would it fare against stealth probes?"
The simplest method is to do a continuous tcpdump and then use the shadow package from U.S. Naval Research (yes, it's GPLed) to analyse everything. Alternatively you can just log everything with paranoid options on in your syslog, i.e. debug mode or something. Your logs usually detail any such things.
Set up your firewall to log all packets it denies (or log all packets, period). This creates a possible DOS attack, however. Then write a perl script that parses the log file and produces reports based on src ip or whatever you want to group by.
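The log-parsing script this comment suggests, as an added example in Python rather than Perl (not the poster's code): it picks the per-packet deny lines that ipchains or ipfw write to syslog out of a log, groups them by source address, and reports each source once it has touched a threshold of distinct ports, in the style of the scanlogd line quoted later in this thread. The log lines and addresses are constructed; the two line layouts are assumed from the ipchains "Packet log:" and ipfw "Deny" syslog formats.

```python
import re
from collections import defaultdict

PORT_THRESHOLD = 5  # distinct destination ports before a source is reported

# ipchains (Linux 2.2): "Packet log: input DENY eth0 PROTO=6 10.0.0.5:1234 192.0.2.10:21 L=60 ..."
IPCHAINS_RE = re.compile(
    r"Packet log: \S+ (?:DENY|REJECT) \S+ PROTO=\d+ "
    r"(?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+)")
# ipfw (FreeBSD): "ipfw: 300 Deny TCP 198.51.100.7:40000 192.0.2.10:23 in via ed0"
IPFW_RE = re.compile(
    r"ipfw: \d+ Deny (?:TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+)")

# Constructed sample: one source probing six ports, one lone denied telnet try, one unrelated line.
SAMPLE_LOG = [
    f"Aug 17 05:21:{45 + i:02d} gw kernel: Packet log: input DENY eth0 PROTO=6 "
    f"10.0.0.5:{1234 + i} 192.0.2.10:{port} L=60 S=0x00 I=0 F=0x0000 T=64 SYN (#{i + 1})"
    for i, port in enumerate([21, 23, 25, 79, 110, 111])
] + [
    "Aug 17 05:22:01 gw /kernel: ipfw: 300 Deny TCP 198.51.100.7:40000 192.0.2.10:23 in via ed0",
    "Aug 17 05:22:02 gw sshd[123]: Accepted password for saurus from 203.0.113.4",
]


def parse_line(line):
    """Return (src, dst, dport) for a firewall deny line, or None for anything else."""
    m = IPCHAINS_RE.search(line) or IPFW_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def summarise(lines, threshold=PORT_THRESHOLD):
    """Group denied packets by source and report, once per source, every source
    that touched at least `threshold` distinct ports (scanlogd-style summary)."""
    ports = defaultdict(set)  # src -> distinct destination ports seen
    first_dst = {}            # src -> destination of its first denied packet
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        ports[src].add(dport)
        first_dst.setdefault(src, dst)
    return [
        f"From {src} to {first_dst[src]} ports {', '.join(map(str, sorted(pset)))}"
        for src, pset in sorted(ports.items()) if len(pset) >= threshold
    ]
```

Feeding it the whole day's log from cron gives the one-line-per-scanner daily mail several posters describe; a single denied connection never makes the report unless the threshold is lowered.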
I don't know how well this would deal with stealth scans, but I run a firewall on my FreeBSD box. It doesn't do much other than cover up Samba against outside hosts.
However, there are a whole ton of ports I never ever use, including telnet, and many others. I have my firewall set to leave these packets alone, BUT TELL ME WHEN IT GETS THEM. This means a scanner doesn't know he's been seen, and I get my daily security mailing with any losers who are portscanning me. Then I just toss 'em in /etc/ip.hostile and sh /etc/rc.firewall.
For those running a FreeBSD box that's reasonably recent, here are the commands I use on my 3.2-RELEASE machine in /etc/rc.firewall:
$fwcmd add allow log tcp from any to $ip 23
Change allow to deny depending on your policy (mine's a fairly insecure default allow) and tcp/udp and ports as needed. I log 4 tcp ports and only 1 udp port, which I should probably fix.
"Binaries may die but source code lives forever"
-- Unknown
SkyHawk
Andrew Fremantle
Portsentry + logcheck, available at www.psionic.com, will probably fit most of your needs. Portsentry checks for people scanning your computer in a myriad of ways and logcheck mails you when something goes wrong.
Now for the bad news, the licence isn't the best. It appears to be free to use (commercial or private) and while the source code is distributed and you can modify it, you cannot distribute those modifications. The worst aspect may be the words "Some of the software at this site is PATENT PENDING."
I've used these programs for several months now and been satisfied but if someone knows of a similar program with a nicer licence please let us all know.
There's a tool in the FreeBSD ports collection called 'clog' - this logs all connection attempts to a specified interface. A fine lump of software.
Get the source here. Yes, it really is just one C file.
-A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Aug 17 05:21:45 tettie-gw scanlogd: From 209.30.64.27 to 167.206.46.15 ports 12345, 30100, 20034, 1243, 55555, 54321, 6670, 1257, 30303,
- A.P.
It's in the SECurity diskset of SuSE. If it's installed, it'll start up on boot, no user intervention required.
I haven't been portscanned in over a month, I don't get portscanned very often. The last time I was portscanned, the little fscker tried to ADMmountd me.
He failed, of course. I also reported him to his ISP (cable provider in Georgia). I couldn't find their AUP, but my provider (RoadRunner in Newfoundland) responds to that stuff with a termination of service, as I told his ISP. I'm guessing (based on much experience) that he's using daddy's computer and cable modem. Daddies don't appreciate their punk kids getting their service terminated (lost email address).
Usually they give up after the ADMmountd fails, because anything else requires you to actually learn something.
As for portscans themselves, they're not as dangerous as people might think. The article where scanlogd was first posted explains all that (I forget where I read it, though). Just because someone portscans doesn't mean they're a script-kiddy. Nmap is a great tool to find out if a certain port that should be open is, in fact open. I used it to find out what ports are filtered by RoadRunner (web, ftp, X (I have to use VNC instead), SMTP (damn)). It can also be used by an ISP as an impromptu way of finding out what percentages of their users are running what OS.
For actually detecting scans, tcp wrappers comes in handy as does a sniffer called snort. Snort allows you to write rulesets -- and several people have -- to watch and detect activity on your network. Check it out at http://www.clark.net/~roesch/security.html
It's worth pointing out that such activity can be dangerous, because an attacker may be using a spoofed IP. I've seen setups where a spoofed attack from the gateway will cut off the machine.
DoS indeed. Kiddies that scan my boxes throw thousands of packets at it in the course of checking EVERY damned port on the thing. syslog throws a serious fit when you slam it with that much crap. The solution? The netlink device!
In 2.2/2.3 kernels, just turn on CONFIG_IP_FIREWALL_NETLINK and CONFIG_NETLINK. Then recompile and reboot and all of that... then make the device itself (mknod /dev/firewall c 36 3) and finally edit your ipchains lines...
The basic idea is to throw the headers from rejected crap at the netlink. So stick "-o 128" on the ipchains lines that deal with things you want to hear about.
NOW the fun part comes. Get a good book on TCP/IP (Stevens, ahem), write a loop to read /dev/firewall, and parse it according to the headers as documented in the book.
What happens now is up to you. I recommend tracking the stuff and logging a generic message *once* per lamer that's scanning you. You can even get creative and add a DROP rule for the twit to thwart any future checking. Just system() out to ipchains and be done with it.
You should always do some sanity checking first, if you are planning to automate the checking.
Also, I believe you can tell tcpdump to read /dev/netlink, by telling it to pick up the raw packet output of another tcpdump session. Or you could just run tcpdump and give it filter rules equivalent to what ipchains will block.
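The header-parsing half of the read loop this comment describes, as an added example (not the poster's code): decode the IPv4 and TCP headers from one packet copy of the kind "-o 128" hands to /dev/firewall, honouring the IP header length so IP options do not shift the port fields, and coping with copies that are not TCP, are later fragments, or were truncated before the TCP header. It assumes each copy starts at the IP header; the packet bytes are constructed by build_syn, where a real reader would os.read() the device in a loop.

```python
import socket
import struct

def parse_packet(buf):
    """Decode one packet copy read from the netlink device.

    Returns a dict with src/dst/proto and, for TCP, sport/dport/syn/ack,
    or None if the buffer is not a usable IPv4 header.  Handles the cases a
    raw reader must: IP options (IHL > 5), non-TCP protocols, non-first
    fragments (no TCP header present), and copies truncated by -o maxsize.
    """
    if len(buf) < 20:
        return None
    (ver_ihl, _tos, _tlen, _id, frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4            # IP header length incl. options
    rec = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto}
    if proto != 6 or frag & 0x1FFF:       # not TCP, or fragment offset != 0
        return rec
    if len(buf) < ihl + 14:               # truncated before the TCP flags byte
        return rec
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", buf[ihl:ihl + 14])
    rec.update(sport=sport, dport=dport, syn=bool(flags & 0x02), ack=bool(flags & 0x10))
    return rec

def build_syn(src, dst, sport, dport, options=b""):
    """Constructed test input: IPv4 header (plus optional IP options) + TCP SYN, no payload."""
    assert len(options) % 4 == 0, "IP options must be padded to a 4-byte boundary"
    ihl = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 5840, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp), 1, 0,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + options + tcp
```

The records it returns are what the per-source tracking the comment recommends would consume; a SYN to a closed port from a source that has already been reported carries no new information and should not produce a second log line.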
As a gamer, it is necessary for me to have Winblows 98 installed on one partition of one of my computers, just so I can play games that don't work with WINE for whatever reason. All of these options look great for my linux systems, but what about Windows? Is there anything at all out there that resembles a port scanner detector for windows?
SupremeOverlord
---- "A programmer is a person who solves a problem you didn't know you had in a way you don't understand."