> Just a quick question regarding port scanning, how do you tell that you have
> been scanned
> I assume it shows up in the log files.

not necessarily. if you are running tcplogd (from the iplogger package) then you get a line like below for every tcp (this does NOT get udp or icmp packets) connection to your host:

Feb 25 01:12:01 badger tcplogd: smtp connection attempt from nowhere.org

tcpwrappers will also log connections to services and attempt to ident the user at the host the request came from (though ident requests are easily forged).

Feb 22 12:19:50 badger wu-ftpd[5222]: connect from [EMAIL PROTECTED]

the only *real* way is to enable firewalling in your kernel and write a firewall using ipfwadm. the key for logging is a line like this at the end of your allow list:

ipfwadm -I -a deny -S $ANYWHERE -D $HOST -o

where $ANYWHERE = 0.0.0.0/0 and $HOST = your ip

with this setup you can log basically any connection, and in fact if you want to you can even log traffic that was broadcast on the same segment but wasn't actually for you (so you can watch for people sending RFC1918 addresses).

> Also if you decide to implement a firewall then you might want to check
> out TIS at www.tis.com (if i remember correctly) as they do a free
> firewall toolkit, you may also want to check out the socks package as
> well.

the tis stuff and socks aren't really for protecting a host, they are for protecting a network behind a host which is acting as a router/gateway/proxy.

adam.

------------------------ Internet Alaska -------------------------
4050 Lake Otis            Adam Shand           (v) +1 907 562 4638
Anchorage, Alaska    Systems Administrator     (f) +1 907 562 1677
----------------- http://larry.earthlight.co.nz ------------------
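
Per-connection tcplogd lines like the one quoted in the reply only reveal a scan once they are correlated by source. The following is an added example, not part of the original message: a Python script that parses lines of that shape and flags any source that touches several distinct services within a short window. The threshold, window, default year and host names are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line shape taken from the tcplogd sample quoted in the message.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ tcplogd: "
                  r"(?P<svc>.+?) connection attempt from (?P<src>\S+)$")

def parse(lines, year=2000):
    """Yield (time, source, service) per tcplogd line; skip all other lines."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            # syslog timestamps carry no year; the default here is arbitrary
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["svc"]

def find_scanners(lines, min_services=3, window=timedelta(seconds=60)):
    """Map each source that hit >= min_services distinct services inside one
    sliding window to the sorted list of every service it touched."""
    by_src = defaultdict(list)
    for ts, src, svc in parse(lines):
        by_src[src].append((ts, svc))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({svc for _, svc in events[start:end + 1]}) >= min_services:
                flagged[src] = sorted({svc for _, svc in events})
                break
    return flagged

# Constructed sample log (hosts and times are made up for this example).
SAMPLE = """\
Feb 25 01:12:01 badger tcplogd: smtp connection attempt from mail.example.org
Feb 25 01:12:03 badger tcplogd: ftp connection attempt from scanner.example.net
Feb 25 01:12:03 badger tcplogd: telnet connection attempt from scanner.example.net
Feb 25 01:12:04 badger tcplogd: smtp connection attempt from scanner.example.net
Feb 25 01:12:04 badger tcplogd: finger connection attempt from scanner.example.net
Feb 25 01:30:00 badger wu-ftpd[5222]: connect from user@host.example.com
Feb 25 02:00:00 badger tcplogd: ftp connection attempt from slow.example.com
Feb 25 03:00:00 badger tcplogd: telnet connection attempt from slow.example.com
Feb 25 04:00:00 badger tcplogd: smtp connection attempt from slow.example.com
"""

if __name__ == "__main__":
    print(find_scanners(SAMPLE.splitlines()))
```

With the default 60-second window the slow source goes unflagged, which is the trade-off of any fixed window: widening it catches slower sweeps at the cost of flagging ordinary multi-service clients.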