On Sat, Jan 13, 2001 at 11:50:48AM -0500, Noah L. Meyerhans wrote:
> On Sat, Jan 13, 2001 at 05:15:30PM +0200, Konstantinos Margaritis wrote:
> <snip>
> > a thing. Is port-scanning considered vandalism? Should I report the
> > addresses to somewhere?
>
> This is a subject of debate in security circles. Some believe that
> portscanning is an indication of malicious intent and should be treated
> as such. Others believe that portscanning is harmless and merely a sign
> of curiosity. I fall into the latter category. I know my machines are
> secure;
The problem with this is that you can't prove a negative. You can prove
that you _have_ been broken into, but you cannot prove that you _haven't_.
The same is true for your machines. You can prove that they are not secure,
but you cannot prove with 100% assurance that they are secure.
> I go to great lengths to ensure that they don't expose any known
> weaknesses to the world.
This is the problem. They do not expose any known weakness. What about
unknown weaknesses? New ones are being discovered every day. They don't
just pop into existence when they are discovered. Someone usually knows
about it beforehand...
> If someone wants to portscan me, they're welcome to it.
I tend to think of portscanning as a possible precursor to an attack. Pings
are mostly benign, though portscans tend to give away a little more
information than I feel comfortable with. The analogy of your house is the best I
have come across. Much like you would not want a total stranger coming up
to your house checking to see if the doors or windows are locked (or
peering into windows, for that matter), you probably should pay attention
to portscans.
> They'll find that there's not much of interest on my
> systems. I get portscanned a lot, but rarely attacked. It seems like
> you're pretty aware of what's going on on your network and would notice
> if an attack was made. In that case, I wouldn't bother reporting a
> simple port scan.
I do agree that reporting a portscan is probably overkill. But you should
at least note where it is coming from and what they are scanning.
> > What makes me curious is the fact that no ip came from the same
> > geographical area. Literally the ips resolved to machines from all the
> > continents of the world! As if I was under global attack! :-)
> > Of course these could be spoofed, but surely that is a really tough feat
> > just for port-scanning.
>
> It's also conceivable that the scanning machines were actually
> compromised themselves, and that the scanning was being done
> automatically in an attempt to find more target boxes.
Or it is possible to use spoofed addresses from most modern portscanners.
> > Lastly, what tool should be considered good for periodic checks on the
> > system files? tripwire? cops? i know tripwire is packaged but is there a
> > better alternative, tripwire being non-free and all that...
>
> Tripwire is no longer non-free. Version 2.3, a major update from the
> version available in Debian, has been released under the GPL. Go to
> www.tripwire.org to learn more. The files are available on sourceforge.
> It takes a while to build a good policy file, but it's very good at
> detecting system changes. 2.3 is also significantly faster than the old
> version.
Tripwire version 2.2.1 for Linux has been released to GPL and is available
from their website, http://www.tripwiresecurity.com. There is no listing
there of version 2.3, so 2.2.1 seems to be the latest and greatest.
There is also AIDE, the Advanced Intrusion Detection Environment, which is
also packaged.
--
--Brad
============================================================================
Bradley M. Alexander, CISSP | Co-Chairman,
Beowulf System Admin/Security Specialist | NoVALUG/DCLUG Security SIG
Winstar Telecom | [EMAIL PROTECTED]
(703) 889-1049 | [EMAIL PROTECTED]
============================================================================
If nothing ever sticks to Teflon, how do they make Teflon stick to the pan?
PGP signature
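Brad's advice above is to at least note where a scan comes from and which ports it touched. The script below is an added example, not code from the thread or from any of the posters: it summarises constructed firewall log lines (the SRC=/DST=/DPT= field names are an assumption, modelled loosely on Linux packet-filter logging) per source address, so a burst of distinct destination ports from one host stands out from a single stray packet.

```python
"""Summarise denied packets per source address to spot port scans.

Added example, not part of the original mailing-list thread. The log
lines are constructed for illustration; the field layout (SRC=, DST=,
PROTO=, SPT=, DPT=) is an assumption about the firewall's log format.
"""
import re
from collections import defaultdict

# Matches the fields we need from one log line; anything else is ignored.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r".*?PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed sample log (not real traffic): 192.0.2.10 walks six ports,
# 203.0.113.7 retries one port, 203.0.113.8 sends a single packet.
SAMPLE_LOG = """\
Jan 13 11:42:01 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=41234 DPT=21 SYN
Jan 13 11:42:01 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=41235 DPT=22 SYN
Jan 13 11:42:01 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=41236 DPT=23 SYN
Jan 13 11:42:02 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=41237 DPT=25 SYN
Jan 13 11:42:02 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=41238 DPT=80 SYN
Jan 13 11:42:02 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=41239 DPT=110 SYN
Jan 13 11:43:10 host kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=3421 DPT=80 SYN
Jan 13 11:43:11 host kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=3422 DPT=80 SYN
Jan 13 11:44:00 host kernel: IN=eth0 OUT= SRC=203.0.113.8 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=5555 DPT=111 SYN
Jan 13 11:44:05 host kernel: unrelated message that does not match
"""


def parse_lines(text):
    """Yield (src, dst, proto, dst_port) for every line that matches LOG_RE."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))


def summarise_scans(text, min_ports=5):
    """Return {src: sorted distinct destination ports} for sources that
    touched at least min_ports distinct ports.  Counting distinct ports
    rather than packets keeps a retried connection from looking like a scan."""
    ports_by_src = defaultdict(set)
    for src, _dst, _proto, dpt in parse_lines(text):
        ports_by_src[src].add(dpt)
    return {
        src: sorted(ports)
        for src, ports in ports_by_src.items()
        if len(ports) >= min_ports
    }


def report(text, min_ports=5):
    """Human-readable lines, one per suspected scanner."""
    return [
        "%s probed %d ports: %s" % (src, len(ports), ", ".join(map(str, ports)))
        for src, ports in sorted(summarise_scans(text, min_ports).items())
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

The threshold is the tuning knob: a low value also flags hosts that retry one service, a high one misses slow or narrow scans. Reverse-DNS lookups of the flagged sources, which the thread discusses, are deliberately left out so the script runs offline.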
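The end of the thread recommends Tripwire or AIDE for periodic checks on system files. As an added illustration of what such a tool does, and not code from Tripwire, AIDE, or anyone in the thread, the script below builds a baseline of file digests and metadata over a directory tree, then diffs a later snapshot against it. The scratch tree and the tampering it demonstrates are constructed in a temporary directory.

```python
"""Minimal file-integrity baseline and check, in the spirit of Tripwire/AIDE.

Added example, not the code of either project.  The demo tree, its
contents and the "tampering" are constructed here for illustration.
"""
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """Metadata plus a SHA-256 digest for regular files; symlinks record their target."""
    st = os.lstat(path)
    rec = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }
    if stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_baseline(root):
    """Walk root (without following symlinks) and record every file by relative path."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def compare(baseline, current):
    """Classify paths as added, removed or changed between two snapshots."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Baseline a scratch tree, tamper with it, and return the differences.

    The replaced 'ls' keeps the same size and mode, so only the digest
    reveals the change; a size-and-mtime check would miss it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls")
        with open(os.path.join(root, "etc_passwd"), "wb") as f:
            f.write(b"root:x:0:0")
        baseline = build_baseline(root)

        # Constructed tampering: same-size trojan, new file, deleted file.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls")
        with open(os.path.join(root, "bin", "rootkit"), "wb") as f:
            f.write(b"not really")
        os.remove(os.path.join(root, "etc_passwd"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The check is only as trustworthy as the stored baseline: if it sits on the monitored host where an intruder can rewrite it, the intruder can also rewrite the evidence. Tripwire's policy-and-signed-database design exists to address exactly that; in this toy version you would keep the JSON on read-only media or a separate machine.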