Hi, I hope this is the right list for such matters.

Looking at my firewall computer's logs I noticed something strange. Random connections to specific ports (1, 21, 22, 23, 79, 98, 111) from 4 specific addresses. Each address tried to connect to a subset of the ports. Thankfully, the firewall (ipchains-based) denied all of these connections. For those that passed the firewall, the daemons (ssh, ftp, I don't run telnet) refused connections themselves, as there was a hostname/IP address mismatch.

I have denied all access to all 4 machines now, but I would like to know what is the proper process for such a thing. Is port-scanning considered vandalism? Should I report the addresses somewhere? What makes me curious is the fact that no IP came from the same geographical area. Literally, the IPs resolved to machines from all the continents of the world! As if I was under global attack! :-) Of course these could be spoofed, but surely that is a really tough feat just for port-scanning.

Lastly, what tool should be considered good for periodic checks on the system files? tripwire? cops? I know tripwire is packaged, but is there a better alternative, tripwire being non-free and all that...

Thanks for any help.

Konstantinos Margaritis

PS. I am not on the list, so I would appreciate it if you cc'd your replies to me.
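
Added example, not part of the original post: a small Python summarizer for the kind of ipchains deny log described above, grouping denied packets by source address and listing sources that probed several distinct ports. It assumes the kernel's "Packet log:" line layout written by ipchains rules with logging enabled; the function name, threshold and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed layout of an ipchains "-l" kernel log entry:
# Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=...
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>[A-Z]+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)"
)

# Constructed sample lines; all addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar  3 04:12:01 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:3312 203.0.113.5:1 L=60 S=0x00 I=4411 F=0x4000 T=47 SYN (#7)
Mar  3 04:12:01 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:3313 203.0.113.5:21 L=60 S=0x00 I=4412 F=0x4000 T=47 SYN (#7)
Mar  3 04:12:02 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:3314 203.0.113.5:23 L=60 S=0x00 I=4413 F=0x4000 T=47 SYN (#7)
Mar  3 04:12:02 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:3315 203.0.113.5:111 L=60 S=0x00 I=4414 F=0x4000 T=47 SYN (#7)
Mar  3 04:12:05 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.10:3316 203.0.113.5:25 L=60 S=0x00 I=4415 F=0x4000 T=47 SYN (#2)
Mar  3 09:40:17 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.77:1199 203.0.113.5:22 L=44 S=0x00 I=901 F=0x0000 T=52 SYN (#7)
Mar  3 09:40:17 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.77:1200 203.0.113.5:79 L=44 S=0x00 I=902 F=0x0000 T=52 SYN (#7)
Mar  3 09:40:18 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.77:1201 203.0.113.5:98 L=44 S=0x00 I=903 F=0x0000 T=52 SYN (#7)
Mar  3 09:40:20 fw sshd[412]: refused connect from 198.51.100.77
Mar  3 11:02:44 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:2040 203.0.113.5:113 L=60 S=0x00 I=77 F=0x4000 T=60 SYN (#7)
"""

def summarize_denied(lines, min_ports=3):
    """Map each source to its sorted denied ports, keeping sources with >= min_ports distinct ports."""
    ports = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["action"] not in ("DENY", "REJECT"):
            continue  # skip non-firewall lines and accepted packets
        if m["proto"] not in ("6", "17"):
            continue  # the port fields are only meaningful for TCP and UDP
        ports[m["src"]].add(int(m["dport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    for src, dports in sorted(summarize_denied(SAMPLE_LOG.splitlines()).items()):
        print(f"{src}: {len(dports)} distinct ports denied -> {dports}")
```

A per-source summary like this gives the address, time window and port list that an abuse contact for the source network would need in a report.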