On Mon, 9 Jul 2001, Zachary Uram wrote:
> how can i tell if someone is fingering me?

you can have finger log connections, your kernel (or packet filter) log
connections, use tcpd to log connections ... any sort of mechanism.

> or if they are using netstat or traceroute on me?

netstat is a local operation. it won't tell you jack about sockets on other
machines unless you're connected to them. presumably you mean port
scanning (where they can see what ports are open on a remote machine, ie
yours). i use scanlogd (http://www.openwall.com/) on Linux and *BSD boxes.
a good NIDS can also pick up port scans, they're pathetically easy to
observe.

traceroute is pretty easy, too. look for TTL 1 packets, look for signature
UDP packets (UNIX traceroute) or TTL=1 ICMP_ECHO_REQUEST packets (from
Win32 traceroutes). again, a host can log TTL=1 packets, you can listen on
UDP ports that traceroute would normally hit (see also dettecttr from a
back issue of phrack).

hope this helps,
____________________________
jose nazario [EMAIL PROTECTED]
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
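
The TTL=1 checks described in the reply above, as an added example that is not part of the original message: a classifier for raw IPv4 packets as the receiving host would see them, run over constructed sample packets. The UDP port window starting at 33434 (the traditional UNIX traceroute default), the label strings and the helper names are assumptions.

```python
import struct

# Assumptions (not from the original message): UNIX traceroute's UDP probes
# start at its traditional default port 33434 and count upward; the window
# size and the label strings are illustrative choices.
UDP_BASE, UDP_SPAN = 33434, 256
PROTO_ICMP, PROTO_UDP, ICMP_ECHO_REQUEST = 1, 17, 8

def classify(packet: bytes):
    """Label a raw IPv4 packet as seen by the receiving host, or return None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                              # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4                 # header length incl. options
    if ihl < 20 or len(packet) < ihl or packet[8] != 1:
        return None                              # malformed, or TTL is not 1
    proto, payload = packet[9], packet[ihl:]
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if frag_offset == 0:                         # later fragments lack an L4 header
        if proto == PROTO_UDP and len(payload) >= 4:
            dport = struct.unpack("!H", payload[2:4])[0]
            if UDP_BASE <= dport < UDP_BASE + UDP_SPAN:
                return "unix-traceroute"
        if proto == PROTO_ICMP and payload[:1] == bytes([ICMP_ECHO_REQUEST]):
            return "win32-traceroute"
    return "ttl1-other"                          # worth logging, not conclusive

def ipv4(ttl, proto, payload, options=b""):
    """Build a constructed sample packet (checksum left at zero)."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload),
                      0, 0, ttl, proto, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return hdr + options + payload

UDP_PROBE = struct.pack("!HHHH", 40000, 33436, 8, 0)   # sport, dport, len, csum
ECHO_REQ = struct.pack("!BBHHH", 8, 0, 0, 1, 1)        # type, code, csum, id, seq
DNS_QUERY = struct.pack("!HHHH", 40000, 53, 8, 0)

# Constructed samples, not captured traffic.
SAMPLES = {
    "unix probe": ipv4(1, PROTO_UDP, UDP_PROBE),
    "unix probe with IP options": ipv4(1, PROTO_UDP, UDP_PROBE, b"\x01\x01\x01\x01"),
    "win32 probe": ipv4(1, PROTO_ICMP, ECHO_REQ),
    "ordinary udp, ttl 64": ipv4(64, PROTO_UDP, UDP_PROBE),
    "ttl 1 to port 53": ipv4(1, PROTO_UDP, DNS_QUERY),
    "truncated": b"\x45\x00",
}

def label_all():
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}
```
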