Around Mon, Oct 14 2002, at 02:03, Sven Schuster wrote:
> Hello everybody,
> are down and the default policy is ACCEPT. But when I put in all my
> rules, the scanlogd doesn't log any portscans from the internet. I think
> that is because the packets are already dropped in the kernel by the
> iptables module, am I right??
>
> And now my question is if there's a chance to log portscans (maybe also
> the different kinds??) via some iptables rules, an extra iptables module
> or any other tool?? I hope that somebody knows something about it,
> because I think it's very nice to see how many people try to find holes
> in any system... it's already quite interesting to review the Apache logs
> every day, with people thinking there's an IIS running on my system :-)))

Use the logging feature.

    iptables -I INPUT -p tcp -j LOG --log-prefix "IPTABLES-IN "

would log *any* inbound TCP connection to syslog, including traffic you
have created (the return of an HTTP or FTP session).

You could pick a couple of ports and set logging on those ports:

    iptables -I INPUT -p tcp --dport 80 -j LOG --log-prefix "IPTABLES-IN "

would log any attempt to scan your port 80. Your outbound HTTP would not
be picked up by this.

I use IN as part of my INPUT log prefix, and OUT as part of my OUTPUT log
prefix; it makes it easier to track.

Roger
--
roger@efn.org
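As an added example that is not part of this thread, the script below reads syslog lines written by LOG rules with the "IPTABLES-IN " prefix, keeps only inbound connection attempts (SYN set, ACK clear, so the return traffic of your own sessions that Roger mentions is skipped) and reports sources that touched several distinct ports. The log lines, hostnames and addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed syslog lines in the layout the iptables LOG target produces
# (fields appear as KEY=VALUE, flags such as DF/SYN/ACK as bare tokens).
SAMPLE_LOG = """\
Oct 14 02:03:11 gw kernel: IPTABLES-IN IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 14 02:03:11 gw kernel: IPTABLES-IN IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 14 02:03:11 gw kernel: IPTABLES-IN IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 14 02:03:12 gw kernel: IPTABLES-IN IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4 DF PROTO=TCP SPT=40004 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 14 02:03:12 gw kernel: IPTABLES-IN IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=5 DF PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 14 02:03:13 gw kernel: IPTABLES-IN IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=6 DF PROTO=TCP SPT=80 DPT=51000 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Oct 14 02:03:14 gw kernel: IPTABLES-IN IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=7 DF PROTO=TCP SPT=33000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""


def parse_log_line(line, prefix="IPTABLES-IN "):
    """Return the LOG fields that follow `prefix` as a dict, or None if the
    line is not one of ours. KEY=VALUE tokens map to their value; bare flag
    tokens (DF, SYN, ACK, ...) map to True."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    fields = {}
    for tok in line[idx + len(prefix):].split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else True
    return fields


def find_scanners(log_text, min_ports=5, prefix="IPTABLES-IN "):
    """Map SRC -> sorted distinct DPTs for sources whose inbound connection
    attempts touched at least `min_ports` ports. Only pure SYN segments count:
    the SYN+ACK replies to sessions we opened ourselves are ignored."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_log_line(line, prefix)
        if not f or f.get("PROTO") != "TCP":
            continue
        if "SYN" not in f or "ACK" in f:
            continue
        ports[f["SRC"]].add(int(f["DPT"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for src, dpts in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {len(dpts)} ports: {dpts}")
```

In a real deployment, feed it the kernel facility of your syslog (for example `/var/log/kern.log`) and add a time window so a slow, long-lived source is not conflated with a burst.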