Why would one care about how many ports get scanned, as long as your rulesets cover the ones you care about + other ports discovered as you go? As long as you CYA, it won't get sunburned.

~piranha

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Raileanu Grigore
Sent: Wednesday, June 09, 2004 3:32 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: port scan identification

On Wed, 09 Jun 2004 11:33:59 +0200
Rakotomandimby Mihamina <rktmb.list@xxxxxxxxxx> wrote:

> Hello
>
> I try to set up my firewall correctly and would need your help on one
> thing:
>
> I have this rule:
> [...]
> iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
>   -j LOG --log-level debug --log-prefix 'p_scan_: '
> [...]
>
> and I see this when I tail the output file:
>
> [...]
> Jun 8 22:52:32 milina kernel: p_scan_: IN=ppp0 OUT= MAC=
> SRC=81.220.171.201 DST=81.248.95.56 LEN=40 TOS=0x00 PREC=0x00 TTL=54
> ID=45424 PROTO=TCP SPT=4391 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
> [...]
>
> Well. According to me, a port scan is the action of scanning _all_ the
> ports ... why is the port scan identified as only scanning the 80th port?
> I mean, a port scan should not be on one port only ... isn't it?
>
> --
> Rakotomandimby Mihamina Andrianifaharana
> Tel : +33 2 38 76 43 65
> http://stko.dyndns.info/site_principal/Members/mihamina
>

Try to use psd, from the patch-o-matic patches.
http://www.iptables.org/downloads.html#pomng-20040302

You can create a rule like this:

iptables -A INPUT -p ALL -m psd -j LOG --log-level DEBUG --log-prefix "PORTSCAN:"

--
Best regards,
Raileanu Grigore
mail: grisha at unixro dot net
phone: +40 742759147
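The thread's underlying point is that a single logged packet is not a port scan: the LOG rule fires once per packet that matches its flag test, so one bare RST to port 80 produces one line. Whether something is a scan only becomes visible when the log lines are grouped by source and the distinct destination ports are counted over a time window, which is essentially what the psd match does in the kernel. The following script is an added example, not code from the thread or from netfilter; it parses lines in the LOG-target format quoted above, reproduces the MASK/COMP semantics of --tcp-flags so you can see which flag combinations the quoted rule actually logs, and flags sources that hit several ports within a short window. The sample log lines, hostnames and addresses are constructed for the example, and the --log-prefix is assumed to be a single token, as 'p_scan_: ' is.

```python
import re
from collections import defaultdict
from datetime import datetime

TCP_FLAG_NAMES = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

# Syslog line written by the LOG target; the --log-prefix is assumed to be a
# single token (as 'p_scan_: ' is in the thread).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?P<prefix>\S+) (?P<rest>.*)$"
)
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")
FLAG_RE = re.compile(r"\b(" + "|".join(TCP_FLAG_NAMES) + r")\b")


def parse_iptables_log_line(line):
    """Turn one LOG-target line into a dict; returns None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(FIELD_RE.findall(rest))
    # Flag names (RST, SYN, ...) appear as stand-alone tokens after RES=;
    # the word boundary keeps "URGP=0" from being read as the URG flag.
    flags = frozenset(FLAG_RE.findall(rest))
    return {
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine for computing deltas within one capture
        "time": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "host": m.group("host"),
        "prefix": m.group("prefix"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "flags": flags,
    }


def matches_tcp_flags(flags, mask, comp):
    """Semantics of iptables --tcp-flags MASK COMP: look only at the bits in
    MASK and require exactly the bits in COMP to be set among them."""
    return set(flags) & set(mask) == set(comp)


RULE_MASK = {"SYN", "ACK", "FIN", "RST"}  # from the rule quoted in the thread
RULE_COMP = {"RST"}


def find_port_scans(lines, window_seconds=60, min_ports=5):
    """Group logged packets by source and report sources that touched at least
    `min_ports` distinct destination ports within any `window_seconds` span.
    Returns {src: sorted ports of the densest window}."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_iptables_log_line(line)
        if ev and ev["dpt"] is not None:
            by_src[ev["src"]].append(ev)
    scanners = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        best, start = set(), 0
        for end in range(len(evs)):
            # slide the window start forward until it spans <= window_seconds
            while (evs[end]["time"] - evs[start]["time"]).total_seconds() > window_seconds:
                start += 1
            ports = {e["dpt"] for e in evs[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            scanners[src] = sorted(best)
    return scanners


# Constructed sample log lines in the thread's format (documentation addresses,
# made-up IDs and times); not real traffic.
_TEMPLATE = ("Jun  8 {t} milina kernel: p_scan_: IN=ppp0 OUT= MAC= SRC={src} "
             "DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID={i} PROTO=TCP "
             "SPT={spt} DPT={dpt} WINDOW=0 RES=0x00 {fl} URGP=0")
_EVENTS = [
    # one stray RST to port 80, like the line in the thread: not a scan
    ("22:52:32", "192.0.2.10", 4391, 80, "RST"),
    # seven ports from one source in nine seconds: a scan
    ("22:53:01", "203.0.113.7", 55001, 21, "RST"),
    ("22:53:02", "203.0.113.7", 55002, 22, "RST"),
    ("22:53:03", "203.0.113.7", 55003, 23, "RST"),
    ("22:53:05", "203.0.113.7", 55004, 25, "RST"),
    ("22:53:06", "203.0.113.7", 55005, 80, "RST"),
    ("22:53:08", "203.0.113.7", 55006, 110, "RST"),
    ("22:53:10", "203.0.113.7", 55007, 143, "RST"),
    # three ports spread over an hour: below the threshold
    ("22:10:00", "198.51.100.77", 40000, 22, "RST"),
    ("22:40:00", "198.51.100.77", 40001, 80, "RST"),
    ("23:10:00", "198.51.100.77", 40002, 443, "RST"),
]
SAMPLE_LOG = [_TEMPLATE.format(t=t, src=s, i=1000 + n, spt=sp, dpt=dp, fl=fl)
              for n, (t, s, sp, dp, fl) in enumerate(_EVENTS)]

if __name__ == "__main__":
    for src, ports in find_port_scans(SAMPLE_LOG).items():
        print(f"{src}: {len(ports)} distinct ports in one window -> {ports}")
```

Run against the sample, only 203.0.113.7 is reported; the lone RST to port 80 and the three widely spaced packets stay below the threshold, which is the distinction the original rule cannot make on its own. The `matches_tcp_flags` helper also shows why the quoted rule sees packets such as RST+PSH but not RST+ACK: PSH is outside the mask and therefore ignored, while ACK is inside it and must be clear.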