On 25/Jan/10 18:32, J. Bakshi wrote:
> I have collected the iptables log against nmap scan. Like
> [omitted almost identical log lines]
> Can I make rule-set to prevent the above scan from the info collected at the log? Kindly enlighten me. Then I can make more rule sets from the log.
I'm not an nmap expert, but AFAIK nmap is designed to avoid just that. I have installed some logging iptables rules, similar to the ones in your previous message (from Arno's iptables scripts, IIRC) and sometimes some of them fire, presumably because inappropriate flags had been given to nmap.
To recognize a scan, one may look at almost simultaneous TCP syn occurring to several nearby ports/addresses, and not followed by an ack. This would require specific connection tracking code that I've never heard about. At any rate, you /have/ to respond to syn requests, because they may be legit. You may recognize that they were scans by analyzing the logs some time later, presumably for banning the relevant IPs from further accessing your server...
HTH
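As an added example (not part of the original thread), the after-the-fact log analysis the reply describes: pick out bare SYNs (SYN set, ACK clear) from iptables LOG lines and flag any source that hits several distinct ports within a short window, then render a DROP rule per flagged source for an operator to review. The log lines, the 10-second window and the four-port threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, abbreviated iptables LOG lines (not from the original mail): one host
# sends bare SYNs to four ports in two seconds; another completes a handshake on 22.
SAMPLE_LOG = """\
Jan 25 18:30:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=54321 DPT=22 RES=0x00 SYN URGP=0
Jan 25 18:30:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=54321 DPT=25 RES=0x00 SYN URGP=0
Jan 25 18:30:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=54321 DPT=80 RES=0x00 SYN URGP=0
Jan 25 18:30:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=54321 DPT=443 RES=0x00 SYN URGP=0
Jan 25 18:30:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=22 RES=0x00 SYN URGP=0
Jan 25 18:30:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=22 RES=0x00 ACK URGP=0
"""

# iptables prints the set TCP flag names, each followed by a space, between RES= and URGP=.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
    r" .*?RES=\S+ (?P<flags>(?:[A-Z]+ )*)URGP="
)

def bare_syns(log_text):
    """Yield (timestamp, src, dport) for each logged SYN that is not a SYN/ACK."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and "SYN" in m["flags"].split() and "ACK" not in m["flags"].split():
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["src"], int(m["dpt"])

def find_scanners(log_text, window_s=10, min_ports=4):
    """Map each source that sent bare SYNs to at least min_ports distinct ports
    inside any window_s-second sliding window to the sorted list of those ports."""
    by_src = defaultdict(list)
    for ts, src, dpt in bare_syns(log_text):
        by_src[src].append((ts, dpt))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while (events[hi][0] - events[lo][0]).total_seconds() > window_s:
                lo += 1
            ports = {p for _, p in events[lo:hi + 1]}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits

def ban_rules(scanners):
    """Render one DROP rule per flagged source, for an operator to review before applying."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(scanners)]
```

The threshold on distinct ports is what keeps a legitimate client, which retries one port, from being flagged; the window keeps a slow trickle of unrelated connections from accumulating into a false hit.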