Mart Frauenlob wrote:
> On 25.01.2010 19:49, netfilter-owner@xxxxxxxxxxxxxxx wrote:
>
>> On 25/Jan/10 18:32, J. Bakshi wrote:
>>
>>> I have collected the iptables log against an nmap scan. Like
>>>
>>> [omitted almost identical log lines]
>>>
>>> Can I make a rule-set to prevent the above scan from the info collected
>>> at the log?
>>> Kindly enlighten me. Then I can make more rule sets from the log.
>>>
>> I'm not an nmap expert, but AFAIK nmap is designed to avoid just that. I
>> have installed some logging iptables rules, similar to the ones in your
>> previous message (from Arno's iptables scripts, IIRC) and sometimes some
>> of them fire, presumably because inappropriate flags had been given to
>> nmap.
>>
>> To recognize a scan, one may look at almost simultaneous TCP syn
>> occurring to several nearby ports/addresses, and not followed by an
>> ack. This would require specific connection tracking code that I've
>> never heard about. At any rate, you /have/ to respond to syn requests,
>> because they may be legit. You may recognize that they were scans by
>> analyzing the logs some time later, presumably for banning the relevant
>> IPs from further accessing your server...
>>
>
> I have not tried them yet, but there are extensions in
> xtables-addons. Might be worth trying:
>

Thanks for the info. Is there anyone already working with the module? Please share your experience.

Thanks

-- 
জয়দীপ বক্সী
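As an added example that is not code from this thread, the following Python script does the after-the-fact log analysis the reply describes: it picks bare SYNs out of netfilter LOG output and flags sources that hit many distinct ports within a short window. The sample log lines, the "SCAN?" log prefix, the addresses and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample netfilter LOG output, not taken from the post. Addresses are
# documentation ranges and "SCAN?" is an assumed --log-prefix.
SAMPLE_LOG = """\
Jan 25 19:49:01 gw kernel: SCAN? IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 25 19:49:01 gw kernel: SCAN? IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 25 19:49:01 gw kernel: SCAN? IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 25 19:49:02 gw kernel: SCAN? IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40004 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 25 19:49:02 gw kernel: SCAN? IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 25 19:49:02 gw kernel: SCAN? IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40006 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 25 19:50:30 gw kernel: SCAN? IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 25 19:55:10 gw kernel: SCAN? IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=51001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 25 19:51:00 gw kernel: SCAN? IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=33000 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*? SRC=(?P<src>\S+) .*? PROTO=TCP .*? DPT=(?P<dpt>\d+)\b")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")  # "URGP=0" does not match URG

def parse_syn_events(text, year=2010):
    """Return [(timestamp, src, dport)] for logged TCP packets with SYN set and ACK clear."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flags = set(FLAG_RE.findall(line))
        if "SYN" not in flags or "ACK" in flags:
            continue  # only bare SYNs are new connection attempts worth counting
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("src"), int(m.group("dpt"))))
    return events

def find_scanners(events, min_ports=5, window_seconds=10):
    """Map each source that hit >= min_ports distinct ports within window_seconds to those ports."""
    by_src = defaultdict(list)
    for ts, src, dport in sorted(events):
        by_src[src].append((ts, dport))
    scanners = {}
    for src, hits in by_src.items():
        for i, (start, _) in enumerate(hits):  # slide a window over the time-sorted hits
            ports = {d for t, d in hits[i:] if (t - start).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners
```

The thresholds are the tunable part: a low port count with a long window also catches the slow scans that a burst detector misses, at the cost of more false positives from legitimate multi-service clients.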