Mario Olimpio de Menezes wrote:
>
> Hi,
>
> One computer where I have Debian installed was scanned
> recently. Someone probed several ports (~20), maybe trying to determine
> the running OS (something like nmap does).
> Do you think this *IS* an attack? I mean, should I report this
> as *AN* attack?
>
> []s,
> Mario

as an admin of several networks connected to the net i usually do not report port scans to isps. if i see something suspicious i usually just firewall that ip or that subnet from connecting to me. my main server gets quite a bit of suspicious connection activity. some of it is really odd, like 50 connection attempts to port 5555 or something when there is nothing on that port.

i use a program called SCANDETD, it's a primitive scan detection program that emails me when it detects scans. it's far from perfect but honestly i really don't have the time to go through logs for insignificant things such as portscans on a regular basis. if you maintain a tight system there usually isn't much to worry about anyways.

if you're interested in scandetd the output looks like:

    Possible port scanning from lnxd105.szif.hu,
    I've counted 30 connections.

    First connection was made to 1524 port at Sun Nov 26 16:10:18 2000
    Last connection was made to 1524 port at Sun Nov 26 16:10:18 2000

    Probably it was SYN scan (0 FIN flags and 30 SYN flags)

pretty cool prog. i've caught many things using it. it's not very well known so it may not be on freshmeat.net .. if you want a copy of it i can try to dig up the source or the url for it, email me direct. ..

nate

--
:::
ICQ: 75132336
http://www.aphroland.org/
http://www.linuxpowered.net/
[EMAIL PROTECTED]
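
As an added example (not part of the original post and not scandetd's own code), the following parses alert e-mails in the format quoted above and totals them per source host, so repeat sources can be reviewed before deciding on a firewall rule. The field layout is assumed from the single sample in the post, and `parse_alerts` and `by_source` are hypothetical names.

```python
import re
from datetime import datetime

# Constructed sample: the alert text quoted in the post.
SAMPLE = """Possible port scanning from lnxd105.szif.hu,
I've counted 30 connections.

First connection was made to 1524 port at Sun Nov 26 16:10:18 2000
Last connection was made to 1524 port at Sun Nov 26 16:10:18 2000

Probably it was SYN scan (0 FIN flags and 30 SYN flags)
"""

# Layout assumed from that one sample; \s+ tolerates re-wrapped mail bodies.
ALERT_RE = re.compile(
    r"Possible port scanning from\s+(?P<source>\S+?),\s+"
    r"I've counted\s+(?P<count>\d+)\s+connections\.\s+"
    r"First connection was made to\s+(?P<first_port>\d+)\s+port at\s+(?P<first_time>.+?)\s+"
    r"Last connection was made to\s+(?P<last_port>\d+)\s+port at\s+(?P<last_time>.+?)\s+"
    r"Probably it was\s+(?P<kind>\S+)\s+scan\s+"
    r"\((?P<fin>\d+)\s+FIN flags and\s+(?P<syn>\d+)\s+SYN flags\)"
)
TIME_FMT = "%a %b %d %H:%M:%S %Y"  # ctime()-style timestamp, as in the sample

def parse_alerts(text):
    """Return one dict per alert found in text (e.g. a saved mail folder)."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        first = datetime.strptime(m["first_time"], TIME_FMT)
        last = datetime.strptime(m["last_time"], TIME_FMT)
        alerts.append({
            "source": m["source"].lower(),
            "connections": int(m["count"]),
            # The alert names only the first and last port, not those in between.
            "ports": {int(m["first_port"]), int(m["last_port"])},
            "duration_s": (last - first).total_seconds(),
            "kind": m["kind"], "fin": int(m["fin"]), "syn": int(m["syn"]),
        })
    return alerts

def by_source(alerts):
    """Total alerts per source host, busiest first."""
    totals = {}
    for a in alerts:
        t = totals.setdefault(a["source"], {"alerts": 0, "connections": 0, "ports": set()})
        t["alerts"] += 1
        t["connections"] += a["connections"]
        t["ports"] |= a["ports"]
    return sorted(totals.items(), key=lambda kv: kv[1]["connections"], reverse=True)
```
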