Linux Security HOWTO : Network Security : SATAN, ISS, and Other Network Scanners : Detecting Port Scans
Previous: SATAN, ISS, and Other Network Scanners
Next: sendmail, qmail and MTA's

8.5.1. Detecting Port Scans

There are some tools designed to alert you to probes by SATAN, ISS and other scanning software. However, if you make liberal use of tcp_wrappers and look over your log files regularly, you should be able to notice such probes. Even on the lowest setting, SATAN still leaves traces in the logs on a stock Red Hat system.
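One way to automate that log review, as an added example that is not part of the original HOWTO: it flags any source that touches several distinct wrapped services within a short time window. The syslog line layout, the host and service names, the addresses and the thresholds are constructed assumptions; adjust them to what your own tcpd setup writes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style tcpd writes through syslog (assumed format).
SAMPLE_LOG = """\
Mar  3 10:15:01 gw in.telnetd[811]: refused connect from 192.0.2.7
Mar  3 10:15:01 gw in.ftpd[812]: refused connect from 192.0.2.7
Mar  3 10:15:02 gw in.fingerd[813]: connect from 192.0.2.7
Mar  3 10:15:02 gw in.rshd[814]: refused connect from 192.0.2.7
Mar  3 10:15:03 gw in.rlogind[815]: refused connect from 192.0.2.7
Mar  3 10:20:44 gw in.telnetd[820]: connect from 198.51.100.20
Mar  3 11:02:10 gw in.ftpd[831]: connect from 198.51.100.20
Mar  3 11:30:00 gw in.telnetd[840]: connect from 192.0.2.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<svc>[\w.-]+)\[\d+\]: "
    r"(?:refused )?connect from (?P<src>\S+)$")

def parse(text, year=2000):
    """Yield (time, source, service) for each tcpd connect/refused line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog omits the year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"].split("@")[-1], m["svc"]

def find_probes(text, min_services=4, window=timedelta(seconds=60)):
    """Return {source: services} for sources that touched at least
    min_services distinct services inside one sliding time window."""
    by_src = defaultdict(list)
    for ts, src, svc in parse(text):
        by_src[src].append((ts, svc))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {svc for ts, svc in events[i:] if ts - start <= window}
            if len(seen) >= min_services:
                flagged[src] = sorted(seen)
                break
    return flagged

if __name__ == "__main__":
    for src, services in find_probes(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {', '.join(services)}")
```

It only counts connections that tcpd actually handled, so a probe that never completes a connection to a wrapped service leaves nothing here to count.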

There are also "stealth" port scanners. A packet with the TCP ACK bit set (as is done with established connections) will likely get through a packet-filtering firewall. The returned RST packet from a port that _had no established session_ can be taken as proof of life on that port. I don't think TCP wrappers will detect this.

