From: Wayne Pascoe
To: freebsd-questions@freebsd.org
Subject: Re: Port scanning
Date: 02 Jul 2001 10:03:37 +0100
Message-ID: <86ae2nog7q.fsf@pan.ehsrealtime.com>

Kelvin Ng Chee Hoong writes:

> Hi;
> I've enabled TCP_DROP_SYNFIN and TCP_RESTRICT_RST options to against
> nmap and port scanning. To run the test, I ran nmap from another Linux
> machine. Although these two options have enabled, nmap still able
> scan through and list the state of services are running.
> Question:
> (1) How do I configure FBSD to against port scanning?
> (2) Where log file is stored to capture the event of port scanning?
> (3) How do I configure FBSD to send email alert or SMS once encountered
> port scanning action take place?
> Please advise.

I would advise that you run either an ipfw or an ipf firewall to
restrict services to your machine. Run a DENY by default type setup,
where you just bin packets without sending a return.

I don't know how to do this in ipfw but in ipf the lines look
something like

    block in log on fxp0 from any to any

Then in /etc/syslog.conf add the following (ipf again)

    !ipmon
    *.*     /var/log/ipf.log

This will cause all blocked packets to be logged in /var/log/ipf.log

HTH,

-- 
- Wayne Pascoe
E-mail: wayne.pascoe@realtime.co.uk
Phone : +44 (0) 20 7544 4668
Mobile: +44 (0) 788 431 1675
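Added example, not part of the original message: one way to turn the blocked-packet log described above into a port-scan indicator is to count how many distinct destination ports each source address was blocked on. The ipmon line layout matched below, the threshold of 10 ports, the function names and the sample log lines are all assumptions made for this illustration; check the pattern against your own /var/log/ipf.log.

```python
import re
from collections import defaultdict

# Assumed ipmon syslog layout: "... IFACE @GROUP:RULE b SRC,SPORT -> DST,DPORT PR tcp ..."
# where "b" marks a blocked packet. Lines without ports (e.g. ICMP) are skipped.
LINE_RE = re.compile(
    r"ipmon\[\d+\]: .*? (?P<iface>\S+) @\S+ b "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+)"
)

def find_scanners(lines, min_ports=10):
    """Return {src_ip: sorted distinct blocked dst ports} for every source
    blocked on at least min_ports different ports (threshold is an assumption)."""
    ports = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ports[m.group("src")].add(int(m.group("dport")))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

def sample_log():
    """Constructed log lines: one host sweeping ports 20-34, one stray packet,
    and one unrelated syslog line that must be ignored."""
    tmpl = ("Jul  2 10:01:{s:02d} pan ipmon[123]: 10:01:{s:02d}.000000 fxp0 @0:1 b "
            "{src},{sport} -> 192.0.2.10,{dport} PR tcp len 20 60 -S IN")
    lines = [tmpl.format(s=i, src="198.51.100.7", sport=40000 + i, dport=20 + i)
             for i in range(15)]
    lines.append(tmpl.format(s=30, src="203.0.113.9", sport=51515, dport=80))
    lines.append("Jul  2 10:02:00 pan sshd[456]: unrelated line")
    return lines

if __name__ == "__main__":
    # Replace sample_log() with open("/var/log/ipf.log") to read the real file.
    for src, hit in find_scanners(sample_log()).items():
        print(f"possible scan from {src}: {len(hit)} blocked ports "
              f"{hit[0]}-{hit[-1]}")
```

Run from cron, the printed lines can be piped to mail(1) to cover the alerting question; a single blocked packet from a host stays below the threshold and is not reported.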