LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-02-2012, 02:07 AM   #1
eagerlearner
LQ Newbie
 
Registered: Aug 2007
Posts: 15

Rep: Reputation: 0
Question How to detect port scanning application installed ?


Hi all

I have a server which I manage with SSH. There are a few times that my server firewall blocked my IP because it detected my pc is doing port scanning on the server. So I would like to identify if there's any port scanning application installed in my openSuSe, which made port scanning to the server. So how can I identify this ? using netstat to detect outgoing traffic from my pc ?

Thanks
 
Old 04-02-2012, 04:37 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
To be sure I have this correct, you have a server that has blocked your PC because of port scanning based upon IP address.
1 - Do the server and PC have public facing IP addresses or is this completely on a private LAN?
2 - If they have public IP addresses, is your PC static or Dynamic. In other words, could someone else have had your IP address and used it to scan, which caused you to get banned?
3 - what application are you using to perform the blocking and is it temporary or permanent?
4 - are you running any server applications on your PC that could have contributed to a vulnerability?
5 - can you correlate the time stamps from the logs to verify that your PC was on and had Internet access at the time.
6 - have you run any tools like nmap against your server from your PC which can appear as port scanning.

Now, with regards to checking your PC, the first thing I would do is watch and examine the network connections to see if anything is at work. While your doing this, you should NOT be doing general web browsing because this will open a lot of misc connections, mostly from ads. Second, look at the process tree to see what is running on your system. Three, look for any hidden files, especially in strange areas like /tmp, or /dev.

Here is a link to the CERT intruder detection checklist. I am posting a link to it because I think it describes some tests you want to run. In particular, you will also want to examine your cron tables very carefully because such an application may wake up periodically.

Here is a set of commands that will give you the process tree and help you examine the cron tasks. The other commands, such as finding files, are contained in the CERT checklist that I linked to above:
Code:
ps acxfwwwe,  ls -al /var/spool/cron, netstat -anpe
 
1 members found this post helpful.
Old 04-02-2012, 06:18 AM   #3
eagerlearner
LQ Newbie
 
Registered: Aug 2007
Posts: 15

Original Poster
Rep: Reputation: 0
Hi,

Thanks for your generous reply.

1 - Do the server and PC have public facing IP addresses or is this completely on a private LAN?
The server, Yes, it's a VPS server with public IP. For local PC, it's behind the router with LAN IP.

2 - If they have public IP addresses, is your PC static or Dynamic. In other words, could someone else have had your IP address and used it to scan, which caused you to get banned?
The server IP is static, while the PC is dynamic.

3 - what application are you using to perform the blocking and is it temporary or permanent?
The blocking was done by the preinstalled Cpanel program in the server,
server log
Apr 1 17:50:37 lfd[26288]: *Port Scan* detected from 123.123.123.123 (CountryCode/MyCountry/-). 11 hits in the last 291 seconds - *Blocked in csf* for 3600 secs [PS_LIMIT]
Hmn, seemed like it was due to the Login Failure Daemon (lfd), I remembered I was login in to the Mysql server using the Mysql WorkBench and had failed a few times. But I did not do till 11 hits.


4 - are you running any server applications on your PC that could have contributed to a vulnerability?
I am running apache, mysql server. But I don't think this has caused the issue on the server.

5 - can you correlate the time stamps from the logs to verify that your PC was on and had Internet access at the time.


6 - have you run any tools like nmap against your server from your PC which can appear as port scanning.
Not, I did not.

I will check others when I get to my PC

Thanks.
 
Old 04-02-2012, 10:41 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
Quote:
Originally Posted by eagerlearner View Post
Hi,
Apr 1 17:50:37 lfd[26288]: *Port Scan* detected from 123.123.123.123 (CountryCode/MyCountry/-). 11 hits in the last 291 seconds - *Blocked in csf* for 3600 secs [PS_LIMIT]
Hmn, seemed like it was due to the Login Failure Daemon (lfd), I remembered I was login in to the Mysql server using the Mysql WorkBench and had failed a few times. But I did not do till 11 hits.
You could be having a false positive type issue where your activity or login is mimicking a port scan. My initial thought was that the application is most likely looking at various logfiles and using a REGEX match against certain keywords, but it looks like LFD also takes into account port information, which could explain the error.

Have a look at this thread please. I am wondering if the LFD is interpreting your MySQL Workbench traffic as a port scan. You might want to take a look at the port used, your lfd log to correlate ports and access times, and then if it looks to be the issue, whitelist the port in your configuration file.
 
Old 04-02-2012, 09:45 PM   #5
eagerlearner
LQ Newbie
 
Registered: Aug 2007
Posts: 15

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Noway2 View Post
I am wondering if the LFD is interpreting your MySQL Workbench traffic as a port scan.
Yes, your wondering is right

It was due to my pc IP had changed and no longer in the allowed host to access MySQL server, so when I tried to login with Mysql Workbench, it fail and if I try few more time, my server will log the same error of port scanning had happened.

Thanks
 
  


Reply

Tags
detect, port, scanning


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Detect port scanning without psad - write own IDS wakatana Linux - Networking 1 10-05-2010 08:28 PM
Scanning the PCI config space from a C application L2S Programming 1 02-25-2009 09:12 AM
Port scanning? muppski Linux - Security 6 07-01-2005 05:44 PM
port scanning johncla Linux - Networking 1 05-02-2001 03:09 AM
Port Scanning tfrye Linux - Security 2 03-24-2001 09:43 AM


All times are GMT -5. The time now is 11:44 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration