Is it possible to detect a portscan with nc or a socket listener?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I don't think you can detect a port scanning by having just one process listening on one port. However, some port scanners do scanning at application layer, for check what type of apache version do you have for example, but from the perspective of nc I don't think you can detect a port scanning just by having one process listening in one port. Probably if you launch multiple instances of nc on different ports you can do it for sure.
SYN scan is the default[...] It is also relatively unobtrusive and stealthy since it never completes TCP connections
[...]
TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges.[...]
Not only does this take longer and require more packets to obtain the same information, but target machines are more likely to log the connection. A decent IDS will catch either,[...]
What's a more basic way to log it rather than using an IDS? IE. there must be a way to do it with a single script, since an IDS doesn't have to be built into the kernel or anything.
Is there a pcap library for Python, that would detect syn traffic?
I'm sure there are. The key is to find something that lets you work with raw sockets, so can go beneath the TCP abstraction (AFAIK, pcap does allow this).
Last edited by ntubski; 02-19-2017 at 07:35 PM.
Reason: add link for raw sockets
I have the following but it seems to be picking up all traffic, rather than just port 5454, nor does the script show up on netstat on port 5454. (And it does seem to be detecting syn traffic).
Code:
import socket
try:
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
except socket.error as e:
print('Socket creation failed. Error Code {} Message {}'.format(str(e[0]),str(e[1])))
sys.exit()
#Include IP headers
server_address = ('11.11.11.11', 5454)
s.bind(('11.11.11.11', '5454'))
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
while 1:
packet = s.recvfrom(65565)
print(packet)
you can detect portscans using iptables, but you'd need to work around any current rules and use either the recent or limit modules. You can also mix in ipsets for more fun on it and iptables does have the ability to log activity too. It is the way I'd do it on a production server.
I'm sure there are. The key is to find something that lets you work with raw sockets, so can go beneath the TCP abstraction (AFAIK, pcap does allow this).
If you're talking about using accept_filter, that probably won't work because listen() needs to be called first. Especailly since it is a connectionless system (SYN / followed by reset).
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
