Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
A LAND attack sets the source and destination address and port to the same. Might be the device doing NAT has trouble detecting what's legitimate traffic and what not. Same for your "FIN Scan" alert, TCP stream analysis with Wireshark should prove it to be a router detection error. Personally I'd always disable any scan detection or packet inspection on routers with low specs, favoring user land tools instead for accuracy and performance reasons.
When I compare this with other wireshark captures that contain http [FIN, ACK], they seem to be acknowledged. Lack of acknowledgement might be the cause of the problem (but my knowledge is too limited to be sure).
So, now I'm curious about the way forward.
PS the scans happen a couple of times aday and only while browsing the web (browser used is firefox 17.0.1)
Last edited by Wim Sturkenboom; 12-20-2012 at 12:45 PM.
Yes, your computer is communicating with an HTTP server and eventually tries to end the connections gracefully with FINs. However, the server isn't responding to them so your computer continues to resend the FINs until it gives up. It doesn't look like a FIN scan at all to me.