port scan logs
Results 1 to 10 of 10

Thread: port scan logs

  1. #1
    Junior Member
    Join Date
    Jun 2002
    Posts
    4

    port scan logs

    What directory and log file do I find the port scanning activities? I have a red hat linux box and also win 2000. Please advise...Thanks

  2. #2
    Member
    Join Date
    May 2002
    Posts
    82
    I'm not sure exactly what you are asking...

    If you are asking about logs containing information about scans of your system (LAN), then you need to have more nfo for us to work with (ie. What type of firewall system(s) are you running?)

    If you are asking about logs containing information about scans that you have executed, then you need to have more nfo for us to work with as well (ie. What scanner(s) are you using?)

    Wish I could help, but the question was rather vague... Sorry.

    Rev
    Many will ask, \"Where do you want to go today?\" because they\'re still scratching for ideas.

    With *NIX, there\'s already a way. The sum of us just need roadmaps to get there.

  3. #3
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    logs in unix are generally in /var/log...

    In win2k, you can view logs with control panel | admin tools | event viewer (or just 'run eventvwr.exe') but you won't find anything about port scans there since w2k has now firewalling tool... (well, there is IPSec but I don't think it logs anything.. AFAIK)

    Ammo
    Credit travels up, blame travels down -- The Boss

  4. #4
    Junior Member
    Join Date
    Jun 2002
    Posts
    4
    Rev,

    I mean the logs containing info about scans of my system.

    You see, I port scanned my linux box to check if I have open ports. Then, I tried looking at the /var/logs directory on my linux box but can't find any logs of the port scan activities I did on it.

    Please shed more light in to this. Thanks

  5. #5
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    /var/logs/messages for a default installation of redhat, use the grep command with the name of your IDS program, that generally does the trick. However, some IDS progs use their own log files to do it. You need to RTFM, or if it's a little known proggy then ask the programmer. They usually are very helpful..

    And as for Win2k...... event manager in administrative tools or the specific proggy that you use as an IDS.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  6. #6
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    Uh? Pinoy's number of posts reads 'one', while he made two posts to this thread alone :?
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  7. #7
    Junior Member
    Join Date
    Jun 2002
    Posts
    4
    KorpDeath,

    Thanks for the info. I found out that the /var/log/messages file does not report the scans attempted at closed ports. Only open ports. I pressumed it would log the closed ports too. Guess not. That's the end of that experiment.

    As for w2k, I see in the event viewer that the security log files are off by default?!!! Hmmm...that's wierd! Anyway, how do I start security logging?

  8. #8
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,884
    No Guus, it reads two, but he has three posts here

    pinoy> I believe that it is one of the services that you can manually start.
    \"Ignorance is bliss....
    but only for your enemy\"
    -- souleman

  9. #9
    er0k
    Guest
    i dont understand your question, mainly because ive never heard of windows coming with a scanner. But in your scanner you usually find your logs under tools. from what ive seen.

  10. #10
    Junior Member
    Join Date
    Sep 2001
    Posts
    6
    To turn on security logging

    Click Start, click Run, type mmc /a, and then click OK.
    On the Console menu, click Add/Remove Snap-in, and then click Add.
    Under Snap-in, click Group Policy, and then click Add.
    In Select Group Policy Object, click Local Computer, click Finish, click Close, and then click OK.
    In Local Computer Policy, click Audit Policy.
    Where?

    Local Computer Policy
    Computer Configuration
    Windows Settings
    Security Settings
    Local Policies
    Audit Policy
    In the details pane, click the attribute or event you want to audit.
    Click Action, and then click Security.
    In Local Security Policy Setting, click the options you want, and then click OK.
    Repeat steps 6, 7, and 8 for other events you want to audit.
    Notes

    You must be logged on as an administrator or as a member of the Administrators group to turn on security logging. Group Policy is available only to administrators.
    If you have previously saved a console with Group Policy, you can open the saved console and go to step 5.
    If your computer is connected to a network, security logging may be restricted or disabled by network policy.
    The security log is limited in size, so carefully select the events to be audited and consider the amount of disk space you are willing to devote to the security log. For information about changing the log size, see Related Topics.
    This procedure applies to Windows 2000 Professional computers, as well as Windows 2000 Server computers running as stand-alone servers or member servers. To turn on security logging for a domain controller, see Related Topics.
    If security auditing has been enabled on a remote machine, you can view the event logs remotely with Event Viewer. Open an MMC console in author mode, and add Event Viewer to the console. When prompted to specify which computer the snap-in will manage, click Another computer and enter the name of the remote computer.
    Security auditing for workstations, member servers, and domain controllers can be enabled remotely only by domain administrators. To do that, create an Organization Unit (OU), add the desired machine account(s) to the OU, and then, using Active Directory Users and Computers, create policy to enable security auditing.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides