June 7th, 2002, 05:01 AM
port scan logs
What directory and log file do I find the port scanning activities? I have a red hat linux box and also win 2000. Please advise...Thanks
June 7th, 2002, 05:53 AM
I'm not sure exactly what you are asking...
If you are asking about logs containing information about scans of your system (LAN), then you need to have more nfo for us to work with (ie. What type of firewall system(s) are you running?)
If you are asking about logs containing information about scans that you have executed, then you need to have more nfo for us to work with as well (ie. What scanner(s) are you using?)
Wish I could help, but the question was rather vague... Sorry.
Many will ask, "Where do you want to go today?" because they're still scratching for ideas.
With *NIX, there's already a way. The sum of us just need roadmaps to get there.
June 7th, 2002, 06:42 AM
logs in unix are generally in /var/log...
In win2k, you can view logs with control panel | admin tools | event viewer (or just 'run eventvwr.exe') but you won't find anything about port scans there since w2k has no firewalling tool... (well, there is IPSec but I don't think it logs anything.. AFAIK)
Credit travels up, blame travels down -- The Boss
June 7th, 2002, 06:42 AM
I mean the logs containing info about scans of my system.
You see, I port scanned my linux box to check if I have open ports. Then, I tried looking at the /var/logs directory on my linux box but can't find any logs of the port scan activities I did on it.
Please shed more light in to this. Thanks
June 7th, 2002, 06:48 AM
/var/logs/messages for a default installation of redhat, use the grep command with the name of your IDS program, that generally does the trick. However, some IDS progs use their own log files to do it. You need to RTFM, or if it's a little known proggy then ask the programmer. They usually are very helpful..
And as for Win2k...... event manager in administrative tools or the specific proggy that you use as an IDS.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
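To show what the grep-through-/var/log/messages advice above looks like when scripted, here is an added example (not from anyone in this thread). It assumes the Red Hat box has an iptables LOG rule writing inbound SYNs to /var/log/messages; the sample lines are constructed, in a simplified form of the iptables LOG format, and the five-port threshold is a made-up heuristic.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/messages lines (simplified iptables LOG
# format). Assumption: a LOG rule exists; without a logging firewall rule
# or an IDS, a probe of a closed port leaves no trace in this file at all.
SAMPLE_MESSAGES = """\
Jun  7 05:01:02 rh7 kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP SPT=40001 DPT=21 SYN
Jun  7 05:01:02 rh7 kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP SPT=40002 DPT=22 SYN
Jun  7 05:01:02 rh7 kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP SPT=40003 DPT=23 SYN
Jun  7 05:01:03 rh7 kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP SPT=40004 DPT=25 SYN
Jun  7 05:01:03 rh7 kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP SPT=40005 DPT=80 SYN
Jun  7 05:01:03 rh7 kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP SPT=40006 DPT=443 SYN
Jun  7 05:02:10 rh7 kernel: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP SPT=3344 DPT=22 SYN
Jun  7 05:02:11 rh7 sshd[812]: Accepted password for pinoy from 192.168.1.77 port 3344
Jun  7 05:03:00 rh7 kernel: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP SPT=3345 DPT=80 SYN
"""

# Only kernel (firewall) lines carry SRC=/PROTO=/DPT= fields; sshd lines are skipped.
LOG_RE = re.compile(r"kernel: .*SRC=(\S+) .*PROTO=(\S+) .*DPT=(\d+)")


def ports_per_source(lines):
    """Map each source IP to the set of (proto, dport) pairs it touched."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            src, proto, dport = m.groups()
            seen[src].add((proto, int(dport)))
    return seen


def suspected_scanners(lines, threshold=5):
    """Sources that hit at least `threshold` distinct ports.

    The threshold is a constructed heuristic, not a standard; tune it to the
    host's normal traffic so a busy legitimate client is not flagged."""
    return {src: sorted(p for _, p in ports)
            for src, ports in ports_per_source(lines).items()
            if len(ports) >= threshold}


if __name__ == "__main__":
    # Real use: read open("/var/log/messages") instead of the constructed sample.
    for src, ports in suspected_scanners(SAMPLE_MESSAGES.splitlines()).items():
        print(f"{src} probed {len(ports)} ports: {ports}")
```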
June 7th, 2002, 09:17 AM
Uh? Pinoy's number of posts reads 'one', while he made two posts to this thread alone :?
I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.
June 7th, 2002, 09:28 AM
Thanks for the info. I found out that the /var/log/messages file does not report the scans attempted at closed ports. Only open ports. I presumed it would log the closed ports too. Guess not. That's the end of that experiment.
As for w2k, I see in the event viewer that the security log files are off by default?!!! Hmmm...that's weird! Anyway, how do I start security logging?
June 7th, 2002, 02:33 PM
No Guus, it reads two, but he has three posts here
pinoy> I believe that it is one of the services that you can manually start.
"Ignorance is bliss....
but only for your enemy"
June 13th, 2002, 06:06 AM
I don't understand your question, mainly because I've never heard of Windows coming with a scanner. But in your scanner you usually find your logs under Tools, from what I've seen.
June 14th, 2002, 01:52 PM
To turn on security logging:
1. Click Start, click Run, type mmc /a, and then click OK.
2. On the Console menu, click Add/Remove Snap-in, and then click Add.
3. Under Snap-in, click Group Policy, and then click Add.
4. In Select Group Policy Object, click Local Computer, click Finish, click Close, and then click OK.
5. In Local Computer Policy, click Audit Policy.
6. In the details pane, click the attribute or event you want to audit.
7. Click Action, and then click Security.
8. In Local Security Policy Setting, click the options you want, and then click OK.
9. Repeat steps 6, 7, and 8 for other events you want to audit.
You must be logged on as an administrator or as a member of the Administrators group to turn on security logging. Group Policy is available only to administrators.
If you have previously saved a console with Group Policy, you can open the saved console and go to step 5.
If your computer is connected to a network, security logging may be restricted or disabled by network policy.
The security log is limited in size, so carefully select the events to be audited and consider the amount of disk space you are willing to devote to the security log. For information about changing the log size, see Related Topics.
This procedure applies to Windows 2000 Professional computers, as well as Windows 2000 Server computers running as stand-alone servers or member servers. To turn on security logging for a domain controller, see Related Topics.
If security auditing has been enabled on a remote machine, you can view the event logs remotely with Event Viewer. Open an MMC console in author mode, and add Event Viewer to the console. When prompted to specify which computer the snap-in will manage, click Another computer and enter the name of the remote computer.
Security auditing for workstations, member servers, and domain controllers can be enabled remotely only by domain administrators. To do that, create an Organization Unit (OU), add the desired machine account(s) to the OU, and then, using Active Directory Users and Computers, create policy to enable security auditing.