Saturday, February 16, 2008

Is your port being probed?

Nmap recently released version 4.5, which marks the project's 10th anniversary since its first release in 1997. The new version adds a traceroute feature, a new OS fingerprinting detection engine and a new scripting engine. It also adds Zenmap (a GUI for Nmap) and new port disposition explanations.

Besides introducing the new version of Nmap, I was recently asked, "Can we detect or prevent Nmap scanning?" I think many people with security knowledge will know that a proper Intrusion Detection / Protection System (IDS/IPS) can easily detect scanning activity, and that a properly configured firewall can prevent a system from being scanned.

But frankly, Nmap scanning is quite harmless to your system; it is merely reconnaissance. If you do not wish to implement a full IDS/IPS but still want to detect Nmap scanning, a program named Port Scan Attack Detector (PSAD) will be useful.

PSAD is a lightweight network IDS that works on major Linux platforms. It can detect port scans and other suspicious traffic. It cannot do packet defragmentation or TCP stream reassembly like a full network IDS, but it incorporates many TCP, UDP, and ICMP signatures and is able to detect advanced port scans (e.g. SYN, FIN, XMAS). It can also work with iptables to block any detected traffic.
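A simplified illustration of the idea, added here and not psad's own code or algorithm: read iptables LOG lines, classify each TCP packet as a SYN, FIN or XMAS probe from its flags, and report sources that touch several distinct ports. The log lines, the threshold of 3 ports and all function names are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in iptables LOG format (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Feb 16 10:00:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 16 10:00:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 16 10:00:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 16 10:00:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 16 10:05:10 fw kernel: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=21 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Feb 16 10:05:10 fw kernel: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=25 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Feb 16 10:05:11 fw kernel: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=110 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Feb 16 10:07:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=198.51.100.5 PROTO=TCP SPT=33010 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 16 10:07:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=198.51.100.5 PROTO=TCP SPT=33010 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 16 10:08:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.30 DST=198.51.100.5 PROTO=TCP SPT=44000 DPT=80 WINDOW=5840 RES=0x00 ACK FIN URGP=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")                    # KEY=value pairs
FLAGS = re.compile(r"RES=\S+ ((?:[A-Z]+ )*)URGP=")    # flag words between RES= and URGP=
PORT_THRESHOLD = 3  # assumed: distinct ports from one source before reporting

# Flag combinations treated as probes (the scan types named in the post).
PROBES = {
    frozenset({"SYN"}): "SYN",
    frozenset({"FIN"}): "FIN",
    frozenset({"FIN", "PSH", "URG"}): "XMAS",
}

def detect_scans(log_text, threshold=PORT_THRESHOLD):
    """Return {(source_ip, scan_type): sorted ports} for sources at or above threshold."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        match = FLAGS.search(line)
        if fields.get("PROTO") != "TCP" or match is None:
            continue
        kind = PROBES.get(frozenset(match.group(1).split()))
        if kind:  # e.g. ACK FIN (a normal connection close) is ignored
            ports[(fields["SRC"], kind)].add(int(fields["DPT"]))
    # A retried SYN to one port is ordinary; many distinct ports is the scan signal.
    return {k: sorted(v) for k, v in ports.items() if len(v) >= threshold}

if __name__ == "__main__":
    for (src, kind), hit in detect_scans(SAMPLE_LOG).items():
        print(f"{kind} scan from {src}: ports {hit}")
```
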

Related Sites:
- Nmap 4.5
- psad - Intrusion Detection with iptables
