How to monitor ethernet connection and portscans? - Suse



  1. How to monitor ethernet connection and portscans?

    Just installed openSUSE 10.2 and what a relief. All my hardware was
    recognized and the configuring and tweaking has begun. However I still use
    windows for some specific programs, but find myself spending more time
    with SUSE. Of course it takes some time to find your way around, but that
    is the case with every new OS, so I think it's part of the learning process.

    As I get used to the OS, the questions on how to get specific things done
    will pop up from time to time. What I would like to know now is:
    - How to visibly monitor my ethernet connection and turn it off or on
    instantly?
    - How to monitor portscans actively? This is a windows habit and probably
    not necessary in a Linux environment?

    Thanks in advance for any advice or suggestions.

    Jan

    --
    openSUSE 10.2 (i586)
    KDE 3.5.5 "release 45.4"
    AMD Athlon 1.150 MHz + 1.024MB RAM

  2. Re: How to monitor ethernet connection and portscans?

    Jan wrote:
    > - How to visibly monitor my ethernet connection and turn it off or on
    > instantly?


    Gkrellm is a neat tool and can do much more than just that.

    > - How to monitor portscans actively? This is a windows habit and probably
    > not necessary in a Linux environment?


    I am sure it is possible, but I never paid any attention to it. Either
    my system is safe, or it isn't. Looking at the amount of attempts only
    will make me nervous for no reason. Counted sheep are eaten by the wolves
    as well, you know. ;-)


    houghi
    --
    ________________________ Open your eyes, open your mind
    | proud like a god don't pretend to be blind
    | trapped in yourself, break out instead
    http://openSUSE.org | beat the machine that works in your head

  3. Re: How to monitor ethernet connection and portscans?

    On Fri, 08 Jun 2007 07:40:03 +0200, Jan wrote:

    > Just installed openSUSE 10.2 and what a relief. All my hardware was
    > recognized and the configuring and tweaking has begun. However I still
    > use windows for some specific programs, but find myself spending more
    > time with SUSE. Of course it takes some time to find your way around,
    > but that is the case with every new OS, so I think it's part of the
    > learning process.
    >
    > As I get used to the OS, the questions on how to get specific things
    > done will pop up from time to time. What I would like to know now is: -
    > How to visibly monitor my ethernet connection and turn it off or on
    > instantly?
    > - How to monitor portscans actively? This is a windows habit and
    > probably not necessary in a Linux environment?
    >
    > Thanks in advance for any advice or suggestions.
    >
    > Jan



    I've just started using Firestarter.
    It auto overrides Suse's firewall and lists all port and app activity as well as attempted invasions (none in
    two weeks here!)

  4. Re: How to monitor ethernet connection and portscans?

    On Fri, 08 Jun 2007 07:40:03 +0200, Jan wrote:

    > Just installed openSUSE 10.2 and what a relief. All my hardware was
    > recognized and the configuring and tweaking has begun. However I still
    > use windows for some specific programs, but find myself spending more
    > time with SUSE. Of course it takes some time to find your way around,
    > but that is the case with every new OS, so I think it's part of the
    > learning process.
    >
    > As I get used to the OS, the questions on how to get specific things
    > done will pop up from time to time. What I would like to know now is: -
    > How to visibly monitor my ethernet connection and turn it off or on
    > instantly?
    > - How to monitor portscans actively? This is a windows habit and
    > probably not necessary in a Linux environment?
    >
    > Thanks in advance for any advice or suggestions.
    >
    > Jan



    Here's a fun thing: go to Steve Gibson's security website and let it check your ports:
    http://www.grc.com/default.htm
    Click the "Shield's Up" link and choose one of the various Shield's Up tests. Great info for the average Joe to
    understand.

    You can leave a port hanging open in Linux as easy as in Windows.

    Hope that helps.

  5. Re: How to monitor ethernet connection and portscans?

    Op Fri, 08 Jun 2007 08:57:08 +0200, schreef houghi:

    > Jan wrote:
    >> - How to visibly monitor my ethernet connection and turn it off or on
    >> instantly?

    >
    > Gkrellm is a neat tool and can do much more than just that.
    >
    >> - How to monitor portscans actively? This is a windows habit and probably
    >> not necessary in a Linux environment?

    >
    > I am sure it is possible, but I never paid any attention to it. Either
    > my system is safe, or it isn't. Looking at the amount of attempts only
    > will make me nervous for no reason. Counted sheep are eaten by the wolves
    > as well, you know. ;-)
    >
    >
    > houghi


    You may have a point there Houghi. But Linux is also about experimenting,
    discovering and tweaking the system to one's personal liking. It may not be
    necessary as you mention, because Linux is not really targeted as the main
    OS for viruses, portscans, trojans, etc.

    I once installed windows and forgot to install the firewall and
    virus programs first before connecting to the internet. Well, as one can
    guess my pc was attacked big time. I tried Vista, but after three days I
    came to the conclusion that it was time to start using another OS. Still
    use XP for specific software I'm familiar with, but I know that XP is the
    last windows OS I will be using just for that. All internet related
    activities are done in Linux now.

    Jan

    --
    openSUSE 10.2 (i586)
    KDE 3.5.5 "release 45.4"
    AMD Athlon 1.150 MHz + 1.024MB RAM

  6. Re: How to monitor ethernet connection and portscans?

    > Here's a fun thing: go to Steve Gibson's security website and let it
    > check your ports: http://www.grc.com/default.htm
    > Click the "Shield's Up" link and choose one of the various Shield's Up
    > tests. Great info for the average Joe to understand.
    >
    > You can leave a port hanging open in Linux as easy as in Windows.
    >
    > Hope that helps.


    Rob thanks for both your responses. Will give it a try real soon. Quite
    busy this weekend.

    Jan



    --
    openSUSE 10.2 (i586)
    KDE 3.5.5 "release 45.4"
    AMD Athlon 1.150 MHz + 1.024MB RAM

  7. Re: How to monitor ethernet connection and portscans?

    just plain rob wrote:
    > Here's a fun thing: go to Steve Gibson's security website and let it check your ports:
    > http://www.grc.com/default.htm
    > Click the "Shield's Up" link and choose one of the various Shield's Up tests. Great info for the average Joe to
    > understand.


    I rather use something that is directed at Linux instead of Windows.
    I always use http://www.linux-sec.net/Audit/nmap.test.gwif.html. It is
    also the tool I have on my machine and use.

    > You can leave a port hanging open in Linux as easy as in Windows.


    If you leave them hanging open, you need to open them first.

    houghi
    --
    ________________________ Open your eyes, open your mind
    | proud like a god don't pretend to be blind
    | trapped in yourself, break out instead
    http://openSUSE.org | beat the machine that works in your head

  8. Re: How to monitor ethernet connection and portscans?

    Jan wrote:
    > You may have a point there Houghi. But Linux is also about experimenting,
    > discovering and tweaking the system to one's personal liking. It may not be
    > necessary as you mention, because Linux is not really targeted as the main
    > OS for viruses, portscans, trojans, etc.


    If it is about curiosity, that is a good thing. Go look at snort. Also
    look at /var/log/*
    One of the things I have done is to see that my /var/log/messages isn't
    polluted by attempts of people who try to enter my ssh connection.
    http://www.novell.com/coolsolutions/tip/18080.html

    Understand that this does not make your system safer. It just prevents
    repeated logs to your system. Your system should already be safe.

    Now if you are curious, what you could do is open the connection to a
    user called `admin`, `guest` or `webmaster` or any of the many used
    names. You can find out which ones are the most used by doing as root:
    grep "Invalid user" /var/log/messages|awk '{print $8}'|sort| \
    uniq -c|sort -nr|head -n 25

    The login should go to a chrooted area where you then can start
    detecting what it will try to do. Then you can have some real fun by
    allowing more and more. You however must understand what you are doing
    and be able to shut down the connection at any time.

    You can also set the firewall to log many things and then just run `tail
    -f /var/log/whatever_the_file_for_firewall` and see what happens. If you
    like colours, use ccze http://freshmeat.net/projects/ccze/
    http://houghi.org/shots/wmaker/left_04.png on how it looks with me.

    houghi
    --
    ________________________ Open your eyes, open your mind
    | proud like a god don't pretend to be blind
    | trapped in yourself, break out instead
    http://openSUSE.org | beat the machine that works in your head

  9. Re: How to monitor ethernet connection and portscans?

    On Fri, 08 Jun 2007 07:40:03 +0200, Jan wrote:

    > How to visibly monitor my ethernet connection and turn it off or on
    > instantly?


    Monitor bandwidth usage with gkrellm. Turn network off in Yast or use
    the proper Suse command the CLI way, to which the command sequence I
    haven't run across yet - Just installed Suse. I'm used to another version
    of Linux.

    > - How to monitor portscans actively?


    nmapfe

    Add those two apps if you don't have them.

    --
    Linux Help: http://rsgibson.com/linux.htm
    Email - rsgibson@verizon.borg
    Replace borg with net


  10. Re: How to monitor ethernet connection and portscans?

    Ron Gibson wrote:
    > On Fri, 08 Jun 2007 07:40:03 +0200, Jan wrote:
    >
    >> How to visibly monitor my ethernet connection and turn it off or on
    >> instantly?

    >
    > Monitor bandwidth usage with gkrellm. Turn network off in Yast or use
    > the proper Suse command the CLI way, to which the command sequence I
    > haven't run across yet - Just installed Suse. I'm used to another version
    > of Linux.


    `rcnetwork stop`, `ifconfig ethX down` or even `halt` (That last one
    really works very well to shut down the network.)

    >
    >> - How to monitor portscans actively?

    >
    > nmapfe
    >
    > Add those two apps if you don't have them.


    There also is ethereal. A search on freshmeat.net brought me to
    http://www.packetshack.org/index.php?page=sensorTrends and besides
    snort, I mentioned in an earlier post to
    http://www.openwall.com/scanlogd/

    houghi
    --
    Personally, I think most sports fans are a little "gay". They'd
    rather watch a bunch of sweaty guys jumping all over eachother,
    than, say fashion TV - where hot models walk down the runway.

  11. Re: How to monitor ethernet connection and portscans?

    Jan wrote:

    > Just installed openSUSE 10.2 and what a relief. All my hardware was
    > recognized and the configuring and tweaking has begun. However I still use
    > windows for some specific programs, but find myself spending more time
    > with SUSE. Of course it takes some time to find your way around, but that
    > is the case with every new OS, so I think it's part of the learning
    > process.
    >
    > As I get used to the OS, the questions on how to get specific things done
    > will pop up from time to time. What I would like to know now is:
    > - How to visibly monitor my ethernet connection and turn it off or on
    > instantly?
    > - How to monitor portscans actively? This is a windows habit and probably
    > not necessary in a Linux environment?
    >
    > Thanks in advance for any advice or suggestions.
    >
    > Jan
    >


    wireshark

  12. Re: How to monitor ethernet connection and portscans?

    On Fri, 08 Jun 2007 08:57:08 +0200, houghi wrote:

    > Gkrellm is a neat tool and can do much more than just that.


    yep.

    >> - How to monitor portscans actively? This is a windows habit and
    >> probably not necessary in a Linux environment?


    > I am sure it is possible,


    Oh I wonder if he means *continuously*. I bet you could use nmap and
    scripts to do that but my creation wouldn't be very pretty. I'm an
    engineer and don't get these object oriented languages like C++.

    All I know is FORTRAN. I know just enough about C and C++ to get
    myself in trouble.

    > but I never paid any attention to it. Either my
    > system is safe, or it isn't. Looking at the amount of attempts only will
    > make me nervous for no reason. Counted sheep are eaten by the wolves as
    > well, you know. ;-)


    I look at nmapfe a few times a month. Since Linux is light years ahead
    of windows in security it is really a non-issue. Linux can be hacked
    too but as home users we are small potatoes and no one in their right
    mind would spend all the effort to hack one of our systems when it could
    be done so easily to a windows box.

    One of my cyber-acquaintances in another Linux NG is a security guru and
    he pointed out the frequency of attempted attacks on a windows box. What
    they did was count the number of attempts in a certain amount of time.

    The numbers were staggering, something like thousands per hour. I can't
    recall the numbers exactly but he provided a URL and I read the article.
    Bottom line is windows boxes have a big bulls eye painted on them for
    hackers.

    --
    Linux Help: http://rsgibson.com/linux.htm
    Email - rsgibson@verizon.borg
    Replace borg with net


  13. Re: How to monitor ethernet connection and portscans?

    Jan wrote:

    > As I get used to the OS, the questions on how to get specific things done
    > will pop up from time to time. What I would like to know now is:
    > - How to visibly monitor my ethernet connection and turn it off or on
    > instantly?


    In KDE there's a gizmo called KNetworkManager.

    > - How to monitor portscans actively? This is a windows habit and probably
    > not necessary in a Linux environment?
    >


    Ask the guy called Vahis; he used to be very active on this NG,
    unfortunately I don't see his posts anymore.
    Once I made a port scan of his computer and he almost instantaneously
    made a fuss about it:
    http://tinyurl.com/3x3462

    --
    Yours Virtually, Zibi

  14. Re: How to monitor ethernet connection and portscans?

    Zbycho BikeRider wrote:
    > Ask the guy called Vahis; he used to be very active on this NG,
    > unfortunately I don't see his posts anymore.
    > Once I made a port scan of his computer and he almost instantaneously
    > made a fuss about it:
    > http://tinyurl.com/3x3462


    You call that a fuss? He merely stated what he does if somebody does a
    scan on his machine.

    To be honest, he is correct in doing so. There is absolutely no need for
    you to scan him and scanning is a way of looking what ports are open so
    you can try to break in.

    If you are walking around and try every door if it is open, then most
    likely you will get questioned. Even if you say that you just are
    interested in whether the door is open or not, it might get you shot in
    some countries.

    So don't.

    houghi
    --
    Personally, I think most sports fans are a little "gay". They'd
    rather watch a bunch of sweaty guys jumping all over eachother,
    than, say fashion TV - where hot models walk down the runway.

  15. Re: How to monitor ethernet connection and portscans?

    On Fri, 8 Jun 2007, Jan wrote:-



    Right, before I start, I'm going to assume you're using KDE as your
    desktop. I don't know Gnome, nor do I use other desktop environments, so
    don't know if the same would apply.

    >As I get used to the OS, the questions on how to get specific things done
    >will pop up from time to time. What I would like to know now is:
    >- How to visibly monitor my ethernet connection and turn it off or on
    >instantly?


    Under YaST -> Network Devices -> Network Card , select the option
    "User Controlled with NetworkManager"

    Then, when you log in you should have the KNetworkManager applet appear
    in the system tray. From here you can turn the connection(s) on or off
    at will.

    >- How to monitor portscans actively?


    You mean you want to see when someone is port-scanning you? Not without
    a little fiddling. It involves adding an iptables rule[0] to log
    connection attempts, while using a console to filter out those
    connections and display them.

    >This is a windows habit and probably
    >not necessary in a Linux environment?


    Well, unless you like the false sense of security that you get from a
    "we blocked a port-scan" alert box, yes it is. And if all you're after
    is that wonderful false sense of security, I'm sure someone could knock
    up a script that would randomly display an alert box with the same sort
    of message.

    Heck, something like this should do:

    ***** cut here *****
    #!/bin/bash

    # script to display a "we blocked a port scan" alert box at random intervals
    #
    # this script relies on kdialog, which is included in the package kdebase3

    ERROR_MSG="We blocked a port scan from some random IP address!\nOkay, no we didn't.\nThis is just to make you feel like you're still running Windows and a software firewall.\nClick \"Continue\" to get another random warning"

    TITLE="Windows Software Firewall warning simulation"

    # enter a never-ending loop
    #
    while :
    do

    # pick a random number of seconds to wait. No less than 60, and no more than 300
    # results in a warnings appearing anywhere from 1 to 5 mins apart
    #
    TIMER=$(( $(( ${RANDOM} % 240 )) + 60 ))
    sleep ${TIMER}
    kdialog --warningcontinuecancel "${ERROR_MSG}" --title "${TITLE}" &>/dev/null
    [ "$?" -ne 0 ] && break
    done

    exit 0
    ***** cut here *****

    You'll need to copy it into ${HOME}/.kde/Autostart and then log back in
    again. Then you can enjoy the same random alert boxes you used to get
    under Windows. And, just so you can feel in control, all you need to
    keep this simulation going is to keep clicking on "Continue" :-)

    Once you get fed up of having this useless alert box keep popping up,
    just click cancel and it'll stop for this session. To stop it from
    auto-starting, all you'd need to do is remove it from the Autostart
    directory.


    [0] At a root console, just use the following couple of commands:

    iptables -I INPUT 1 -p tcp -i eth0 --tcp-flags SYN,ACK,FIN,RST SYN -j LOG --log-prefix "port-scan? "
    tail -f /var/log/messages | grep -F "port-scan? "

    The first sets up an iptables rule to log incoming connection attempts,
    and gives them a prefix "port-scan? " . The second command pipes
    /var/log/messages through to grep, which searches for lines containing
    "port-scan? " and displays them in the terminal window.

    Regards,
    David Bolt

    --
    Member of Team Acorn checking nodes at 50 Mnodes/s: http://www.distributed.net/
    RISCOS 3.11 | SUSE 10.0 32bit | SUSE 10.1 32bit | openSUSE 10.2 32bit
    RISCOS 3.6 | SUSE 10.0 64bit | SUSE 10.1 64bit | openSUSE 10.2 64bit
    TOS 4.02 | SUSE 9.3 32bit | | openSUSE 10.3a4 32bit
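
Added example, not part of the post above: the footnote's `grep` shows every logged SYN, ordinary connections included. The filter below can be fed from `tail -f /var/log/messages` and reports a source only once it has touched a threshold of distinct destination ports. The sample log lines, the addresses and the function names `sample_log` and `scan_alerts` are constructed for illustration.

```shell
#!/bin/bash
# Added example: reduce "port-scan? " LOG lines to one alert per source that
# probes many different TCP ports.

# Constructed sample in the netfilter LOG field layout (shortened; the
# addresses come from the documentation ranges, not from real hosts).
sample_log() {
cat <<'EOF'
Jun  8 10:00:01 linux kernel: port-scan? IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=21 SYN
Jun  8 10:00:01 linux kernel: port-scan? IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Jun  8 10:00:02 linux kernel: port-scan? IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
Jun  8 10:00:02 linux sshd[4242]: Invalid user admin from 198.51.100.20
Jun  8 10:00:03 linux kernel: port-scan? IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22 SYN
Jun  8 10:00:03 linux kernel: port-scan? IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23 SYN
Jun  8 10:00:04 linux kernel: port-scan? IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=22 SYN
Jun  8 10:00:04 linux kernel: port-scan? IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=80 SYN
EOF
}

# scan_alerts THRESHOLD
# Reads log lines on stdin. Prints "SRC COUNT" once, at the moment a source
# has sent SYNs to THRESHOLD distinct destination ports. Repeated SYNs to a
# port already seen from that source (retries, normal reconnects) do not count.
scan_alerts() {
    awk -v threshold="${1:-3}" '
        # Only lines written by the LOG rule carry the prefix.
        index($0, "port-scan? ") == 0 { next }
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)      src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next
            if (!((src, dpt) in seen)) {
                seen[src, dpt] = 1
                ports[src]++
                if (ports[src] == threshold) {
                    print src, ports[src]
                    fflush()    # keep output prompt when fed from tail -f
                }
            }
        }'
}

# Demonstration on the constructed sample: the host that tried four different
# ports is reported, the host that kept connecting to port 22 is not.
sample_log | scan_alerts 3
```

For live use the last line becomes `tail -f /var/log/messages | scan_alerts 10`, with the threshold chosen to sit above the number of services the machine actually offers.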

  16. Re: How to monitor ethernet connection and portscans?

    Zbycho BikeRider wrote:
    > I used to work as a technician managing several LAN/WAN networks, few
    > hundred users on each. My experience was that perhaps 99% of port scans
    > occurring in these networks were "automated scans" from unsecured
    > Windows computers infected by some worm, Trojan, or whatever trying to
    > spread, while their owners were completely unaware of that activity.
    > Remaining 1% of the port scans were made either by me or my boss, for
    > diagnostics.
    > There was absolutely no need and no use to do anything except
    > disconnecting these machines entirely or forcing their owners to change
    > their operating system.


    So because you do this, you think it is OK to do portscans on other
    people? That is stupid reasoning and no, the smiley does not help.

    The fact that they are done by trojans does not make it any better. In
    fact, it makes it WORSE, because the probability that such a scan is
    actually not just looking, but actually trying to hack is a lot bigger.

    Is it so difficult to understand: do not portscan people unwanted.

    houghi
    --
    Personally, I think most sports fans are a little "gay". They'd
    rather watch a bunch of sweaty guys jumping all over eachother,
    than, say fashion TV - where hot models walk down the runway.

  17. Re: How to monitor ethernet connection and portscans?

    houghi wrote:
    > Zbycho BikeRider wrote:
    >> I used to work as a technician managing several LAN/WAN networks, few
    >> hundred users on each. My experience was that perhaps 99% of port scans
    >> occurring in these networks were "automated scans" from unsecured
    >> Windows computers infected by some worm, Trojan, or whatever trying to
    >> spread, while their owners were completely unaware of that activity.
    >> Remaining 1% of the port scans were made either by me or my boss, for
    >> diagnostics.
    >> There was absolutely no need and no use to do anything except
    >> disconnecting these machines entirely or forcing their owners to change
    >> their operating system.

    >
    > So because you do this, you think it is OK to do portscans on other
    > people? That is stupid reasoning and no, the smiley does not help.
    >


    Smiley was after paragraph with "disconnecting these machines entirely
    or forcing their owners to change their operating system".
    Pity you did not notice.

    EOT for me. :|

    --
    Yours Virtually, Zibi

  18. Re: How to monitor ethernet connection and portscans?

    Zbycho BikeRider wrote:
    >> So because you do this, you think it is OK to do portscans on other
    >> people? That is stupid reasoning and no, the smiley does not help.
    >>

    >
    > Smiley was after paragraph with "disconnecting these machines entirely
    > or forcing their owners to change their operating system".
    > Pity you did not notice.


    I did notice. It just made no difference.

    houghi
    --
    Personally, I think most sports fans are a little "gay". They'd
    rather watch a bunch of sweaty guys jumping all over eachother,
    than, say fashion TV - where hot models walk down the runway.

  19. Re: How to monitor ethernet connection and portscans?

    houghi wrote:

    >> On Fri, 08 Jun 2007 07:40:03 +0200, Jan wrote:
    >>> How to visibly monitor my ethernet connection and turn it off or
    >>> on instantly?

    >
    > There also is ethereal.


    Ethereal has now been renamed Wireshark.

    --
    Dave Clarke

