RE: [cobalt-users] PortSentry works !
- Subject: RE: [cobalt-users] PortSentry works !
- From: Graeme Fowler <Graeme.F@xxxxxxxxxxxxxxx>
- Date: Thu Mar 15 08:43:06 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Christian Karlsson wrote:
> How can it be proved that a person has intended to commit
> further offences?
Because in normal operation you simply do not go around probing machines
for services. It's a little like spending time walking round someone's
house looking through all the windows; sooner or later someone will
approach you about your behaviour. Maybe you're trying to figure out if
the occupier is in trouble, but usually you're just trying to see
whether or not the video is worth stealing.
> Everyone who uses a portscan doesn't do this act in an
> attempt to hack in to the server.
No, not everyone. In my experience however most do - if they find an
open, commonly-exploited and vulnerable port then it's almost certain
you will start receiving cracking attempts.
> How many ports has to be tried to access before it can be
> called a "scan"?
> If I access the website (port 80), the POP3 (port 110), the
> ftp (port 21) and then the telnet (port 23) have I done a
> "portscan" then?
Not if you access those services legitimately, no. If however you carry
out a half-open SYN scan against those ports but do not actually make
use of the services then yes, you're scanning.
> I don't think it can be illegal to do a portscan. If so, it
> would also be illegal to carry a gun.
It is in the UK :)
As has been pointed out previously in this thread, the legality or
otherwise of port scanning is a grey area. As I said previously, to my
knowledge in the UK there have as yet been no prosecutions brought where
the 'offence' is port scanning.
Personally I feel that port scanning of any machine via a 'stealth'
mechanism (half-open SYN, NULL, or XMAS) is worth complaining about.
If a scan followed by an exploit followed by data loss occurs, then that
scan was the start of a chain of illegal events and should be included
in any action taken.
Until the law internationally catches up with the sort of people who
carry these things out, we're all in the grey area about what to do. My
advice: catch a portscan, look up the netblock owner, contact them and
their upstream's abuse dept. and see what they have to say. That's
usually enough to get an account closure.
Graeme Fowler
Systems Administrator
graeme.f@xxxxxxxxxxxxxxx
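
Added example, not part of the original message and not PortSentry's own code: a small detector that separates the legitimate access described above (a completed three-way handshake) from half-open SYN, NULL and XMAS probes in a packet list. The tuple format, the function names, the sample capture and the `min_ports` threshold are all assumptions made for the illustration.

```python
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP flag bits
STEALTH = {"half-open", "null", "xmas"}

def classify(packets, server):
    """Return {client: {server_port: verdict}} from time-ordered
    (src, dst, sport, dport, flags) tuples."""
    state = {}                    # (client, client_port, server_port) -> handshake stage
    verdicts = defaultdict(dict)
    for src, dst, sport, dport, flags in packets:
        flags &= 0x3F
        if dst == server:         # client -> server
            key = (src, sport, dport)
            if flags == 0:
                verdicts[src][dport] = "null"
            elif flags == FIN | PSH | URG:
                verdicts[src][dport] = "xmas"
            elif flags == SYN:
                state[key] = "syn"
            elif state.get(key) == "synack" and flags & RST:
                verdicts[src][dport] = "half-open"    # torn down instead of completed
                state[key] = "done"
            elif state.get(key) == "synack" and flags & ACK:
                verdicts[src][dport] = "established"  # normal three-way handshake
                state[key] = "done"
        elif src == server and flags == SYN | ACK and state.get((dst, dport, sport)) == "syn":
            state[(dst, dport, sport)] = "synack"
    for (client, _, port), stage in state.items():
        if stage == "synack":     # server answered, client never finished
            verdicts[client].setdefault(port, "half-open")
    return dict(verdicts)

def stealth_sources(verdicts, min_ports=2):
    """Clients with stealth probes on at least min_ports ports (threshold is arbitrary)."""
    return sorted(c for c, ports in verdicts.items()
                  if sum(v in STEALTH for v in ports.values()) >= min_ports)

# Constructed sample capture (documentation addresses, not real traffic).
SERVER, USER, PROBER = "192.0.2.10", "198.51.100.7", "203.0.113.5"
SAMPLE = [
    (USER, SERVER, 40000, 80, SYN), (SERVER, USER, 80, 40000, SYN | ACK),
    (USER, SERVER, 40000, 80, ACK),
    (PROBER, SERVER, 50001, 21, SYN), (SERVER, PROBER, 21, 50001, SYN | ACK),
    (PROBER, SERVER, 50001, 21, RST),
    (PROBER, SERVER, 50002, 23, SYN), (SERVER, PROBER, 23, 50002, SYN | ACK),
    (PROBER, SERVER, 50003, 110, 0),
    (PROBER, SERVER, 50004, 80, FIN | PSH | URG),
]
```

Calling `stealth_sources(classify(SAMPLE, SERVER))` lists only the prober's address; the client that completed its handshake on port 80 is recorded as "established" and is not reported.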