Port scanning from my server
FedoraForum.org - Fedora Support Forums and Community
Results 1 to 2 of 2
  1. #1
    Join Date
    Oct 2007

    Port scanning from my server

    Hi there. I have a hosting server with a few hundred domains.. PLESK, etc.
    However, recently I have been seeing port scanning attempts to LAN addresses from my server.. 192.168.x.x are affected.
    Someone is trying all IP's in that range.

    Since they are short burts, I can't seem to find the culprit.. Can you provide any feedback on how I can find which program or user is doing this?

    Many thanks, -tk

  2. #2
    Join Date
    Nov 2015
    Gothenburg, Sweden

    Re: Port scanning from my server

    If you suspect that a certain program is used for scanning, like /usr/bin/nmap, you could use auditd to monitor it.

    All as root:
    % su -

    Make sure the auditd.service is up:
    % systemctl status auditd.service

    List your current auditing rules.
    % auditctl -l
    -a never,task

    I had to delete the above rule to make it work but auditctl is powerful and there are probably much better ways to do this logging. I'll just show what made it work for me :-)
    % auditctl -d never,task

    Add logging for when someone executes nmap:
    % auditctl -w /usr/bin/nmap -p x -k NMAP_LOG

    Then wait a day or two and then do:
    % ausearch -k NMAP_LOG

    The "uid=<x>" field on the SYSCALL line will show you who's used it since you started the logging. With a little sorting and counting, someone using it a lot should be clearly visible.

    When done, remove your auditing rule and add the old one back (if you also had this one rule like I did):
    % auditctl -a never,task
    % auditctl -W /usr/bin/nmap -p x -k NMAP_LOG

    You can also use auditd to log socket calls if it turns out that nmap is not used for the scanning and you need to build a more generic auditing rule for socket usage.

    Last edited by Ted Lyngmo; 17th November 2017 at 05:14 AM. Reason: typo

Similar Threads

  1. IPTABLES & NMAP port scanning!
    By Sam- in forum Security and Privacy
    Replies: 13
    Last Post: 8th May 2013, 04:29 AM
  2. Port closing for a server
    By Turtel in forum Programming & Packaging
    Replies: 2
    Last Post: 15th June 2011, 04:15 PM
  3. port to allow for NFS on server?
    By tparker in forum Servers & Networking
    Replies: 1
    Last Post: 5th January 2010, 01:47 AM
  4. avoid remote port scanning
    By rolando in forum Security and Privacy
    Replies: 14
    Last Post: 16th August 2005, 07:01 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts