
How is it possible to determine if someone makes requests with pentesting tools? Is there any Linux command?

schroeder
Vladimir

    When you run a webserver you need to get used to it getting constantly probed for vulnerabilities. This usually comes from botnets and is done fully automatic, so you can hardly do anything about the scans. All you can do is make sure they won't be successful by properly hardening your server. – Philipp Feb 13 '15 at 13:18
  • 1
    The answer is "yes, someone is scanning your server." – cpast Feb 13 '15 at 22:07

3 Answers


Is your system publicly accessible?

  • Yes: Someone is probably scanning it.

  • No: Are you scanning the server?

    • Yes: Well, you've just answered your own question now haven't you?
    • No: It's probably not getting scanned.
    • I don't know: Wait... what?
  • I don't know: You've got bigger problems. And yes, you're probably getting scanned.
Iszi


Short version: there is no central / unique command to check this by default on Linux

... but you could rely on several tools, depending on the kind of scanning that you would like to find:

  • Fail2ban to parse log files (ssh server, web server, ftp, vpn, etc.) in order to find any brute force / irregular login attempts (and trigger some firewall rules)
  • At the network level, you could use NIPS/NIDS solutions (Network Intrusion Prevention System / Network Intrusion Detection System) like Snort. For the network, you could also use some iptables rules to detect an ongoing scan (like this one)

But, like in every cat and mouse game, there are lots of possibilities for the attacker to avoid your iptables rules (reduce speed, random port scanning, increase source IPs, etc.). One good way to handle this would be to have strict control over opened ports (control IN and OUT flow, restrict access, etc.)

meepmeep
  • points out a critical security setup, controlling and monitoring outbound traffic. – COL Wotohice Feb 13 '15 at 18:33
  • One trick not mentioned here is to leave some well known ports open (or redirected) to a tcp wrappers handler - although this isn't going to help if you're running a webserver and the scanner is only targeting a single service which is already in use on the machine. – symcbean Feb 14 '15 at 01:25


If you are running a web server, you might also want to set up a honeypot in your web application and trap automated scans. This can be done by configuring a section of your site and disallowing it in robots.txt. Any automated scans will ignore this and will actually try to scan it. Any IPs accessing the disallowed area can be blacklisted using fail2ban, for example.

Rory Alsop
nicks
    nicks - while your answer includes some valid points it is not acceptable to spam your own product. please read our guidelines on spam. – Rory Alsop Feb 13 '15 at 16:28
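As an added example (not code from any of the answers above), a Python sketch of the robots.txt trap that answer describes: it reads the Disallow prefixes from robots.txt, flags client IPs that request those paths in constructed access-log lines, and builds a fail2ban-style failregex for a custom filter. The trap path, IP addresses and log lines are assumed sample values.

```python
import re
from collections import defaultdict

# Constructed robots.txt: the trap directory is disallowed, so only scanners that ignore robots.txt request it.
ROBOTS_TXT = """User-agent: *
Disallow: /admin-trap/
"""

# Constructed combined-format access log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Feb/2015:13:18:02 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Feb/2015:13:18:03 +0000] "GET /robots.txt HTTP/1.1" 200 40 "-" "Mozilla/5.0"
198.51.100.23 - - [13/Feb/2015:13:19:10 +0000] "GET /admin-trap/ HTTP/1.1" 404 209 "-" "-"
198.51.100.23 - - [13/Feb/2015:13:19:11 +0000] "GET /admin-trap/login.php HTTP/1.1" 404 209 "-" "-"
192.0.2.9 - - [13/Feb/2015:13:20:00 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.38"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def disallowed_prefixes(robots_txt):
    """Return the Disallow: path prefixes from a robots.txt body (all User-agent blocks, for simplicity)."""
    pairs = (line.partition(":") for line in robots_txt.splitlines())
    return [v.strip() for k, _, v in pairs if k.strip().lower() == "disallow" and v.strip()]

def trap_hits(log_text, prefixes):
    """Map each client IP to the disallowed paths it requested, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and any(m.group("path").startswith(p) for p in prefixes):
            hits[m.group("ip")].append(m.group("path"))
    return dict(hits)

def ips_to_ban(log_text, robots_txt, threshold=1):
    """IPs that touched a disallowed area at least `threshold` times: the set a fail2ban jail would act on."""
    hits = trap_hits(log_text, disallowed_prefixes(robots_txt))
    return sorted(ip for ip, paths in hits.items() if len(paths) >= threshold)

def fail2ban_failregex(prefixes):
    """fail2ban-style failregex for a custom filter; <HOST> is fail2ban's placeholder for the client address."""
    alt = "|".join(re.escape(p) for p in prefixes)
    return r'^<HOST> \S+ \S+ \[[^\]]+\] "[A-Z]+ (?:' + alt + r')\S* HTTP'

def failregex_matches(failregex, line):
    """Apply a failregex roughly as fail2ban would (substituting <HOST>); return the matched host or None."""
    m = re.match(failregex.replace("<HOST>", r"(?P<host>\S+)"), line)
    return m.group("host") if m else None
```

The failregex string would go in a custom filter file under fail2ban's filter.d directory, with a jail pointing at the web server's access log.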