VideoHelp Forum




  1. I'm a Super Moderator johns0
    Join Date
    Jun 2002
    Location
    canada
    Anybody else notice more port scans being detected by their firewall? About 3 weeks before the Sasser virus broke out my ports have been scanned all the time now with Sygate being the firewall.
    I think, therefore I am a hamster.
  2. contrarian rallynavvie
    Join Date
    Sep 2002
    Location
    Minnesotan in Texas
    My firewall is pretty hardcore. It only port-forwards what I want to only one "internet" PC, the others are pretty isolated. I use a Linux box for my active firewall and it does a pretty good job. I have noticed some port scans in the 4400-4800 range, all around typical P2P ports, which is a little disturbing. I'm actually trying to find a way to spoof a program response on the Linux box to create a "virtual PC" to hack into and see how long it takes them to realize they've entered the Matrix (fake PC). Only problem is I don't know RH9 well enough to do such a thing. However the best firewall protection comes from my bizarre combo of router/switches/firewalls. I have the DSL Gateway that acts as a router (which I mostly disabled), the RH9 box for most of my firewalling/scanning, then the D-Link wireless router sending out to my PCs. Usually I have to port forward through two places and scans tend to get lost on that dual-switch.

    I just realized I have no idea how my network actually works
  3. Member
    Join Date
    Jun 2002
    Location
    MO, US
    Originally Posted by rallynavvie
    I'm actually trying to find a way to spoof a program response on the Linux box to create a "virtual PC" to hack into and see how long it takes them to realize they've entered the Matrix (fake PC). Only problem is I don't know RH9 well enough to do such a thing.
    This type of thing is often called a "honeypot". Maybe a Google search on that term will give you a little information.

    I think the pf firewall in some of the BSDs can use passive fingerprinting (guessing the remote system type based only on the packets it's sending) in the rules. You can also get software for several systems to trick the common remote fingerprinting tools into seeing your machine as something it's not.
    A man without a woman is like a statue without pigeons.


