I am running `scanlogd` to detect port scans. I have observed the following to generate a log message in `/var/log/syslog`.
- When I use `zenmap` (nmap GUI) to port scan this system from another computer on the same subnet
- Using `nmap` to scan the system from the localhost with 127.0.0.1 as the destination
- Using `nmap` to scan the system from the localhost with the external IP as the destination
- From my phone on a different subnet in the same organization (a university)
`/var/log/syslog`:

```
Aug 16 15:38:59 LIVE272675 scanlogd: 208.75.19.79 to 208.75.19.139 ports 22, 17500, 256, 135, 143, 113, 53, ..., ?????uxy, TOS 00 @14:57:26
Aug 16 15:40:20 LIVE272675 scanlogd: 127.0.0.1 to 127.0.0.1 ports 6010, 6011, 48153, 49681, 52321, 33819, 60076, ..., ?????uxy, TOS 00, TTL 64 @16:24:06
Aug 16 15:41:13 LIVE272675 scanlogd: 208.75.19.139 to 208.75.19.139 ports 80, 443, 993, 143, 256, 1720, 8080, 1723, ..., fSrpauxy, TOS 00, TTL 64 @20:41:13
Aug 16 15:49:07 LIVE272675 scanlogd: 208.75.243.17 to 208.75.19.139 ports 1, 2, 3, 7, 9, 11, ..., fSrpauxy, TOS 00, TTL 63 @20:49:07
```
However, scanning this machine from a machine outside the organization network did not generate any logs, even though the scans detected the ports that were open and the services that were running on the system correctly. Have I got some settings wrong? Or is this something that is expected?
Why is `scanlogd` missing the scans? Is there a way to detect all port scans?

Here they say the following:
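The syslog lines in the question follow one fixed scanlogd layout (`<src> to <dst> ports <list>, <flags>, TOS <hex>[, TTL <n>] @<time>`), and a quick way to compare the scans that were logged is to parse them and group by source. The script below is an added example written for this page, not scanlogd's own code nor the asker's; the sample lines are the ones from the question, and the function names (`parse_scanlogd_line`, `summarize`) and the regular expression are my own assumptions about the format, so a different scanlogd build may need the pattern adjusted.

```python
"""Parse scanlogd syslog lines and summarise detected scans per source.

Added example for this page, not from scanlogd or the question's author.
The sample lines are copied from the question; helper names are assumed.
"""
import ipaddress
import re
from collections import defaultdict

# scanlogd prints: "<src> to <dst> ports <list>, <flags>, TOS <hex>[, TTL <n>] @<time>"
# The port list is truncated with "..." after the first few entries.
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) scanlogd: "
    r"(?P<src>\S+) to (?P<dst>\S+) ports (?P<ports>.*?), (?P<flags>\S+), "
    r"TOS (?P<tos>[0-9A-Fa-f]+)(?:, TTL (?P<ttl>\d+))? @(?P<when>\S+)$"
)

# Sample input: the four lines quoted in the question.
SAMPLE_LOG = """\
Aug 16 15:38:59 LIVE272675 scanlogd: 208.75.19.79 to 208.75.19.139 ports 22, 17500, 256, 135, 143, 113, 53, ..., ?????uxy, TOS 00 @14:57:26
Aug 16 15:40:20 LIVE272675 scanlogd: 127.0.0.1 to 127.0.0.1 ports 6010, 6011, 48153, 49681, 52321, 33819, 60076, ..., ?????uxy, TOS 00, TTL 64 @16:24:06
Aug 16 15:41:13 LIVE272675 scanlogd: 208.75.19.139 to 208.75.19.139 ports 80, 443, 993, 143, 256, 1720, 8080, 1723, ..., fSrpauxy, TOS 00, TTL 64 @20:41:13
Aug 16 15:49:07 LIVE272675 scanlogd: 208.75.243.17 to 208.75.19.139 ports 1, 2, 3, 7, 9, 11, ..., fSrpauxy, TOS 00, TTL 63 @20:49:07
"""


def parse_scanlogd_line(line):
    """Return a dict of fields for one scanlogd event, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a scanlogd event, or a layout this pattern does not know
    f = m.groupdict()
    tokens = [t.strip() for t in f["ports"].split(",")]
    return {
        "stamp": f["stamp"],
        "host": f["host"],
        "src": f["src"],
        "dst": f["dst"],
        "ports": [int(t) for t in tokens if t.isdigit()],
        "truncated": "..." in tokens,      # only the first few ports are printed
        "flags": f["flags"],               # TCP flag summary as printed by scanlogd
        "tos": f["tos"],
        "ttl": int(f["ttl"]) if f["ttl"] else None,  # TTL is absent on some lines
        "when": f["when"],
        "src_is_loopback": ipaddress.ip_address(f["src"]).is_loopback,
    }


def summarize(log_text):
    """Group events by source address: event count, TTLs seen, ports and targets."""
    per_src = defaultdict(lambda: {"events": 0, "ttls": set(), "ports": set(), "dsts": set()})
    for line in log_text.splitlines():
        ev = parse_scanlogd_line(line)
        if ev is None:
            continue
        s = per_src[ev["src"]]
        s["events"] += 1
        s["ports"].update(ev["ports"])
        s["dsts"].add(ev["dst"])
        if ev["ttl"] is not None:
            s["ttls"].add(ev["ttl"])
    return dict(per_src)


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        ttls = sorted(info["ttls"]) or "n/a"
        print(f"{src}: {info['events']} event(s), TTL {ttls}, "
              f"{len(info['ports'])} distinct ports listed, targets {sorted(info['dsts'])}")
```

Running it on the four lines gives one entry per source (the LAN host, loopback, the machine's own external address, and the phone's subnet). The TTL column is worth keeping in the summary: the entries from inside the network show TTL 64 and 63, so when comparing a scan that did log against one that did not, the parsed fields give you something concrete to line up against packet captures or firewall logs rather than eyeballing syslog.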