What I would try is setting up a firewall LOG chain in iptables. Have iptables default to closed/drop ports on a host. With the log chain you could see who is attempting to access the closed/drop ports. This would track the offending IP. IP address fake? Not sure on that one. Should give you some useful info though.

On Fri, 21 Jun 2002, Simoncini, Matthew wrote:
Hi everyone,
I'm constantly getting port scanned from a certain IP address on our internal corporate network. I'd really like to find out where and who this person is, but don't know much outside of ping, traceroute, nslookup, etc .... I was wondering if anyone knows of any tools that can get me more information on this person? This happens to be on our private network, so most internet tools I don't think will help much.
Thanks for your time.
Matthew
--
¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø
Karl Hiramoto <karl@hiramoto.org>
Work: 978-425-2090 ext 25
Cell: 508-517-4819
Personal web page: http://karl.hiramoto.org/
Zoop Productions: http://www.zoop.org/
KTEQ Rapid City: http://www.kteq.org/
AOL IM ID = KarlH420
Yahoo_IM = karl_hiramoto
¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø
QOTD: "Like this rose, our love will wilt and die."
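The LOG-chain setup suggested in the reply above, sketched as an added example that is not part of the original thread: a default-drop ruleset that logs whatever it drops, plus a summary of the resulting kernel log by source address. The chain name LOGDROP, the "PORTSCAN: " prefix, the SSH exception on port 22 and the sample log lines (constructed and abbreviated) are all assumptions.

```shell
# Ruleset in iptables-restore format. Loading it as root replaces the filter
# table, so review it first. Unaccepted packets are logged (rate-limited), then dropped.
print_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 10/second --limit-burst 50 -j LOG --log-prefix "PORTSCAN: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Read kernel log lines on stdin and print "SRC distinct_ports packets",
# sources that touched the most distinct closed ports first.
summarize_scanners() {
    awk '/PORTSCAN: / {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "") next
        pkts[src]++
        if (dpt != "" && !((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
    }
    END { for (s in pkts) print s, ports[s] + 0, pkts[s] }' | sort -k2,2nr -k1,1
}

# Constructed sample log lines (abbreviated LOG-target output, not real traffic).
sample_log() {
cat <<'EOF'
Jun 21 10:00:01 host kernel: PORTSCAN: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:17:08:00 SRC=10.0.0.23 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=21 SYN
Jun 21 10:00:01 host kernel: PORTSCAN: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:17:08:00 SRC=10.0.0.23 DST=10.0.0.5 PROTO=TCP SPT=40001 DPT=23 SYN
Jun 21 10:00:02 host kernel: PORTSCAN: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:17:08:00 SRC=10.0.0.23 DST=10.0.0.5 PROTO=TCP SPT=40002 DPT=80 SYN
Jun 21 10:00:02 host kernel: PORTSCAN: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:17:08:00 SRC=10.0.0.23 DST=10.0.0.5 PROTO=TCP SPT=40003 DPT=80 SYN
Jun 21 10:05:10 host kernel: PORTSCAN: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:28:08:00 SRC=10.0.0.40 DST=10.0.0.5 PROTO=TCP SPT=1025 DPT=445 SYN
Jun 21 10:06:00 host sshd[812]: Accepted publickey for admin from 10.0.0.9
EOF
}

sample_log | summarize_scanners
```

For frames arriving on Ethernet, the LOG target also records a MAC= field (destination MAC, source MAC, EtherType), which on a local segment helps tie a logged source address to a sending interface.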