[NTLUG:Discuss] Seeing lots of NMAP scans
Chris Cox
cjcox at acm.org
Fri Jul 16 01:01:07 CDT 2004
Wayne Dahl wrote:
> I'm seeing a lot of NMAP scans in my firewall logs coming from just a
> few Verizon DSL users (reverse lookups point to a lot of them coming
> from one guy who appears to be changing his IP address a lot, but most
> of them seem to be coming from him)...a lot of port 445 scans, scans
> from other ISP users, etc. Is this some sort of attack attempt?
Uh... no... that's everyday internet usage.... welcome to the internet!
If my company sued everyone who port scanned us, half the known
world would be in jail by now.
>
> Are you guys seeing anything like this also? Most of the entries are
> ICMP PING NMAP and Smoothwall describes them as Type: Attempted
> information leak.
I sure hope you aren't replying to ping. Turn off icmp echo replies.
Keeps the stupid ones away (which is about 90% of them).
>
> I've set Smoothwall to block ICMP pings and also to block and ignore
> IGMP packets. I know that if I block ICMP pings, I can't be pinged from
> another outside address, but I can live with that. Will that be
> sufficient, given my current firewall, to stop NMAP scans?
>
Oh... so you have... good first step. And no, it won't prevent
nmap scans... well depends on the scan they're attempting.
nmap is friendly enough to let them know what options they'll
need to use if you're not allowing ping (-P0).
Everyone should "just live with that" with regards to icmp echo
reply.
Change IP ... and you'll probably be pretty safe.
After awhile, you'll probably be ok as well... but right now
they know your number and they'll dial it to death.