An adequate SATAN detector is just to alarm a few never used, but often
scanned ports. We've done this by putting a tcp process in inetd.conf
listening for a connection on tcpmux, rje, link, and supdup ports. Satan
and other scanners trip these ports. The process' only function is to
send out a syslog alarm to a secure station about the possible scan
attempt. It includes the source address of the machine sending the packet(s).
If anybody's interested I've put the lines and the source in
You can really stick it at any tcp port you want.
Doug Hughes Engineering Network Services
System/Net Admin Auburn University
"Real programmers use cat > file.as"
From: " (K. Lee Stark)" <stark @