In the previous article, we have seen that how KFSensorHoneypot IDS detects any unauthorized person by simulating vulnerable system services. Well, vulnerability to a hacker is like jewels. Every hacker or malicious person fist face of hacking is Footprinting and second is scanning where they get to know whether a system is vulnerable for performing an attack or not. So in this article, we will detect an unauthorized person or a hacker and stop it.
Install and start KFSensorHoneypot IDS server to do this read my previous article
Here my KFSensorHoneypot is ready.
Scanning phase tells us whether systems is vulnerable or not and sometimes even provide us exploit information which is available for that vulnerability. So every of the hacker performs this step before exploiting your system.
So here I try to scan my system running KFSensor with Nessus vulnerability scanner from another computer.
As you can see Nessus started scanning my system and finding the vulnerability.
Here you can see that KFSensorHoneypot IDS alerted you that someone is trying to scan your system for vulnerability and some of the packets your system is receiving are malicious and recorded attackers IP address.
Now I’m trying to scan my system with GFI Languard also to see that KFSensorIDS detect or not.
GFI Languard started scanning.
Here KFSensorHoneypot IDS alerted that someone is sending packets to get vulnerability of the system. Here you can monitor attacks on every TCP and UDP ports. Even you can see ICMP or ping messages.
Here you can see that someone is trying attacking on Port and his IP address is 192.168.149.1
You can also view alerts by visitor’s means which IP address is trying to access on which ports.
KfsensorHoneypot IDS can also detect whether someone is using a Vulnerability scanner or not to perform an attack on your system. Now we know that particular IP address is sending to many packets which are not good. So to block that IP address we have to create a separate policy for that visitor.
To do that double-click on IP address you want to block accessing your system, a menu will appear
Now click on details.
Here click on Create Visitor Ruleto create a policy.
After that select port, you want to block for that IP address and select actions Close or Ignore all requests from that particular IP address.