Date:      Thu, 23 Sep 1999 12:56:30 -0700 (PDT)
From:      David Wolfskill <dhw@whistle.com>
To:        cshenton@uucom.com, freebsd-net@FreeBSD.ORG
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Inetd -l: log *all* connection attempts (not just valid svcs)
Message-ID:  <199909231956.MAA00728@pau-amma.whistle.com>
In-Reply-To: <lfr9jpis9s.fsf_-_@Samizdat.uucom.com>

>From: Chris Shenton <cshenton@uucom.com>
>Date: 23 Sep 1999 11:03:59 -0400

>FreeBSD-3.2 inetd has a "-l" flag which logs all attempts:

>...

>I'd like a way to log *all* network connection attempts, especially
>attempts to services which aren't defined. This would allow me to spot
>people scanning my host (where only a few services are enabled).

>Perhaps inetd isn't the right place to do this since it has no
>awareness of other services which might be running (e.g., httpd on
>port 80). Is this true? Or can inetd be bound to all unused ports to
>log attempts?

Well, once you have (say) an SMTP server listening to TCP/25, any
connection attempt to TCP/25 doesn't involve inetd any more.  Sure, you
can avoid that issue by instantiating the server in question once for
each connection, but that sounds painful to me.

>If not I suppose the logical conclusion would be to run ipfw or
>ipfil... certainly doable, but not as trivial for users to enable as
>turning on an inetd flag.  Suggestions?

For what it might be worth, when I set up my NAT/firewall box at home
(for the DSL connection), in addition to logging all denied packets, I
also set it up to log all passed "setup" TCP requests.

And yes, I did this with ipfw.

Cheers,
david
-- 
David Wolfskill		dhw@whistle.com		UNIX System Administrator
voice: (650) 577-7158	pager: (888) 347-0197	FAX: (650) 372-5915
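
Added example, not part of the original message or of FreeBSD: a Python sketch that reads the kind of syslog output the ipfw approach above produces and lists sources probing several closed ports, which is the scan-spotting goal raised in the quoted question. The log lines are constructed, and the line format, the rule numbers and the `min_ports` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample (not real traffic), modelled on the syslog lines ipfw
# writes for rules that carry the "log" keyword. Assumed rules: something like
# "allow log tcp from any to any 25 setup" and a final "deny log ip from any to any".
SAMPLE_LOG = """\
Sep 23 12:00:01 gw /kernel: ipfw: 500 Accept TCP 203.0.113.7:40112 192.0.2.10:25 in via ed0
Sep 23 12:00:04 gw /kernel: ipfw: 65000 Deny TCP 198.51.100.9:3051 192.0.2.10:23 in via ed0
Sep 23 12:00:04 gw /kernel: ipfw: 65000 Deny TCP 198.51.100.9:3052 192.0.2.10:111 in via ed0
Sep 23 12:00:05 gw sendmail[412]: MAA00412: from=<a@example.org>, size=812
Sep 23 12:00:05 gw /kernel: ipfw: 65000 Deny TCP 198.51.100.9:3053 192.0.2.10:139 in via ed0
Sep 23 12:00:06 gw /kernel: ipfw: 65000 Deny TCP 198.51.100.9:3054 192.0.2.10:6000 in via ed0
Sep 23 12:03:10 gw /kernel: ipfw: 65000 Deny TCP 203.0.113.50:1029 192.0.2.10:23 in via ed0
Sep 23 12:04:00 gw last message repeated 2 times
Sep 23 12:07:42 gw /kernel: ipfw: 500 Accept TCP 203.0.113.7:40150 192.0.2.10:25 in via ed0
"""

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>Accept|Deny) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"in via (?P<iface>\S+)"
)

def parse(log_text):
    """Yield one dict per recognised ipfw line; other syslog lines are skipped."""
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            yield match.groupdict()

def likely_scanners(log_text, min_ports=3):
    """Map source address -> sorted denied TCP ports, for sources that were
    denied on at least min_ports distinct destination ports."""
    denied = defaultdict(set)
    for rec in parse(log_text):
        if rec["action"] == "Deny" and rec["proto"] == "TCP":
            denied[rec["src"]].add(int(rec["dport"]))
    return {s: sorted(p) for s, p in denied.items() if len(p) >= min_ports}

def accepted_setups(log_text):
    """Count logged, passed TCP setup requests per destination port."""
    counts = defaultdict(int)
    for rec in parse(log_text):
        if rec["action"] == "Accept" and rec["proto"] == "TCP":
            counts[int(rec["dport"])] += 1
    return dict(counts)

if __name__ == "__main__":
    print("likely scanners:", likely_scanners(SAMPLE_LOG))
    print("accepted setups:", accepted_setups(SAMPLE_LOG))
```

A single denied attempt, such as the one from 203.0.113.50 in the sample, stays below the threshold and is not reported; syslog "last message repeated" lines are not expanded, so counts are a lower bound.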

