From owner-freebsd-security Mon May 24 19:13:32 1999
From: Warren Toomey
Message-Id: <199905250213.MAA02815@henry.cs.adfa.edu.au>
Subject: TCP connect data logger
To: freebsd-security@FreeBSD.ORG
Date: Tue, 25 May 1999 12:13:26 +1000 (EST)
Reply-To: wkt@cs.adfa.edu.au

This is strictly off-topic for FreeBSD, but anyway ...

A few people desired to know why someone was attacking port X on their box. Ages ago, I wrote a small program, tcpsuck, that is run from inetd. Tcpsuck sits on a port and logs the data coming in. It stops after a pre-defined timeout, or when the remote end breaks the connection. This can help you to determine what they are looking for.
It also slows TCP port strobe attacks, too :-)

Here is where I use it on my system:

bootserver stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
cisco-tna  stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
exec       stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
cmd        stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
nicname    stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
pop2       stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
pop3       stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
imap2      stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
supdup     stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
systat     stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
tcpmux     stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
login      stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
shell      stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck

I also wrote a udpsuck program for UDP ports, but current FreeBSD versions have UDP packet logging built-in.

Anybody interested in tcpsuck?

Warren
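Warren did not post tcpsuck itself, so the following is an added, stand-alone sketch (not his code) of what an inetd stream service of that kind does: inetd hands the accepted connection to the child as fd 0, the program reads whatever the peer sends, stops on idle timeout or when the remote end closes, and writes a log-safe copy to syslog. The 30-second timeout, the 4 KiB capture cap and the syslog facility are assumptions, not values from the post.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/time.h>
#include <syslog.h>
#include <unistd.h>
#define TIMEOUT_SEC 30   /* assumed idle timeout; the post gives no value */
#define MAX_CAPTURE 4096 /* assumed cap on bytes kept per connection */
/* Make captured bytes log-safe: printable ASCII stays, the rest becomes \xNN. */
size_t escape_capture(const unsigned char *in, size_t n, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < n && o + 5 < outsz; i++) {
        if (in[i] >= 0x20 && in[i] < 0x7f && in[i] != '\\')
            out[o++] = (char)in[i];
        else
            o += (size_t)snprintf(out + o, outsz - o, "\\x%02x", in[i]);
    }
    out[o] = '\0';
    return o;
}
/* Read from fd until the peer closes, the buffer fills, or nothing arrives
 * for timeout_sec seconds. Returns bytes captured, or -1 on a hard error. */
ssize_t capture_until_idle(int fd, unsigned char *buf, size_t bufsz, int timeout_sec)
{
    size_t total = 0;
    while (total < bufsz) {
        fd_set rfds;
        struct timeval tv = { timeout_sec, 0 };
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        int rc = select(fd + 1, &rfds, NULL, NULL, &tv);
        if (rc == 0) break;                                  /* idle: give up */
        if (rc < 0) { if (errno == EINTR) continue; return -1; }
        ssize_t n = read(fd, buf + total, bufsz - total);
        if (n <= 0) break;                                   /* remote closed */
        total += (size_t)n;
    }
    return (ssize_t)total;
}
int main(void)
{
    unsigned char raw[MAX_CAPTURE];
    char text[MAX_CAPTURE * 4 + 1];
    /* fd 0 is the connected socket when started from inetd as a stream/nowait service */
    ssize_t n = capture_until_idle(0, raw, sizeof raw, TIMEOUT_SEC);
    escape_capture(raw, n > 0 ? (size_t)n : 0, text, sizeof text);
    syslog(LOG_NOTICE, "captured %zd bytes: %s", n, text);
    return 0;
}
```

Installed as an inetd.conf entry like the ones above, each probe of a listened-on port produces one syslog line showing exactly what the client sent.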