From owner-freebsd-security Mon May 24 21:20:10 1999
Delivered-To: freebsd-security@freebsd.org
Received: from pop03.globecomm.net (pop03.globecomm.net [206.253.130.65])
        by hub.freebsd.org (Postfix) with ESMTP id 4FDD515063
        for ; Mon, 24 May 1999 21:20:01 -0700 (PDT)
        (envelope-from jschwab@royal.net)
Received: from usr15-dialup51.mix1.Irving.cw.net (usr15-dialup51.mix1.Irving.cw.net [166.62.215.51])
        by pop03.globecomm.net (8.9.0/8.8.0) with ESMTP id AAA04176;
        Tue, 25 May 1999 00:19:44 -0400 (EDT)
Date: Mon, 24 May 1999 22:17:03 -0600 (MDT)
From: "Jason L. Schwab"
X-Sender: jschwab@shellsys.net
To: wkt@cs.adfa.edu.au
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: TCP connect data logger
In-Reply-To: <199905250213.MAA02815@henry.cs.adfa.edu.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Yes, I'm interested in it! Sounds like something I could use!

-------------------------------------
Jason L. Schwab
* Unix System Administrator *
-------------------------------------

On Tue, 25 May 1999, Warren Toomey wrote:

> This is strictly off-topic for FreeBSD, but anyway ... A few people desired
> to know why someone was attacking port X on their box. Ages ago, I wrote a
> small program, tcpsuck, that is run from inetd. Tcpsuck sits on a port and
> logs the data coming in. It stops after a pre-defined timeout, or when the
> remote end breaks the connection.
>
> This can help you to determine what they are looking for. It also slows
> TCP port strobe attacks, too :-)
>
> Here is where I use it on my system:
>
> bootserver stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> cisco-tna stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> exec stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> cmd stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> nicname stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> pop2 stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> pop3 stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> imap2 stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> supdup stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> systat stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> tcpmux stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> login stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> shell stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
>
> I also wrote a udpsuck program for UDP ports, but current FreeBSD versions
> have UDP packet logging built-in.
>
> Anybody interested in tcpsuck?
>
> Warren
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
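
A minimal inetd-run sink in the spirit of the tcpsuck program described in the quoted message, given here as an added example: it is not Warren Toomey's tcpsuck source, which the thread does not include. The name tcpsink, the 30-second timeout, the 1024-byte log buffer and the IPv4-only peer lookup are assumptions.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <syslog.h>
#include <time.h>
#include <unistd.h>

/* Read fd until EOF or the deadline. Printable bytes are copied to log,
 * everything else becomes \xNN so the peer cannot inject newlines or
 * control characters; output is truncated once log is full. */
long drain(int fd, int timeout_sec, char *log, size_t logsz)
{
    unsigned char buf[512];
    size_t used = 0;
    long total = 0;
    time_t deadline = time(NULL) + timeout_sec;
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    log[0] = '\0';
    for (;;) {
        time_t left = deadline - time(NULL);
        if (left <= 0 || poll(&pfd, 1, (int)left * 1000) <= 0)
            break; /* timeout or poll error */
        ssize_t n = read(fd, buf, sizeof buf);
        if (n <= 0)
            break; /* peer closed the connection */
        total += n;
        for (ssize_t i = 0; i < n && used + 5 <= logsz; i++)
            used += (size_t)snprintf(log + used, logsz - used,
                isprint(buf[i]) && buf[i] != '\\' ? "%c" : "\\x%02x", buf[i]);
    }
    return total;
}

int main(void)
{
    struct sockaddr_in peer;
    socklen_t len = sizeof peer;
    char log[1024], addr[INET_ADDRSTRLEN] = "unknown";
    /* inetd passes the accepted socket as descriptor 0 */
    if (getpeername(0, (struct sockaddr *)&peer, &len) == 0 && peer.sin_family == AF_INET)
        inet_ntop(AF_INET, &peer.sin_addr, addr, sizeof addr);
    long n = drain(0, 30 /* assumed timeout */, log, sizeof log);
    openlog("tcpsink", LOG_PID, LOG_DAEMON); /* hypothetical program name */
    syslog(LOG_NOTICE, "from %s: %ld bytes: %s", addr, n, log);
    return 0;
}
```

It would be listed in inetd.conf the same way as the entries quoted above, running as nobody, with the program path replaced.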