Date:      Mon, 14 Oct 2002 14:31:05 -0500
From:      "Maildrop" <maildrop@qwest.net>
To:        freebsd-security@freebsd.org
Subject:   FW: monitor ALL connections to ALL ports
Message-ID:  <NGBBIILBAKIFGHHCHOHPOEODFJAA.maildrop@qwest.net>


I put this rule in:

ipfw add count log all from any to any

I am getting messages in my log (/var/log/all.log) that appear like this:
Oct 14 14:15:06 hydra /kernel: Connection attempt to UDP 192.168.17.1:161
from 192.168.17.1:1166

Which is exactly what I want, but there are a couple of issues:

1) It only logs "failed" connects.  If I try to `telnet localhost 55`, it
will log that, but if I do a `telnet localhost 80` (where the web server is
running) the connection is valid and it doesn't log it.

2) How do I set up syslog for this?  The ipfw man page says it logs to the
LOG_SECURITY facility.  I want to log all connections (failed or not) into
one file.

This is what I currently have in my syslogd.conf file (the log above I am
pulling from all.log):

security.*                                      /var/log/security
log.security                                    /var/log/ipfw.log

Both these files are empty :(  I restarted syslogd.

Regards,
Jack



> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Dragan Mickovic
> Sent: Saturday, October 12, 2002 9:41 AM
> To: Maildrop
> Cc: freebsd-security@freebsd.org
> Subject: Re: monitor ALL connections to ALL ports
>
>
> You can just put IPFilter with a default rule to pass and log. By default
> it will log src, dst, port, len, i.e.:
>
> Sep 22 19:39:20 server_name ipmon[84]: 19:39:20.251359 fxp0 @0:20
> b 192.168.1.20,137 -> 192.168.1.255,137 PR udp len 20 78 IN
>
>
> micko
>
> On Sat, Oct 12, 2002 at 12:17:42AM -0500, Maildrop wrote:
> >
> > I currently have a DSL line and a FreeBSD firewall/gateway (dual homed).  It
> > has one internal IP address and 5 external IP addresses (one "real" IP and 4
> > aliases on the same external NIC).
> >
> > What I want to do is monitor and record (to log) all incoming/outgoing
> > connections (just source IP/dest IP/port).  If someone connects to my web
> > server it should log what IP accessed it, the time, which IP (the web server
> > runs on 2 external IP addresses) and the port.  Also if someone does a port
> > scan against the box I should be able to tell it is a port scan (since one
> > IP address would be opening up a bunch of ports).
> >
> > Right now I don't care what data is being sent/received, just what
> > connections are being made (and the details about those connections).
> >
> > Any suggestions?
> >
> > Regards,
> > Jack
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> --
> Dragan Mickovic
> UNIX Systems Administrator
> NTT/Verio    x.4012
>
>


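The "Connection attempt to UDP ..." lines above are the kernel's net.inet.udp.log_in_vain messages (kern facility, which is why they land in all.log); ipfw's own entries only appear once net.inet.ip.fw.verbose=1 and go to the security facility with an "ipfw:" prefix. The script below is an added example, not code from anyone in this thread: it reduces such ipfw entries to connection tuples and flags the one-source-many-ports pattern Jack asks about. It assumes the FreeBSD 4.x ipfw log format and a rule such as `ipfw add 100 count log tcp from any to any setup`, so that only connection setups (SYNs) are logged; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes FreeBSD 4.x ipfw log
# lines of the form (rule, action, proto, src:port, dst:port, direction, interface):
#   ipfw: 100 Count TCP 10.1.1.9:40001 192.168.17.1:21 in via fxp0

# Constructed sample of /var/log/security (not real traffic):
# 10.1.1.5 makes ordinary web requests, 10.1.1.9 walks several ports.
SAMPLE_LOG='Oct 14 14:15:06 hydra /kernel: ipfw: 100 Count TCP 10.1.1.5:3344 192.168.17.1:80 in via fxp0
Oct 14 14:15:07 hydra /kernel: ipfw: 100 Count TCP 10.1.1.9:40001 192.168.17.1:21 in via fxp0
Oct 14 14:15:07 hydra /kernel: ipfw: 100 Count TCP 10.1.1.9:40002 192.168.17.1:22 in via fxp0
Oct 14 14:15:07 hydra /kernel: ipfw: 100 Count TCP 10.1.1.9:40003 192.168.17.1:23 in via fxp0
Oct 14 14:15:08 hydra /kernel: ipfw: 100 Count TCP 10.1.1.9:40004 192.168.17.1:25 in via fxp0
Oct 14 14:15:09 hydra /kernel: ipfw: 100 Count TCP 10.1.1.5:3345 192.168.17.2:80 in via fxp0
Oct 14 14:15:10 hydra /kernel: Connection attempt to UDP 192.168.17.1:161 from 192.168.17.1:1166'

# ipfw_connections: read syslog lines on stdin and emit one
# "src_ip dst_ip dst_port proto" line per ipfw entry.  Other kernel
# messages (e.g. the log_in_vain "Connection attempt" lines) are skipped.
ipfw_connections() {
  awk '{
    for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
    if (i > NF - 5) next               # no "ipfw:" field, or a truncated line
    proto = $(i + 3); src = $(i + 4); dst = $(i + 5)
    split(src, s, ":"); split(dst, d, ":")
    print s[1], d[1], d[2], proto
  }'
}

# flag_scanners THRESHOLD: read connection tuples on stdin and print
# "src_ip distinct_ports" for every source that touched at least
# THRESHOLD distinct destination ports (a crude port-scan indicator).
flag_scanners() {
  awk -v thr="${1:-10}" '{
    key = $1 SUBSEP $3
    if (!(key in seen)) { seen[key] = 1; ports[$1]++ }
  }
  END { for (ip in ports) if (ports[ip] >= thr) print ip, ports[ip] }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | ipfw_connections
printf '%s\n' "$SAMPLE_LOG" | ipfw_connections | flag_scanners 3
```

On a live box, feed it `/var/log/security` instead of the sample and tune the threshold to the host's normal traffic; a source that legitimately reaches several services will otherwise be flagged.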