From owner-freebsd-questions@FreeBSD.ORG Thu Feb 12 08:43:19 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5310316A4CE
	for ; Thu, 12 Feb 2004 08:43:19 -0800 (PST)
Received: from munk.nu (mail.munk.nu [213.152.51.194])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 12C5A43D1D
	for ; Thu, 12 Feb 2004 08:43:19 -0800 (PST)
	(envelope-from munk@munk.nu)
Received: from munk by munk.nu with local (Exim 4.30; FreeBSD)
	id 1ArJvp-0007QE-Vj; Thu, 12 Feb 2004 16:43:17 +0000
Date: Thu, 12 Feb 2004 16:43:17 +0000
From: Jez Hancock
To: Dragoncrest
Message-ID: <20040212164317.GA27994@users.munk.nu>
Mail-Followup-To: Dragoncrest , freebsd-questions@FreeBSD.ORG
References: <5.2.0.9.2.20040212110826.00a9b620@pop.voyager.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5.2.0.9.2.20040212110826.00a9b620@pop.voyager.net>
User-Agent: Mutt/1.4.1i
Sender: Jez Hancock
cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Problem with someone port scanning me
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 12 Feb 2004 16:43:19 -0000

On Thu, Feb 12, 2004 at 11:12:53AM -0500, Dragoncrest wrote:
> 	For the past couple of days I've had someone on our lan port
> scanning my box.  Not sure what's up with that, but I'm curious if there's
> a way to log what IP address this is coming from.  I don't have IPFW
> enabled yet as I haven't had the time to configure it at this point as it's
> currently behind the company firewall on our T3.  Is there a way to log
> where it's coming from?  Or is that already being logged somewhere?

As a temporary measure you could always enable 'log_in_vain' via sysctl:

    sysctl net.inet.tcp.log_in_vain=1
    sysctl net.inet.udp.log_in_vain=1

adding:

    log_in_vain="YES"

to /etc/rc.conf if you want this functionality to be enabled at boot
time.  This configures the FreeBSD kernel to log any connection attempts
made via udp or tcp to ports that are not open (i.e. log connection
attempts made in vain).

You'd then want to make sure syslogd is configured to log the info to a
file:

    kern.debug        /var/log/kern_debug.log

although this will probably dump a lot of other stuff to
/var/log/kern_debug.log as well - see syslog(8) and syslog(5) for more
info on configuring syslog - or google for:

    sysctl log_in_vain syslog.conf

:P

Note also importantly - log_in_vain is a _very_ poor substitute for a
firewall for logging this kind of info.

HTH

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
http://jez.hancock-family.com/  - Another FreeBSD Diary
http://ipfwstats.sf.net/        - ipfw peruser traffic logging
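
Added example, not part of the original message: once log_in_vain is writing to /var/log/kern_debug.log, a small sh/awk filter can answer the "what IP is this coming from" question by ranking sources by how many distinct closed ports they touched. The kernel message format, the scan_sources and sample_log names and the sample lines are assumptions made for this example.

```sh
#!/bin/sh
# Added example: summarise log_in_vain messages per source address.
# Assumed kernel message format (not quoted in the original message):
#   Connection attempt to TCP 10.0.0.5:23 from 10.0.0.77:40102 flags:0x02
#   Connection attempt to UDP 10.0.0.5:137 from 10.0.0.9:137

# scan_sources [MIN_PORTS] < logfile
# Prints "source attempts distinct_ports" for every source that probed at
# least MIN_PORTS distinct closed ports (default 5), widest scan first.
scan_sources() {
    awk -v min="${1:-5}" '
    /Connection attempt to (TCP|UDP) / {
        # Find the fields by keyword so any syslog prefix is tolerated.
        for (i = 1; i <= NF; i++) if ($i == "from") break
        if (i < 2 || i >= NF) next
        dport = $(i - 1); sub(/.*:/, "", dport)    # text after last colon
        src = $(i + 1);   sub(/:[0-9]+$/, "", src) # drop the source port
        attempts[src]++
        if (!((src, dport) in seen)) { seen[src, dport] = 1; ports[src]++ }
    }
    END {
        for (s in attempts)
            if (ports[s] >= min) print s, attempts[s], ports[s]
    }' | sort -k3,3nr -k2,2nr
}

# Constructed sample log lines (hostnames and addresses are made up).
sample_log() {
    cat <<'EOF'
Feb 12 10:01:02 box /kernel: Connection attempt to TCP 10.0.0.5:21 from 10.0.0.77:40101 flags:0x02
Feb 12 10:01:02 box /kernel: Connection attempt to TCP 10.0.0.5:23 from 10.0.0.77:40102 flags:0x02
Feb 12 10:01:02 box /kernel: Connection attempt to TCP 10.0.0.5:25 from 10.0.0.77:40103 flags:0x02
Feb 12 10:01:03 box /kernel: Connection attempt to TCP 10.0.0.5:23 from 10.0.0.77:40104 flags:0x02
Feb 12 10:01:09 box /kernel: Connection attempt to UDP 10.0.0.5:137 from 10.0.0.9:137
Feb 12 10:01:19 box /kernel: Connection attempt to UDP 10.0.0.5:137 from 10.0.0.9:137
Feb 12 10:02:00 box /kernel: some unrelated kernel message
EOF
}

# Demo: one host touching three closed ports stands out from NetBIOS noise.
sample_log | scan_sources 3
```

On a live box the same function reads the file named above: scan_sources 5 < /var/log/kern_debug.log. Repeated hits on a single port (broadcast chatter, a misconfigured client) stay below the distinct-port threshold, which is why the count of ports rather than the count of attempts is used as the filter.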