Date:      Thu, 12 Feb 2004 16:43:17 +0000
From:      Jez Hancock <jez.hancock@munk.nu>
To:        Dragoncrest <dragoncrest@voyager.net>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Problem with someone port scanning me
Message-ID:  <20040212164317.GA27994@users.munk.nu>
In-Reply-To: <5.2.0.9.2.20040212110826.00a9b620@pop.voyager.net>
References:  <5.2.0.9.2.20040212110826.00a9b620@pop.voyager.net>

On Thu, Feb 12, 2004 at 11:12:53AM -0500, Dragoncrest wrote:
> For the past couple of days I've had someone on our LAN port
> scanning my box.  Not sure what's up with that, but I'm curious if there's
> a way to log what IP address this is coming from.  I don't have IPFW 
> enabled yet as I haven't had the time to configure it at this point as it's 
> currently behind the company firewall on our T3.  Is there a way to log 
> where it's coming from?  Or is that already being logged somewhere?

As a temporary measure you could always enable 'log_in_vain' via sysctl:

sysctl net.inet.tcp.log_in_vain=1
sysctl net.inet.udp.log_in_vain=1

adding:

log_in_vain="YES"

to /etc/rc.conf if you want this functionality to be enabled at boot
time.  This configures the FreeBSD kernel to log any connection attempts
made via UDP or TCP to ports that are not open (i.e. log connection
attempts made in vain).

You'd then want to make sure syslogd is configured to log the info to a
file:

kern.debug	/var/log/kern_debug.log

although this will probably dump a lot of other stuff to
/var/log/kern_debug.log as well - see syslog(8) and syslog(5)
for more info on configuring syslog - or google for:

sysctl log_in_vain syslog.conf

:P

Note also importantly - log_in_vain is a _very_ poor substitute for a
firewall for logging this kind of info.

HTH

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
http://jez.hancock-family.com/  - Another FreeBSD Diary
http://ipfwstats.sf.net/        - ipfw peruser traffic logging
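
Added example, not part of the original message: once log_in_vain output is landing in a file, this sh/awk function answers the original question by listing each source address with the number of distinct closed ports it probed. The sample lines are constructed and assume the kernel's "Connection attempt to TCP|UDP dst:port from src:port" message wording; the function names and threshold are hypothetical.

```shell
#!/bin/sh
# Added example: summarise log_in_vain kernel messages by source address.

# scan_sources [min_ports] < logfile
# Output: "source distinct_ports attempts", busiest source first, for every
# source that probed at least min_ports different closed ports (default 5).
scan_sources() {
    awk -v min="${1:-5}" '
    /Connection attempt to (TCP|UDP) / {
        for (i = 1; i <= NF; i++) if ($i == "from") break
        if (i < 4 || i >= NF) next           # malformed or truncated line
        proto = $(i - 2); dport = $(i - 1); src = $(i + 1)
        sub(/^.*:/, "", dport)               # keep only the destination port
        sub(/:[0-9]+$/, "", src)             # drop the source port
        attempts[src]++
        if (!((src, proto, dport) in seen)) {
            seen[src, proto, dport] = 1      # count each proto/port once
            ports[src]++
        }
    }
    END {
        for (s in ports)
            if (ports[s] >= min) print s, ports[s], attempts[s]
    }' | sort -k2,2nr -k1,1
}

# Constructed sample lines (documentation addresses, not real traffic).
sample_log() {
    cat <<'EOF'
Feb 12 16:40:01 box kernel: Connection attempt to TCP 192.0.2.10:21 from 192.0.2.77:4012 flags:0x02
Feb 12 16:40:01 box kernel: Connection attempt to TCP 192.0.2.10:22 from 192.0.2.77:4013 flags:0x02
Feb 12 16:40:01 box kernel: Connection attempt to TCP 192.0.2.10:23 from 192.0.2.77:4014 flags:0x02
Feb 12 16:40:02 box kernel: Connection attempt to TCP 192.0.2.10:23 from 192.0.2.77:4015 flags:0x02
Feb 12 16:40:02 box kernel: Connection attempt to TCP 192.0.2.10:25 from 192.0.2.77:4016 flags:0x02
Feb 12 16:40:02 box kernel: Connection attempt to TCP 192.0.2.10:80 from 192.0.2.77:4017 flags:0x02
Feb 12 16:40:03 box kernel: Connection attempt to UDP 192.0.2.10:137 from 192.0.2.77:137
Feb 12 16:41:10 box kernel: Connection attempt to TCP 192.0.2.10:445 from 192.0.2.20:1201 flags:0x02
Feb 12 16:41:13 box kernel: Connection attempt to TCP 192.0.2.10:445 from 192.0.2.20:1201 flags:0x02
Feb 12 16:42:00 box kernel: fxp0: link state changed to UP
EOF
}

# Demo run on the constructed sample; on a real host feed the log file instead.
sample_log | scan_sources 3
```

A single host retrying one closed port (192.0.2.20 in the sample) stays below the threshold, while a source touching many different ports in a short window stands out.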


