From owner-freebsd-security@FreeBSD.ORG Sat Dec 11 00:02:07 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5EE2516A4CE for ; Sat, 11 Dec 2004 00:02:07 +0000 (GMT) Received: from dreadlock.phreakout.net (dreadlock.phreakout.net [12.45.16.51]) by mx1.FreeBSD.org (Postfix) with SMTP id CDDA143D5D for ; Sat, 11 Dec 2004 00:02:06 +0000 (GMT) (envelope-from ababurko@adelphia.net) Received: (qmail 22967 invoked from network); 11 Dec 2004 00:05:26 -0000 Received: from 24-52-224-96.kntnny.adelphia.net (HELO ?192.168.102.100?) (24.52.224.96) by dreadlock.phreakout.net with SMTP; 11 Dec 2004 00:05:26 -0000 Message-ID: <41BA38F7.6020409@adelphia.net> Date: Fri, 10 Dec 2004 19:01:59 -0500 From: Bob Ababurko User-Agent: Mozilla Thunderbird 0.9 (Windows/20041103) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-security@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: need some advice on connections logs X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 11 Dec 2004 00:02:07 -0000 Hello- What is the best way to deal with getting logs for someone attacking my box? I am not really sure, but I think it may involve tcpdump. Is there any way to implement this so that it can be running before an attack happens?.....see the problem is, that I do not have physical access to the box and if it is taken down(unaccessible by remote means), I cannot log in to start a dump. What can I do in this case, or what are my options, if I want to have the network connections dumped somehow with no intervention?....is that a tall order? Thanks, Bob