Date: Wed, 3 Mar 2004 09:27:58 -0600
From: Nathan Kinkade
To: Francisco Reyes
Cc: FreeBSD Security List
Subject: Re: How to monitoring activity on a card?
Message-ID: <20040303152758.GW13775@nkinkade.bmp.ub>
In-Reply-To: <20040303094647.J93367@zoraida.natserv.net>

On Wed, Mar 03, 2004 at 09:51:15AM +0000, Francisco Reyes wrote:
> My setup 4.9 stable with IPFW. Machine acts as gateway for two machines.
>
> What are my options on monitoring activity on my external card?
>
> This morning I noticed my DSL modem activity light is blinking non-stop.
> Looking at /var/log/ don't see anything suspicious.
>
> I feel tempted to add "log" to all my ipfw pass rules, but wonder if there
> isn't a better way.
>
> I am mostly concerned there is either some kind of attack going on or
> somehow the machine was hacked and it's running something it's not
> supposed to.

There are a lot of utilities in the ports collection that will allow you
to monitor your network activity. One small and useful one is at
net/trafshow. It's not fancy, but it is curses based and will give you a
quick idea of what is going on. Other considerations might be ntop or
ethereal.

Nathan

-- 
gpg --keyserver pgp.mit.edu --recv-keys D8527E49