From: Giorgos Keramidas
To: hackers@freebsd.org
Date: Wed, 12 Sep 2001 20:57:43 +0300
Subject: Checking changes to listening ports in /etc/security
Message-ID: <20010912205743.A64992@hades.hell.gr>

I've been adding an extra check in my local version of /etc/security for quite some time now. All it does is use 'netstat' to grab a list of the listening tcp and udp ports of my machine and save it to /var/log/netstat.today (and /var/log/netstat.yesterday). This way, when some service starts and listens on a new port, the next run of /etc/security will log the fact in the usual stuff sent to root by mail.

I tested this by running /etc/periodic/daily/450.security twice, and running a local IRC daemon between the two runs. The output that is added to the message root receives looks like the following:

    hades.hell.gr changes in listening ports:
    4a5,6
    > tcp4 0 0 *.6667 *.* LISTEN
    > tcp4 0 0 *.7325 *.* LISTEN
    7a10
    > udp4 0 0 *.* *.*
    10a14
    > udp4 0 0 *.7007 *.*

Does the attached patch below seem interesting to anyone else, too? Should I send-pr it, or just keep merging it with my own security checks, and leave things as they are?

-giorgos

Index: security
===================================================================
RCS file: /home/ncvs/src/etc/security,v
retrieving revision 1.55
diff -u -r1.55 security
--- security	4 Jul 2001 12:49:17 -0000	1.55
+++ security	12 Sep 2001 17:25:53 -0000
@@ -128,6 +128,26 @@ tee /dev/stderr | wc -l) [ $n -gt 0 -a $rc -lt 1 ] && rc=1 +# Show changes in listening tcp and udp ports: +# +[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat +if ( netstat -natl | grep LISTEN | sort ; echo "--"; netstat -na | grep '^udp' | sort ) | $cmd > $TMP; then + if [ ! -f $LOG/netstat.today ]; then + [ $rc -lt 1 ] && rc=1 + separator + echo "No $LOG/netstat.today" + cp $TMP $LOG/netstat.today || rc=3 + fi + if ! cmp $LOG/netstat.today $TMP >/dev/null 2>&1; then + [ $rc -lt 1 ] && rc=1 + separator + echo "$host changes in listening ports:" + diff -b $LOG/netstat.today $TMP + mv $LOG/netstat.today $LOG/netstat.yesterday || rc=3 + mv $TMP $LOG/netstat.today || rc=3 + fi +fi + # Show denied packets # if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
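Review bot: the snapshot written to $TMP keeps every netstat column, so the `cmp`/`diff -b` comparison in the second `if` reports changes that are not port changes: a listener whose Recv-Q or Send-Q happens to be non-zero when the daily run fires differs from yesterday's line although the same port is bound, and `-b` only ignores whitespace, not differing counts. The UDP half is noisier still, because `netstat -na | grep '^udp'` has no listen state to filter on and records every bound UDP socket, ephemeral client ports included; the sample report in the message already contains an entry whose local address is `*.*`, i.e. a socket with no port bound yet, which is not a service. Suggest projecting each line to protocol and local address before `sort`, e.g. `awk '{print $1, $4}'`, so the stored file and the diff describe only which local endpoints are bound. Two smaller points: the status tested by `if ( ... ) | $cmd > $TMP; then` is that of `$cmd`, and `egrep -v` exits 1 when it selects no lines, so a host whose every listener matches the ignore patterns silently skips the whole check (and leaves a stale $TMP for the ipfw check to overwrite); and the comment "Show changes in listening tcp and udp ports" should either mention that foreign address and state are recorded too, or, better, those columns should be dropped as above.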
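The check in the post stores raw netstat lines and diffs them, so queue counters and client sockets show up as "changes". As an added example (not the author's patch and not FreeBSD's /etc/security), the script below does the same comparison but first reduces each snapshot to protocol plus local address, so only newly bound or vanished endpoints are reported. The two snapshots, the function names and the host details are all constructed for illustration.

```shell
#!/bin/sh
# Added example: compare two netstat snapshots on bound local endpoints only.
# The snapshots below are constructed, not captured from a real host.

YESTERDAY='tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
udp4       0      0  *.514                  *.*
udp4       0      0  192.168.1.10.1037      10.0.0.1.53'

# Same host a day later: a daemon now listens on tcp 6667 and udp 7007,
# the SMTP socket happens to have 52 bytes queued, and the resolver is
# using a different ephemeral port for an in-flight query.
TODAY='tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.6667                 *.*                    LISTEN
tcp4      52      0  127.0.0.1.25           *.*                    LISTEN
udp4       0      0  *.514                  *.*
udp4       0      0  *.7007                 *.*
udp4       0      0  192.168.1.10.2211      10.0.0.1.53'

# Reduce netstat -na style lines (Proto Recv-Q Send-Q Local Foreign [state])
# to "proto local-address". TCP rows count only in LISTEN state. UDP has no
# listen state, so every unconnected UDP socket counts; sockets connected
# to a peer (foreign address set) are client sockets and are dropped.
listening_set() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" { print $1, $4 }
        $1 ~ /^udp/ && $5 == "*.*"     { print $1, $4 }
    ' | sort -u
}

# port_changes OLD NEW: print "+ proto local" for endpoints bound only in
# NEW and "- proto local" for endpoints bound only in OLD.
# Returns 0 when the two sets match, 1 when they differ (so a caller can
# raise its report flag the way /etc/security does with $rc).
port_changes() {
    changes=$(
        {
            printf '%s\n' "$1" | listening_set | sed 's/^/OLD /'
            printf '%s\n' "$2" | listening_set | sed 's/^/NEW /'
        } | awk '
            $1 == "OLD" { before[substr($0, 5)] = 1; next }
                        { after[substr($0, 5)] = 1 }
            END {
                for (k in before) if (!(k in after)) print "- " k
                for (k in after) if (!(k in before)) print "+ " k
            }
        ' | sort
    )
    [ -n "$changes" ] || return 0
    printf '%s\n' "$changes"
    return 1
}

# Stand-alone run: report the differences between the two constructed snapshots.
port_changes "$YESTERDAY" "$TODAY" || echo "(listening ports changed)"
```

On the constructed input the report is two lines, `+ tcp4 *.6667` and `+ udp4 *.7007`: the queued SMTP bytes and the resolver's new ephemeral port are not mistaken for new services. Feeding `listening_set` with real `netstat -na` output and storing its result instead of the raw lines gives the daily check the same property.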