From owner-freebsd-hackers Wed Sep 12 11:23:39 2001
Delivered-To: freebsd-hackers@freebsd.org
Date: Wed, 12 Sep 2001 11:23:24 -0700
From: Bill Swingle
To: Giorgos Keramidas
Cc: hackers@freebsd.org
Subject: Re: Checking changes to listening ports in /etc/security
Message-ID: <20010912112324.A24009@dub.net>
References: <20010912205743.A64992@hades.hell.gr>
In-Reply-To: <20010912205743.A64992@hades.hell.gr>; from charon@labs.gr on Wed, Sep 12, 2001 at 08:57:43PM +0300
User-Agent: Mutt/1.2.5i
X-Operating-System: FreeBSD toxic.magnesium.net 4.3-STABLE FreeBSD 4.3-STABLE

Why not use sockstat instead of netstat?

-Bill

On Wed, Sep 12, 2001 at 08:57:43PM +0300, Giorgos Keramidas wrote:
> 
> I've been adding an extra check in my local version of /etc/security for quite
> some time now. All it does is use 'netstat' to grab a list of the listening
> tcp and udp ports of my machine and save it to /var/log/netstat.today
> (and /var/log/netstat.yesterday). This way, when some service starts
> and listens on a new port the next run of /etc/security will log the
> fact in the usual stuff sent to root by mail. I tested this running
> /etc/periodic/daily/450.security twice, and running a local IRC daemon between
> the two runs. The output that is added to the message root receives looks
> like the following:
> 
> hades.hell.gr changes in listening ports:
> 4a5,6
> > tcp4       0      0  *.6667                 *.*                    LISTEN
> > tcp4       0      0  *.7325                 *.*                    LISTEN
> 7a10
> > udp4       0      0  *.*                    *.*
> 10a14
> > udp4       0      0  *.7007                 *.*
> 
> Does the attached patch below seem interesting to anyone else, too?
> Should I send-pr it, or just keep merging it with my own security checks,
> and leave things as they are?
> 
> -giorgos
> Index: security
> ===================================================================
> RCS file: /home/ncvs/src/etc/security,v
> retrieving revision 1.55
> diff -u -r1.55 security
> --- security	4 Jul 2001 12:49:17 -0000	1.55
> +++ security	12 Sep 2001 17:25:53 -0000
> @@ -128,6 +128,26 @@
>  		tee /dev/stderr | wc -l)
>  	[ $n -gt 0 -a $rc -lt 1 ] && rc=1
>  
> +# Show changes in listening tcp and udp ports:
> +#
> +[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
> +if ( netstat -natl | grep LISTEN | sort ; echo "--"; netstat -na | grep '^udp' | sort ) | $cmd > $TMP; then
> +	if [ ! -f $LOG/netstat.today ]; then
> +		[ $rc -lt 1 ] && rc=1
> +		separator
> +		echo "No $LOG/netstat.today"
> +		cp $TMP $LOG/netstat.today || rc=3
> +	fi
> +	if ! cmp $LOG/netstat.today $TMP >/dev/null 2>&1; then
> +		[ $rc -lt 1 ] && rc=1
> +		separator
> +		echo "$host changes in listening ports:"
> +		diff -b $LOG/netstat.today $TMP
> +		mv $LOG/netstat.today $LOG/netstat.yesterday || rc=3
> +		mv $TMP $LOG/netstat.today || rc=3
> +	fi
> +fi
> +
>  # Show denied packets
>  #
>  if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then

-- 
-=| Bill Swingle -
-=| Every message PGP signed
-=| Fingerprint: C1E3 49D1 EFC9 3EE0 EA6E 6414 5200 1C95 8E09 0223
-=| Different all twisty a of in maze are you, passages little
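Review bot: in the hunk's `if ( netstat ... ) | $cmd > $TMP; then`, the status being tested is that of `$cmd` (cat, or `egrep -v`), not of the two netstat invocations, so when netstat fails the check still proceeds with an empty or partial $TMP, reports every previous listener as gone, and installs that listing as the new netstat.today; and when `$ignore` happens to filter out every line, `egrep -v` exits non-zero and the whole check is skipped silently. Suggest writing the listing to $TMP first, then testing both that netstat succeeded and that $TMP is non-empty before the `cmp`. Also, netstat.yesterday is only rotated inside the changed branch, so it holds the last differing snapshot rather than yesterday's; either rotate it on every run or name it netstat.previous so the report is not misread.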