Date: Thu, 13 Sep 2001 01:14:37 +0300 From: Giorgos Keramidas <charon@labs.gr> To: Bill Swingle <unfurl@dub.net> Cc: hackers@freebsd.org Subject: Re: Checking changes to listening ports in /etc/security Message-ID: <20010913011436.A1792@hades.hell.gr> In-Reply-To: <20010912112324.A24009@dub.net>; from unfurl@dub.net on Wed, Sep 12, 2001 at 11:23:24AM -0700 References: <20010912205743.A64992@hades.hell.gr> <20010912112324.A24009@dub.net>
From: Bill Swingle <unfurl@dub.net>
Subject: Re: Checking changes to listening ports in /etc/security
Date: Wed, Sep 12, 2001 at 11:23:24AM -0700
> Why not use sockstat instead of netstat?
>
> -Bill
Simple. Because I had forgotten about sockstat. Probably because I've been
using netstat on linuxen, solaris, and everywhere else.
Now that I tried sockstat, I changed my /etc/security to remove netstat
and include a sockstat-using part. I tested the attached patch, and now
I have only one little fine point to refine. When the sockstat test runs,
Sendmail will open connections to comsat (if that's enabled in the local
sendmail.cf).
If I keep the included 'grep -v comsat' it will not print extra lines for
comsat connections. However, if someone else opens a udp listening socket on
the comsat port, it will not be detected by diff. On the other hand, leaving the
grep -v out might cause false alarms to be brought up in the security output.
I tend to prefer the one that includes comsat in the output[2].
The second attachment shows what the output of /etc/security looks like (with
the comsat output lines included).
I rather like the idea about sockstat. Thank you, Bill.
We now might just have a version that is good enough for a PR.
Any comments on the sockstat-using diffs, Bill (or anyone else)?
-giorgos
Attachment: patch-ab
Index: security
===================================================================
RCS file: /home/ncvs/src/etc/security,v
retrieving revision 1.55
diff -u -r1.55 security
--- security 4 Jul 2001 12:49:17 -0000 1.55
+++ security 12 Sep 2001 22:00:50 -0000
@@ -128,6 +128,28 @@
tee /dev/stderr | wc -l)
[ $n -gt 0 -a $rc -lt 1 ] && rc=1
+# Show changes in listening tcp and udp ports:
+#
+[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
+if ( sockstat -l46 | head -1 ;\
+ sockstat -l46 | grep -v comsat | grep -v '^$' |\
+ grep -v '^USER' | sort +5 ) | $cmd > $TMP ;then
+ if [ ! -f $LOG/sockstat.today ]; then
+ [ $rc -lt 1 ] && rc=1
+ separator
+ echo "No $LOG/sockstat.today"
+ cp $TMP $LOG/sockstat.today || rc=3
+ fi
+ if ! cmp $LOG/sockstat.today $TMP >/dev/null 2>&1; then
+ [ $rc -lt 1 ] && rc=1
+ separator
+ echo "$host changes in listening ports:"
+ diff -b $LOG/sockstat.today $TMP
+ mv $LOG/sockstat.today $LOG/sockstat.yesterday || rc=3
+ mv $TMP $LOG/sockstat.today || rc=3
+ fi
+fi
+
# Show denied packets
#
if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
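Review bot: the snapshot keeps the PID and FD columns (the `sort +5` line only reorders them), so the diff fires on every daemon restart and prints one line per inherited descriptor, as the attached output shows with three `tty comsat 1504 {0,1,2} udp4 *:512` lines for a single process; project those columns out before sorting, e.g. `awk '{print $1, $2, $5, $6, $7}' | sort -u`, so only USER/COMMAND/PROTO/ADDRESS changes reach the report. Two smaller points: `grep -v comsat` drops a line if "comsat" appears in any column, so a process that merely names itself comsat is hidden too, and if the filter stays it should match the command field exactly; and `sockstat -l46` is run twice only to preserve the header line, which `head -1` and `grep -v '^USER'` then cancel out, so a single invocation feeding the sort would do.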
Attachment: lala
hades.hell.gr changes in listening ports:
7a8,10
> tty comsat 1504 0 udp4 *:512 *:*
> tty comsat 1504 1 udp4 *:512 *:*
> tty comsat 1504 2 udp4 *:512 *:*
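As an added example, not part of Giorgos's patch or of FreeBSD's /etc/security, the following POSIX shell script performs the same day-to-day comparison of listening sockets, but normalises the snapshots first so that the PID and FD columns stay out of the diff: a restarted daemon or a socket held on several descriptors (the three comsat lines above) is then not reported, while a new listener on the comsat port still is. The two sample snapshots are constructed, modelled on the column layout of the attached sockstat output; `normalize_listeners` and `listener_changes` are names chosen here.

```shell
#!/bin/sh
# Added example (not the /etc/security patch from the thread): compare two
# snapshots of sockstat(1) "listening sockets" output so that only real
# changes are reported. The PID and FD columns are dropped before the
# comparison, because a restarted daemon gets a new PID and a process that
# holds its socket on several descriptors shows up once per fd, and
# neither is a change in what is listening.
#
# Assumed column layout of `sockstat -l46` (taken from the thread's output):
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

# Constructed sample snapshots standing in for $LOG/sockstat.today and a
# fresh `sockstat -l46` run; they are not real machine output.
YESTERDAY='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       123   4  tcp4   *:22                  *:*
root     sendmail   200   4  tcp4   *:25                  *:*
tty      comsat     1504  0  udp4   *:512                 *:*
tty      comsat     1504  1  udp4   *:512                 *:*
tty      comsat     1504  2  udp4   *:512                 *:*'

# Today: sshd restarted (new PID), comsat holds one fd instead of three,
# an unexpected `nc` is bound to the comsat port, and httpd appeared.
TODAY='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       987   4  tcp4   *:22                  *:*
root     sendmail   200   4  tcp4   *:25                  *:*
tty      comsat     1504  0  udp4   *:512                 *:*
nobody   nc         4242  3  udp4   *:512                 *:*
www      httpd      3001  6  tcp6   *:80                  *:*'

# normalize_listeners: stdin = raw sockstat -l output, stdout = one
# canonical "USER COMMAND PROTO LOCAL FOREIGN" line per distinct listener:
# header dropped, PID/FD dropped, duplicates collapsed, sorted for comm(1).
normalize_listeners() {
    awk '$1 != "USER" && NF >= 7 { print $1, $2, $5, $6, $7 }' | sort -u
}

# listener_changes OLD NEW: prints listeners that vanished ("- ") and
# appeared ("+ "). Returns 0 when the normalized sets are identical,
# 1 when they differ, 2 if scratch files could not be created.
listener_changes() {
    _old=$(mktemp) || return 2
    _new=$(mktemp) || { rm -f "$_old"; return 2; }
    printf '%s\n' "$1" | normalize_listeners > "$_old"
    printf '%s\n' "$2" | normalize_listeners > "$_new"
    # comm -23: lines only in OLD; comm -13: lines only in NEW.
    _gone=$(comm -23 "$_old" "$_new")
    _added=$(comm -13 "$_old" "$_new")
    rm -f "$_old" "$_new"
    if [ -z "$_gone" ] && [ -z "$_added" ]; then
        return 0
    fi
    [ -n "$_gone" ]  && printf '%s\n' "$_gone"  | sed 's/^/- /'
    [ -n "$_added" ] && printf '%s\n' "$_added" | sed 's/^/+ /'
    return 1
}

# Daily-report style usage, mirroring the shape of the /etc/security check.
if changes=$(listener_changes "$YESTERDAY" "$TODAY"); then
    echo "no changes in listening ports"
else
    echo "changes in listening ports:"
    printf '%s\n' "$changes"
fi
```

Run as-is and the report lists only the `nc` socket on udp port 512 and the new httpd listener; the sshd PID change and the two extra comsat descriptors produce nothing. In a real /etc/security the two snapshot strings would be replaced by `$LOG/sockstat.today` and the live `sockstat -l46` output, and the comsat filter from the patch becomes unnecessary because a legitimately running comsat is simply part of the baseline.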
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010913011436.A1792>
