From owner-freebsd-hackers Wed Sep 12 15:15:25 2001
Date: Thu, 13 Sep 2001 01:14:37 +0300
From: Giorgos Keramidas
To: Bill Swingle
Cc: hackers@freebsd.org
Subject: Re: Checking changes to listening ports in /etc/security
Message-ID: <20010913011436.A1792@hades.hell.gr>
References: <20010912205743.A64992@hades.hell.gr> <20010912112324.A24009@dub.net>
In-Reply-To: <20010912112324.A24009@dub.net>; from unfurl@dub.net on Wed, Sep 12, 2001 at 11:23:24AM -0700
User-Agent: Mutt/1.2.5i
X-PGP-Fingerprint: 3A 75 52 EB F1 58 56 0D - C5 B8 21 B6 1B 5E 4A C2
X-URL: http://students.ceid.upatras.gr/~keramida/index.html
Sender: owner-freebsd-hackers@FreeBSD.ORG
From: Bill Swingle
Subject: Re: Checking changes to listening ports in /etc/security
Date: Wed, Sep 12, 2001 at 11:23:24AM -0700

> Why not use sockstat instead of netstat?
>
> -Bill

Simple. Because I had forgotten about sockstat. Probably because I've been using netstat on linuxen, solaris, and everywhere else.

Now that I tried sockstat, I changed my /etc/security to remove netstat and include a sockstat-using part. I tested the attached patch, and now I have only one little fine point to refine.

When the sockstat test runs, Sendmail will open connections to comsat (if that's enabled in the local sendmail.cf). If I keep the included 'grep -v comsat' it will not print extra lines for comsat connections. However, if someone else opens a udp listening socket on comsat port, it will not be detected by diff. On the other hand, leaving the grep -v out might cause false alarms to be brought up in security output. I tend to prefer the one that includes comsat in the output[2].

The second attachment shows what the output of /etc/security looks like (with the comsat output lines included).

I rather like the idea about sockstat. Thank you, Bill. We now might just have a version that is good enough for a PR. Any comments on the sockstat-using diffs, Bill (or anyone else)?

-giorgos

Content-Disposition: attachment; filename=patch-ab

Index: security
===================================================================
RCS file: /home/ncvs/src/etc/security,v
retrieving revision 1.55
diff -u -r1.55 security
--- security	4 Jul 2001 12:49:17 -0000	1.55
+++ security	12 Sep 2001 22:00:50 -0000
@@ -128,6 +128,28 @@ tee /dev/stderr | wc -l) [ $n -gt 0 -a $rc -lt 1 ] && rc=1 +# Show changes in listening tcp and udp ports: +# +[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat +if ( sockstat -l46 | head -1 ;\ + sockstat -l46 | grep -v comsat | grep -v '^$' |\ + grep -v '^USER' | sort +5 ) | $cmd > $TMP ;then + if [ ! -f $LOG/sockstat.today ]; then + [ $rc -lt 1 ] && rc=1 + separator + echo "No $LOG/sockstat.today" + cp $TMP $LOG/sockstat.today || rc=3 + fi + if ! cmp $LOG/sockstat.today $TMP >/dev/null 2>&1; then + [ $rc -lt 1 ] && rc=1 + separator + echo "$host changes in listening ports:" + diff -b $LOG/sockstat.today $TMP + mv $LOG/sockstat.today $LOG/sockstat.yesterday || rc=3 + mv $TMP $LOG/sockstat.today || rc=3 + fi +fi + # Show denied packets # if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then

Content-Disposition: attachment; filename=lala

hades.hell.gr changes in listening ports:
7a8,10
> tty comsat 1504 0 udp4 *:512 *:*
> tty comsat 1504 1 udp4 *:512 *:*
> tty comsat 1504 2 udp4 *:512 *:*
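Review bot: the `grep -v comsat` in the sockstat pipeline drops any line containing that string anywhere, and since the attached output shows numeric ports (`*:512`), the match is effectively on the COMMAND column: a different daemon bound to udp 512 would not contain "comsat" and would still be listed, while any process whose name happens to contain "comsat" is silently hidden. If the intent is to suppress comsat itself, make that explicit with `awk '$2 != "comsat"'` rather than a whole-line substring. Two smaller points in the same hunk: the compared lines still carry the PID and FD columns (`tty comsat 1504 0 udp4 ...`), so every daemon restart and each extra descriptor on one socket shows up as a change; printing only `$1, $2, $5, $6, $7` with awk before `sort` would leave only user, command, protocol and address differences. And `cmp` decides whether to report while `diff -b` produces the report, so a whitespace-only difference prints the "changes in listening ports" header with an empty diff; using the same comparison for both avoids that.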
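The snapshot-and-compare idea from the message above, as an added example in POSIX sh that is neither the patch nor any FreeBSD code: it takes two listings in the `sockstat -l46` column layout (both listings are constructed for this example; on a FreeBSD host the real command output would be fed in), drops the PID and FD columns so that a daemon restart or comsat's three inherited descriptors do not register as changes, and prints only the listeners that appeared or disappeared. The function names `normalize` and `report_changes` and the daemon names in the sample data are this example's own.

```shell
#!/bin/sh
# Added example: diff two sockstat -l46 style listings of listening sockets,
# ignoring PID and FD so only user/command/proto/address changes are reported.
# Both listings below are CONSTRUCTED sample data, not real sockstat output;
# on FreeBSD the current listing would come from:  today=$(sockstat -l46)
# Function names (normalize, report_changes) are this example's own.

LC_ALL=C
export LC_ALL   # fixed collation so sort and comm agree on line order

YESTERDAY_SNAPSHOT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       312   3  tcp4   *:22                  *:*
root     sendmail   401   4  tcp4   127.0.0.1:25          *:*
tty      comsat     1504  0  udp4   *:512                 *:*
tty      comsat     1504  1  udp4   *:512                 *:*
tty      comsat     1504  2  udp4   *:512                 *:*'

# Today (constructed): sshd restarted with a new PID, comsat is gone, a
# different daemon now holds udp 512, and httpd appeared on tcp 80.
TODAY_SNAPSHOT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       319   3  tcp4   *:22                  *:*
root     sendmail   401   4  tcp4   127.0.0.1:25          *:*
nobody   udpsvc     2231  3  udp4   *:512                 *:*
root     httpd      2400  5  tcp4   *:80                  *:*'

# normalize: read a listing on stdin, drop the USER header and blank lines,
# keep user, command, proto, local and foreign address (fields 1,2,5,6,7),
# then sort and de-duplicate so several FDs on one socket collapse to one line.
normalize() {
    awk '$1 != "USER" && NF >= 7 { print $1, $2, $5, $6, $7 }' | sort -u
}

# report_changes BASELINE CURRENT: print "- line" for listeners that vanished
# and "+ line" for listeners that appeared; prints nothing when identical.
report_changes() {
    old=$(mktemp) || return 1
    new=$(mktemp) || { rm -f "$old"; return 1; }
    printf '%s\n' "$1" | normalize > "$old"
    printf '%s\n' "$2" | normalize > "$new"
    comm -23 "$old" "$new" | sed 's/^/- /'   # only in the baseline
    comm -13 "$old" "$new" | sed 's/^/+ /'   # only in the current listing
    rm -f "$old" "$new"
}

# Stand-alone run: report what changed between the two constructed listings.
report_changes "$YESTERDAY_SNAPSHOT" "$TODAY_SNAPSHOT"
```

With the sample data the sshd PID change is not reported, comsat shows up once as removed rather than three times, and the new udp 512 listener is reported even though it sits on the comsat port. In a daily job the normalized current listing would be kept as the next day's baseline, exactly as the patch does with sockstat.today and sockstat.yesterday.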