Date: Thu, 13 Sep 2001 22:25:02 +0100
From: Brian Somers <brian@freebsd-services.com>
To: Giorgos Keramidas <charon@labs.gr>
Cc: hackers@FreeBSD.ORG, brian@freebsd-services.com
Subject: Re: Checking changes to listening ports in /etc/security
Message-ID: <200109132125.f8DLP2d97096@hak.lan.Awfulhak.org>
In-Reply-To: Message from Giorgos Keramidas <charon@labs.gr> of "Wed, 12 Sep 2001 20:57:43 +0300." <20010912205743.A64992@hades.hell.gr>

> I've been adding an extra check in my local version of /etc/security for quite
> some time now. All it does is use 'netstat' to grab a list of the listening
> tcp and udp ports of my machine and save it to /var/log/netstat.today
> (and /var/log/netstat.yesterday). This way, when some service starts
> and listens on a new port the next run of /etc/security will log the
> fact in the usual stuff sent to root by mail. I tested this running
> /etc/periodic/daily/450.security twice, and running a local IRC daemon between
> the two runs. The output that is added to the message root receives looks
> like the following:
[.....]
I like this idea. I think it would be worth making it diff against
/dev/null when netstat.today doesn't exist, so that the first time
this is run on a given machine, you get to see all the ports that are
open.
[.....]
+[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
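Review bot: the egrep pattern on this line is stored inside the cmd string with no quoting of its own (cmd="egrep -v ${ignore#|}"), so if cmd is later run through a plain $cmd expansion, any whitespace or glob characters in $ignore are split or expanded before egrep sees them. An explicit if/else that runs egrep -v "${ignore#|}" directly and otherwise falls back to cat would avoid that and would not depend on the A && B || C idiom. A one-line comment saying that ${ignore#|} strips a leading '|' from the pattern would also help the next reader.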
[.....]
I think this line is bogus. In fact, it looks like the
$daily_status_security_noamd periodic.conf tunable is broken.
Oops ! I'll fix it after your changes go in.
--
Brian <brian@freebsd-services.com> <brian@Awfulhak.org>
http://www.freebsd-services.com/ <brian@[uk.]FreeBSD.org>
Don't _EVER_ lose your sense of humour ! <brian@[uk.]OpenBSD.org>
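
The check discussed in this message, including the suggested diff against /dev/null on the first run, written out as an added example (not the patch from this thread and not FreeBSD's own code). The file names netstat.today and netstat.yesterday come from the thread; the function names, the log directory argument and the simplified sample lines are assumptions, and in a real script the list on stdin would come from netstat.

```sh
#!/bin/sh
# Added example (not the patch from this thread): report changes in the set
# of listening ports between runs. netstat.today / netstat.yesterday follow
# the thread; port_changes, demo and the log directory argument are assumed.

# port_changes LOGDIR   (current listening-socket list on stdin)
# Prints a diff against the previous run. On the first run the baseline is
# /dev/null, so every open port is reported.
# Returns 0 = unchanged, 1 = changed, 2 = error.
port_changes() {
    logdir=$1
    today="$logdir/netstat.today"
    yesterday="$logdir/netstat.yesterday"

    # Scratch file lives in LOGDIR (not /tmp) so the final mv is a rename.
    tmp=$(mktemp "$logdir/netstat.XXXXXX") || return 2

    # Sort so that a mere reordering of the tool's output is not reported.
    sort -u > "$tmp" || { rm -f "$tmp"; return 2; }

    # First run on this machine: no saved list yet, compare with /dev/null.
    if [ -f "$today" ]; then baseline=$today; else baseline=/dev/null; fi

    # Written as an AND-OR list so that it also works under 'set -e'.
    diff "$baseline" "$tmp" && rc=0 || rc=$?
    if [ "$rc" -gt 1 ]; then rm -f "$tmp"; return 2; fi

    # Rotate only after a successful comparison.
    if [ -f "$today" ]; then mv -f "$today" "$yesterday" || return 2; fi
    mv -f "$tmp" "$today" || return 2
    return "$rc"
}

# Constructed demo with simplified sample lines (not real netstat output):
# a daemon starts listening on port 6667 between the second and third run.
demo() {
    d=$(mktemp -d) || return 2
    echo "first run:";  printf 'tcp4 *.22 LISTEN\n' | port_changes "$d" || true
    echo "second run:"; printf 'tcp4 *.22 LISTEN\n' | port_changes "$d" || true
    echo "third run:"
    printf 'tcp4 *.22 LISTEN\ntcp4 *.6667 LISTEN\n' | port_changes "$d" || true
    rm -rf "$d"
}
demo
```

The non-zero return on a change lets a caller decide whether to print a section header before the diff in the daily mail.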
