Date: Fri, 14 Sep 2001 11:11:10 +0800
From: Igor Podlesny <poige@morning.ru>
To: Giorgos Keramidas <charon@labs.gr>
Cc: Brian Somers <brian@freebsd-services.com>, hackers@FreeBSD.ORG
Subject: Re[2]: Checking changes to listening ports in /etc/security
Message-ID: <22226074908.20010914111110@morning.ru>
In-Reply-To: <20010914015203.A43352@hades.hell.gr>
References: <charon@labs.gr> <200109132125.f8DLP2d97096@hak.lan.Awfulhak.org> <20010914015203.A43352@hades.hell.gr>
Hello!

I've done a similar thing myself also, because I have been working with some Linux distros, where it is a usual thing (I mean detection of any listener changes), and I consider this useful. But the idea is slightly different -- my code is called every minute (cron). It then compares against the previous situation and, in case of any changes, reports about it via e-mail to root.

Actually, the code is quite raw/poor in terms of its abilities.. for e.g., reporting via syslog could also have a place. Another thing to change is using sort(1)|comm(1) instead of diff(1), because sometimes the only thing changed is the location of strings in sockstat(1)'s output... Up till now I haven't rewritten it (it works :-) and a lack of time, alas) -- here it is:

======================================================================
#!/bin/sh
# Snapshot of the listening sockets from the previous run and from now.
prevsf=/var/spool/prevsockstat
nowsf=/var/spool/nowsockstat

# First run: there is no previous snapshot yet, so write this one straight
# into the "previous" file and report nothing.
if ! [ -e "$prevsf" ]; then
    nowsf=$prevsf
fi

sockstat -f inet -an | grep LISTEN > "$nowsf"

# Report only when the two snapshots differ (diff exits non-zero on changes).
if ! diff "$nowsf" "$prevsf" >/dev/null 2>&1; then
    hostname=`hostname`
    mail -s "$hostname listeners changed!" root <<__TEXT__
Date: `date`

the difference:
----------------------X-8----------------------------------
`diff "$prevsf" "$nowsf" 2>&1`
----------------------X-8----------------------------------

the sockstat output:
`sockstat -4`
__TEXT__
    # Keep the new snapshot as the baseline for the next run.
    mv -f "$nowsf" "$prevsf"
fi
======================================================================

As you can see there are lots of places where it could be improved. :)

MYBR!

> From: Brian Somers <brian@freebsd-services.com>
> Subject: Re: Checking changes to listening ports in /etc/security
> Date: Thu, Sep 13, 2001 at 10:25:02PM +0100
>> I like this idea. I think it would be worth making it diff against
>> /dev/null when netstat.today doesn't exist, so that the first time
>> this is run on a given machine, you get to see all the ports that are
>> open.
> Done. I duplicated the code of the second if[] since I could not easily come
> up with a version that does not use some kind of shell variable weirdness
> and still work the same way. I prefer to keep this clean and easy to
> understand. The attached patch makes /dev/null the first argument of diff
> when sockstat.today does not exist.
>> [.....]
>> +[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
>> [.....]
>>
>> I think this line is bogus. In fact, it looks like the
>> $daily_status_security_noamd periodic.conf tunable is broken.
>>
>> Oops ! I'll fix it after your changes go in.
> So far, two people like the change. Since I can't help in making the change
> go in, I trust that after checking I did not break anything that I missed in
> my tests, you'll either give me a 'go ahead' to send-pr or just commit this
> yourself?
> -giorgos

--
Igor
mailto:poige@morning.ru
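The two improvements the message above lists (sort(1)|comm(1) instead of diff(1), so that a mere reordering of sockstat output does not raise a false alarm, and a syslog report next to the mail) written out as an added example. This is not the script from the post and not FreeBSD's /etc/security code; the state directory, the `sockstat -4 -l` snapshot command, the `logger` facility and the recipient are assumptions for illustration. The comparison itself is a pure function over two snapshot files, so it can be exercised with constructed input on any host.

```shell
#!/bin/sh
# Added example: detect added/removed listening sockets between two runs.
# Assumed paths and commands; only the comparison logic is host-independent.

state_dir="${STATE_DIR:-/var/db/listeners}"   # assumed location for the snapshots
prev="$state_dir/prev"
now="$state_dir/now"
recipient="${RECIPIENT:-root}"

# Snapshot command (assumption): FreeBSD sockstat(1) with -4 -l lists IPv4
# listening sockets. Any command that prints one listener per line will do.
snapshot_listeners() {
    sockstat -4 -l 2>/dev/null
}

# listener_changes PREVFILE NOWFILE
# Sorts both snapshots (comm(1) requires sorted input), then prints listeners
# that disappeared prefixed with "- " and new ones prefixed with "+ ".
# Returns 0 when the two sets are identical, 1 when anything changed.
# Because both sides are sorted and de-duplicated, a change in line order
# alone is not reported, which is the false positive diff(1) produces.
listener_changes() {
    tmp_p=$(mktemp -t listeners.XXXXXX) || return 2
    tmp_n=$(mktemp -t listeners.XXXXXX) || return 2
    sort -u "$1" > "$tmp_p"
    sort -u "$2" > "$tmp_n"
    # comm -23: lines only in the first file; comm -13: lines only in the second.
    removed=$(comm -23 "$tmp_p" "$tmp_n")
    added=$(comm -13 "$tmp_p" "$tmp_n")
    rm -f "$tmp_p" "$tmp_n"
    if [ -z "$removed" ] && [ -z "$added" ]; then
        return 0
    fi
    if [ -n "$removed" ]; then
        printf '%s\n' "$removed" | sed 's/^/- /'
    fi
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/+ /'
    fi
    return 1
}

# One cron run: take a snapshot, compare with the baseline, report, rotate.
check_listeners() {
    mkdir -p "$state_dir"
    snapshot_listeners > "$now"
    # First run on a machine: compare against an empty baseline so that every
    # currently open port shows up as "+ ..." instead of being silently accepted.
    [ -e "$prev" ] || : > "$prev"
    if report=$(listener_changes "$prev" "$now"); then
        rm -f "$now"
        return 0
    fi
    host=$(hostname)
    # Syslog gets a one-line notice; the full list goes to the mail report.
    logger -t listeners -p auth.notice "listening sockets changed on $host"
    printf 'Date: %s\n\n%s\n' "$(date)" "$report" \
        | mail -s "$host listeners changed!" "$recipient"
    mv -f "$now" "$prev"
    return 1
}

# Only take a live snapshot when invoked as "script run" (e.g. from cron).
if [ "${1:-}" = "run" ]; then
    check_listeners
fi
```

The report lines carry their own "+"/"-" markers, so a reader of the mail sees what appeared and what vanished without having to read a diff hunk; the exit status of `check_listeners` (1 on change) also lets a cron wrapper or monitoring hook react without parsing the mail.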