From owner-freebsd-net Thu Sep 23 8: 5:32 1999
Delivered-To: freebsd-net@freebsd.org
Received: from Samizdat.uucom.com (samizdat.uucom.com [198.202.217.54]) by hub.freebsd.org (Postfix) with ESMTP id B3ECE14F33; Thu, 23 Sep 1999 08:05:28 -0700 (PDT) (envelope-from cshenton@uucom.com)
Received: (from cshenton@localhost) by Samizdat.uucom.com (8.9.3/8.9.3) id LAA28407; Thu, 23 Sep 1999 11:03:59 -0400 (EDT)
To: freebsd-net@FreeBSD.ORG
Cc: freebsd-security@FreeBSD.ORG
Subject: Inetd -l: log *all* connection attempts (not just valid svcs)
User-Agent: SEMI/1.13.3 (Komaiko) FLIM/1.12.5 (Hirahata) Emacs/20.3 (i386-pc-solaris2.7) MULE/4.0 (HANANOEN)
MIME-Version: 1.0 (generated by SEMI 1.13.3 - "Komaiko")
Content-Type: text/plain; charset=US-ASCII
From: Chris Shenton
Date: 23 Sep 1999 11:03:59 -0400
In-Reply-To: Pierre Beyssac's message of "Thu, 23 Sep 1999 10:51:31 +0200"
Message-ID:
Lines: 23
X-Mailer: Gnus v5.6.45/Emacs 20.3
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

FreeBSD-3.2 inetd has a "-l" flag which logs all attempts:

    If the -l option is specified, all connection attempts are logged,
    whether they are allowed, denied or not wrapped at all. Otherwise,
    only denied requests will be logged.

but I gather it only logs attempts for ports which inetd.conf has
configured for services.

I'd like a way to log *all* network connection attempts, especially
attempts to services which aren't defined. This would allow me to spot
people scanning my host (where only a few services are enabled).

Perhaps inetd isn't the right place to do this since it has no
awareness of other services which might be running (e.g., httpd on
port 80). Is this true? Or can inetd be bound to all unused ports to
log attempts?

If not I suppose the logical conclusion would be to run ipfw or
ipfil... certainly doable, but not as trivial for users to enable as
turning on an inetd flag.

Suggestions? Thanks.
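Added example, not part of the original message and not inetd code: a sketch of the "bind to the unused ports and log attempts" idea asked about above, with a check that flags a source touching several distinct ports. The class and function names, the port list, the threshold and the window are all assumptions made for illustration.

```python
import selectors
import socket
import time
from collections import defaultdict


class ScanDetector:
    """Flags a source that touches `threshold` distinct ports within `window` seconds."""

    def __init__(self, threshold=3, window=60.0):
        self.threshold = threshold
        self.window = window
        self.seen = defaultdict(dict)  # source IP -> {port: last time seen}

    def record(self, src, port, now):
        ports = self.seen[src]
        ports[port] = now
        # Forget ports this source last touched outside the window.
        for stale in [p for p, t in ports.items() if now - t > self.window]:
            del ports[stale]
        return len(ports) >= self.threshold


def open_listeners(ports, host="0.0.0.0"):
    """Bind a listening socket to each port that has no real service on it."""
    sel = selectors.DefaultSelector()
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        s.listen(16)
        s.setblocking(False)
        sel.register(s, selectors.EVENT_READ)
    return sel


def poll_once(sel, detector, log, timeout=1.0):
    """Accept pending connections, log each attempt, and close it at once."""
    alerts = []
    for key, _ in sel.select(timeout):
        conn, (src, sport) = key.fileobj.accept()
        conn.close()
        dport = key.fileobj.getsockname()[1]
        log(f"connection attempt from {src}:{sport} to port {dport}")
        if detector.record(src, dport, time.time()):
            alerts.append(src)
    return alerts


if __name__ == "__main__":
    # Constructed port list: ports with no service configured on this host.
    sel = open_listeners([2323, 8081, 9999])
    det = ScanDetector()
    while True:
        for src in poll_once(sel, det, print):
            print(f"possible scan from {src}")
```

A listener like this only sees completed TCP handshakes and makes the watched ports look open to the remote side. Logging at the packet filter, as the message suggests with ipfw, records the attempt without accepting it.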