From owner-freebsd-net Thu Sep 23 8:16:47 1999
Delivered-To: freebsd-net@freebsd.org
Received: from charon.npc.net (charon.npc.net [199.15.61.3]) by hub.freebsd.org (Postfix) with ESMTP id 918C514E2C; Thu, 23 Sep 1999 08:16:37 -0700 (PDT) (envelope-from mjung@npc.net)
Received: from exchange.finall.com (exchange [10.0.158.37]) by charon.npc.net (8.9.3/8.8.8) with SMTP id LAA00882; Thu, 23 Sep 1999 11:14:53 -0400 (EDT) (envelope-from mjung@npc.net)
Received: by exchange.finall.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.996.62) id <01BF05B5.06A2B850@exchange.finall.com>; Thu, 23 Sep 1999 11:16:04 -0400
Message-ID:
From: "Jung, Michael"
To: "'Chris Shenton'", "'freebsd-net@FreeBSD.ORG'"
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: RE: Inetd -l: log *all* connection attempts (not just valid svcs)
Date: Thu, 23 Sep 1999 11:16:03 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.996.62
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

sysctl -w net.inet.udp.log_in_vain=1
sysctl -w net.inet.tcp.log_in_vain=1

will give you

(root@charon) /home/mikej/mount$grep Connection /var/log/debug
Sep 23 11:00:26 charon /kernel: Connection attempt to UDP 127.0.0.1:4456 from 127.0.0.1:53
Sep 23 11:00:53 charon /kernel: Connection attempt to UDP 10.0.158.10:161 from 10.0.158.28:1063
Sep 23 11:00:57 charon /kernel: Connection attempt to UDP 10.0.158.10:161 from 10.0.158.28:1063
Sep 23 11:01:58 charon /kernel: Connection attempt to UDP 10.0.158.10:161 from 10.0.158.28:1063
Sep 23 11:02:03 charon /kernel: Connection attempt to UDP 10.0.158.10:161 from 10.0.158.28:1063
Sep 23 11:03:04 charon /kernel: Connection attempt to UDP 10.0.158.10:161 from 10.0.158.28:1063
Sep 23 11:03:08 charon /kernel: Connection attempt to UDP 10.0.158.10:161 from 10.0.158.28:1063
Sep 23 11:03:20 charon /kernel: Connection attempt to UDP 127.0.0.1:137 from 127.0.0.1:4250
Sep 23 11:04:14 charon /kernel: Connection attempt to UDP 10.0.158.10:161 from 10.0.158.28:1063
Sep 23 11:04:16 charon /kernel: Connection attempt to UDP 127.0.0.1:137 from 127.0.0.1:2554
Sep 23 11:04:19 charon /kernel: Connection attempt to UDP 10.0.158.10:161 from 10.0.158.28:1063
Sep 23 11:05:19 charon /kernel: Connection attempt to UDP 10.0.158.10:161 from 10.0.158.28:1063
Sep 23 11:05:25 charon /kernel: Connection attempt to UDP 10.0.158.10:161 from 10.0.158.28:1063
Sep 23 11:06:23 charon /kernel: Connection attempt to UDP 10.0.158.10:161 from 10.0.158.28:1063
Sep 23 11:06:23 charon /kernel: Connection attempt to UDP 127.0.0.1:137 from 127.0.0.1:4561
Sep 23 11:06:27 charon /kernel: Connection attempt to UDP 10.0.158.10:161 from 10.0.158.28:1063
Sep 23 11:07:28 charon /kernel: Connection attempt to UDP 10.0.158.10:161 from 10.0.158.28:1063

--mikej

>-----Original Message-----
>From: Chris Shenton [SMTP:cshenton@uucom.com]
>Sent: Thursday, September 23, 1999 11:04 AM
>To: freebsd-net@FreeBSD.ORG
>Cc: freebsd-security@FreeBSD.ORG
>Subject: Inetd -l: log *all* connection attempts (not just valid svcs)
>
>FreeBSD-3.2 inetd has a "-l" flag which logs all attempts:
>
>     If the -l option is specified, all connection attempts are logged,
>     whether they are allowed, denied or not wrapped at all. Otherwise, only
>     denied requests will be logged.
>
>but I gather it only logs attempts for ports which inetd.conf has
>configured for services.
>
>I'd like a way to log *all* network connection attempts, especially
>attempts to services which aren't defined. This would allow me to spot
>people scanning my host (where only a few services are enabled).
>
>Perhaps inetd isn't the right place to do this since it has no
>awareness of other services which might be running (e.g., httpd on
>port 80). Is this true? Or can inetd be bound to all unused ports to
>log attempts?
>
>If not I suppose the logical conclusion would be to run ipfw or
>ipfil... certainly doable, but not as trivial for users to enable as
>turning on an inetd flag. Suggestions?
>
>Thanks.
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
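The log_in_vain lines above answer the original question (the kernel, not inetd, records attempts to unused ports), but a raw grep does not by itself show which source is scanning. The script below is an added example, not code from this thread or from FreeBSD: it parses the kernel message format shown in the grep output, groups attempts by source address, and flags sources that probe many distinct ports within the log. The first four sample lines are copied from the grep output above; the 10.0.158.99 lines and the unrelated syslog line are constructed, the TCP message format is assumed to match the UDP one, and the threshold of five distinct ports is an arbitrary choice for the example.

```python
import re
from collections import defaultdict

# FreeBSD log_in_vain kernel message, e.g.
# "Sep 23 11:00:53 charon /kernel: Connection attempt to UDP 10.0.158.10:161 from 10.0.158.28:1063"
# The UDP format is taken from the thread; the TCP variant is assumed to be identical.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) /kernel: "
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)$"
)

# Constructed sample input: four lines from the thread plus a constructed
# burst from 10.0.158.99 and one unrelated syslog line that must be ignored.
SAMPLE_LINES = [
    "Sep 23 11:00:26 charon /kernel: Connection attempt to UDP 127.0.0.1:4456 from 127.0.0.1:53",
    "Sep 23 11:00:53 charon /kernel: Connection attempt to UDP 10.0.158.10:161 from 10.0.158.28:1063",
    "Sep 23 11:00:57 charon /kernel: Connection attempt to UDP 10.0.158.10:161 from 10.0.158.28:1063",
    "Sep 23 11:03:20 charon /kernel: Connection attempt to UDP 127.0.0.1:137 from 127.0.0.1:4250",
    "Sep 23 11:09:01 charon /kernel: Connection attempt to TCP 10.0.158.10:21 from 10.0.158.99:40001",
    "Sep 23 11:09:01 charon /kernel: Connection attempt to TCP 10.0.158.10:22 from 10.0.158.99:40002",
    "Sep 23 11:09:02 charon /kernel: Connection attempt to TCP 10.0.158.10:23 from 10.0.158.99:40003",
    "Sep 23 11:09:02 charon /kernel: Connection attempt to TCP 10.0.158.10:25 from 10.0.158.99:40004",
    "Sep 23 11:09:03 charon /kernel: Connection attempt to TCP 10.0.158.10:80 from 10.0.158.99:40005",
    "Sep 23 11:09:03 charon /kernel: Connection attempt to TCP 10.0.158.10:110 from 10.0.158.99:40006",
    "Sep 23 11:09:05 charon sendmail[123]: starting daemon (constructed noise line)",
]


def parse_line(line):
    """Return the fields of one log_in_vain line, or None for any other syslog line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["sport"] = int(rec["sport"])
    return rec


def summarize(lines, scan_threshold=5):
    """Group attempts by source address and flag sources touching many distinct ports.

    Returns {src: {"count", "ports" (sorted (proto, dport) pairs), "first", "last", "scan"}}.
    A source is flagged as a probable scan when it hits at least scan_threshold
    distinct (protocol, port) pairs; the threshold is an assumption of this example.
    """
    per_src = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # lines from other subsystems are skipped, not treated as errors
        s = per_src[rec["src"]]
        s["count"] += 1
        s["ports"].add((rec["proto"], rec["dport"]))
        if s["first"] is None:
            s["first"] = rec["ts"]
        s["last"] = rec["ts"]
    summary = {}
    for src, s in per_src.items():
        ports = sorted(s["ports"])
        summary[src] = {
            "count": s["count"],
            "ports": ports,
            "first": s["first"],
            "last": s["last"],
            "scan": len(ports) >= scan_threshold,
        }
    return summary


def scanners(summary):
    """Return the flagged source addresses, sorted, for a quick daily report."""
    return sorted(src for src, s in summary.items() if s["scan"])


if __name__ == "__main__":
    # Typical use: summarize(open("/var/log/debug")) on the file the thread greps.
    result = summarize(SAMPLE_LINES)
    for src, s in sorted(result.items()):
        flag = "SCAN" if s["scan"] else "    "
        print(f"{flag} {src:<15} {s['count']:>3} attempts, {len(s['ports'])} ports, "
              f"{s['first']} .. {s['last']}")
```

The repeated 10.0.158.28 -> 10.0.158.10:161 lines in the thread are a single SNMP poller hitting one closed port, which this summary correctly leaves unflagged; the same lines would look alarming in a raw count of attempts.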