From owner-freebsd-net Thu Sep 23 12:58:24 1999
Delivered-To: freebsd-net@freebsd.org
Received: from pau-amma.whistle.com (pau-amma.whistle.com [207.76.205.64]) by hub.freebsd.org (Postfix) with ESMTP id C5ED415903; Thu, 23 Sep 1999 12:58:20 -0700 (PDT) (envelope-from dhw@whistle.com)
Received: (from dhw@localhost) by pau-amma.whistle.com (8.9.2/8.9.2) id MAA00728; Thu, 23 Sep 1999 12:56:30 -0700 (PDT)
Date: Thu, 23 Sep 1999 12:56:30 -0700 (PDT)
From: David Wolfskill
Message-Id: <199909231956.MAA00728@pau-amma.whistle.com>
To: cshenton@uucom.com, freebsd-net@FreeBSD.ORG
Subject: Re: Inetd -l: log *all* connection attempts (not just valid svcs)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To:
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>From: Chris Shenton
>Date: 23 Sep 1999 11:03:59 -0400

>FreeBSD-3.2 inetd has a "-l" flag which logs all attempts:
>...
>I'd like a way to log *all* network connection attempts, especially
>attempts to services which aren't defined. This would allow me to spot
>people scanning my host (where only a few services are enabled).

>Perhaps inetd isn't the right place to do this since it has no
>awareness of other services which might be running (e.g., httpd on
>port 80). Is this true? Or can inetd be bound to all unused ports to
>log attempts?

Well, once you have (say) an SMTP server listening on TCP/25, any connection attempt to TCP/25 doesn't involve inetd any more. Sure, you can avoid that issue by instantiating the server in question once for each connection, but that sounds painful to me.

>If not I suppose the logical conclusion would be to run ipfw or
>ipfil... certainly doable, but not as trivial for users to enable as
>turning on an inetd flag. Suggestions?

For what it might be worth, when I set up my NAT/firewall box at home (for the DSL connection), in addition to logging all denied packets, I also set it up to log all passed "setup" TCP requests. And yes, I did this with ipfw.
Cheers,
david
--
David Wolfskill dhw@whistle.com UNIX System Administrator
voice: (650) 577-7158 pager: (888) 347-0197 FAX: (650) 372-5915
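The reply above describes logging both denied packets and every passed TCP "setup" packet with ipfw, so that scans show up even on ports inetd never sees. The following is an added example, not code from the thread or from FreeBSD: it assumes a rule set in the style the reply describes, something like `ipfw add 100 allow log tcp from any to any setup` followed by a closing `ipfw add 65000 deny log ip from any to any`, and parses the syslog lines those `log` rules produce (`ipfw: <rule> <Action> <proto> <src:port> <dst:port> <in|out> via <iface>`). The sample log lines, rule numbers, addresses and interface name are constructed; the scan threshold `min_ports` is an arbitrary assumption. It groups inbound attempts by source and flags sources that touched many distinct ports, which is exactly what an `inetd -l` log cannot show for ports owned by other daemons or by nothing at all.

```python
import re
from collections import defaultdict

# Constructed sample syslog output from ipfw rules carrying the "log" keyword.
# Rule 100 is the assumed "allow log tcp ... setup" rule, rule 65000 the
# assumed final "deny log ip from any to any". Hosts and interface are made up.
SAMPLE_LOG = """\
Sep 23 12:58:01 gw /kernel: ipfw: 100 Accept TCP 192.0.2.10:2001 198.51.100.5:25 in via ed0
Sep 23 12:58:02 gw /kernel: ipfw: 100 Accept TCP 192.0.2.10:2002 198.51.100.5:80 in via ed0
Sep 23 12:58:02 gw /kernel: ipfw: 65000 Deny TCP 192.0.2.10:2003 198.51.100.5:23 in via ed0
Sep 23 12:58:03 gw /kernel: ipfw: 65000 Deny TCP 192.0.2.10:2004 198.51.100.5:110 in via ed0
Sep 23 12:58:03 gw /kernel: ipfw: 65000 Deny TCP 192.0.2.10:2005 198.51.100.5:143 in via ed0
Sep 23 12:58:03 gw /kernel: ipfw: 65000 Deny UDP 192.0.2.10:2006 198.51.100.5:111 in via ed0
Sep 23 12:59:10 gw /kernel: ipfw: 100 Accept TCP 203.0.113.7:40000 198.51.100.5:25 in via ed0
Sep 23 12:59:40 gw /kernel: ipfw: 100 Accept TCP 203.0.113.7:40001 198.51.100.5:25 in via ed0
"""

# Matches the TCP/UDP form of an ipfw log record; ICMP records (which carry
# "ICMP:type.code" and no ports) do not match and are skipped.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_lines(text):
    """Yield one dict per recognised ipfw log line; other lines are ignored."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("rule", "sport", "dport"):
            rec[key] = int(rec[key])
        yield rec


def inbound_attempts_by_source(text):
    """Map source address -> {(proto, dport): count} over inbound records.

    Accepted setup packets and denied packets are counted alike: a probe of a
    closed port and a connection to an open one are both evidence of interest
    in the host, which is the point of logging both rule types.
    """
    table = defaultdict(lambda: defaultdict(int))
    for rec in parse_ipfw_lines(text):
        if rec["dir"] != "in":
            continue
        table[rec["src"]][(rec["proto"], rec["dport"])] += 1
    return table


def probable_scanners(text, min_ports=4):
    """Sources that touched at least min_ports distinct (proto, port) pairs.

    min_ports is an assumed threshold; tune it to the host's normal traffic.
    """
    return sorted(
        src for src, ports in inbound_attempts_by_source(text).items()
        if len(ports) >= min_ports
    )


def denied_ports(text, src):
    """(proto, port) pairs on which a source was refused.

    These are the attempts inetd -l never logs: nothing in inetd.conf owns
    them, so only the firewall's deny rule records them.
    """
    return sorted({
        (rec["proto"], rec["dport"])
        for rec in parse_ipfw_lines(text)
        if rec["src"] == src and rec["action"] == "Deny"
    })


if __name__ == "__main__":
    for src in probable_scanners(SAMPLE_LOG):
        print(f"{src}: probable scan, refused on {denied_ports(SAMPLE_LOG, src)}")
```

Run it against a real /var/log/security (or wherever syslog.conf sends the kernel's ipfw messages) instead of `SAMPLE_LOG`; the regex deliberately ignores ICMP records so a single stray line does not abort the pass.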