Date: Tue, 25 May 1999 12:13:26 +1000 (EST)
From: Warren Toomey <wkt@henry.cs.adfa.edu.au>
To: freebsd-security@FreeBSD.ORG
Subject: TCP connect data logger
Message-ID: <199905250213.MAA02815@henry.cs.adfa.edu.au>
This is strictly off-topic for FreeBSD, but anyway ...

A few people desired to know why someone was attacking port X on their box. Ages ago, I wrote a small program, tcpsuck, that is run from inetd. Tcpsuck sits on a port and logs the data coming in. It stops after a pre-defined timeout, or when the remote end breaks the connection. This can help you to determine what they are looking for. It also slows TCP port strobe attacks, too :-)

Here is where I use it on my system:

bootserver stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
cisco-tna  stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
exec       stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
cmd        stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
nicname    stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
pop2       stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
pop3       stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
imap2      stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
supdup     stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
systat     stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
tcpmux     stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
login      stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
shell      stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck

I also wrote a udpsuck program for UDP ports, but current FreeBSD versions have UDP packet logging built-in.

Anybody interested in tcpsuck?

	Warren