Date:      Wed, 12 Sep 2001 11:23:24 -0700
From:      Bill Swingle <unfurl@dub.net>
To:        Giorgos Keramidas <charon@labs.gr>
Cc:        hackers@freebsd.org
Subject:   Re: Checking changes to listening ports in /etc/security
Message-ID:  <20010912112324.A24009@dub.net>
In-Reply-To: <20010912205743.A64992@hades.hell.gr>; from charon@labs.gr on Wed, Sep 12, 2001 at 08:57:43PM +0300
References:  <20010912205743.A64992@hades.hell.gr>


Why not use sockstat instead of netstat?

-Bill

On Wed, Sep 12, 2001 at 08:57:43PM +0300, Giorgos Keramidas wrote:
>
> I've been adding an extra check in my local version of /etc/security for quite
> some time now.  All it does is use 'netstat' to grab a list of the listening
> tcp and udp ports of my machine and save it to /var/log/netstat.today
> (and /var/log/netstat.yesterday).  This way, when some service starts
> and listens on a new port the next run of /etc/security will log the
> fact in the usual stuff sent to root by mail.  I tested this running
> /etc/periodic/daily/450.security twice, and running a local IRC daemon between
> the two runs.  The output that is added to the message root receives looks
> like the following:
>
>     hades.hell.gr changes in listening ports:
>     4a5,6
>     > tcp4       0      0  *.6667                 *.*                    LISTEN
>     > tcp4       0      0  *.7325                 *.*                    LISTEN
>     7a10
>     > udp4       0      0  *.*                    *.*
>     10a14
>     > udp4       0      0  *.7007                 *.*
>
> Does the attached patch below seem interesting to anyone else, too?
> Should I send-pr it, or just keep merging it with my own security checks,
> and leave things as they are?
>
> -giorgos

> Index: security
> ===================================================================
> RCS file: /home/ncvs/src/etc/security,v
> retrieving revision 1.55
> diff -u -r1.55 security
> --- security	4 Jul 2001 12:49:17 -0000	1.55
> +++ security	12 Sep 2001 17:25:53 -0000
> @@ -128,6 +128,26 @@
>      tee /dev/stderr | wc -l)
>  [ $n -gt 0 -a $rc -lt 1 ] && rc=3D1
> =20
> +# Show changes in listening tcp and udp ports:
> +#
> +[ -n "$ignore" ] && cmd=3D"egrep -v ${ignore#|}" || cmd=3Dcat
> +if ( netstat -natl | grep LISTEN | sort ; echo "--"; netstat -na | grep =
'^udp' | sort ) | $cmd > $TMP; then
> +	if [ ! -f $LOG/netstat.today ]; then
> +		[ $rc -lt 1 ] && rc=3D1
> +		separator
> +		echo "No $LOG/netstat.today"
> +		cp $TMP $LOG/netstat.today || rc=3D3
> +	fi
> +	if ! cmp $LOG/netstat.today $TMP >/dev/null 2>&1; then
> +		[ $rc -lt 1 ] && rc=3D1
> +		separator
> +		echo "$host changes in listening ports:"
> +		diff -b $LOG/netstat.today $TMP
> +		mv $LOG/netstat.today $LOG/netstat.yesterday || rc=3D3
> +		mv $TMP $LOG/netstat.today || rc=3D3
> +	fi
> +fi
> +
>  # Show denied packets
>  #
>  if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
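Review bot: the `if ( netstat ... ) | $cmd > $TMP` condition only tests the exit status of `$cmd` (`cat` or `egrep -v`), so a netstat failure inside the subshell is masked and an empty listing would be recorded as the new baseline and reported as every port having closed; check that the snapshot is non-empty (or check netstat's own status) before the `cmp`. Also, `netstat.today` is moved to `netstat.yesterday` only when a change is detected, so that file holds the last snapshot that differed rather than yesterday's listing; either rotate on every run or name it accordingly. Lastly, `$ignore` (used as `${ignore#|}`) is set outside this hunk; if it is built for one of the earlier checks, those patterns will also be applied to the port listing.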


-- 
-=| Bill Swingle - <unfurl@(dub.net|freebsd.org)>
-=| Every message PGP signed
-=| Fingerprint: C1E3 49D1 EFC9 3EE0 EA6E  6414 5200 1C95 8E09 0223
-=| Different all twisty a of in maze are you, passages little
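The check Giorgos describes, as an added example written for this page (it is neither the quoted patch nor FreeBSD's /etc/security); it assumes netstat-style input in the format shown in his message, constructs its own sample listings, and adds the two things a reviewer would ask for: an empty or failed listing is never recorded as a baseline, and the previous snapshot is rotated on every run.

```shell
#!/bin/sh
# Added example, not the quoted patch and not FreeBSD's /etc/security: the
# same snapshot-and-diff check, failing closed on an empty or failed listing.
# Reduce netstat-style lines (the format quoted in the thread) to
# "proto local-address", so column spacing and ordering cannot cause
# spurious diffs. tcp sockets count only in LISTEN state; udp always.
normalise_listing() {
    awk '($1 ~ /^tcp/ && $6 == "LISTEN") || $1 ~ /^udp/ { print $1, $4 }' | sort -u
}

# port_check LOGDIR LISTING_FILE
# Exit status: 0 unchanged, 1 changed (diff printed), 2 listing unusable,
# 3 first run (baseline recorded).
port_check() {
    today=$1/ports.today; yesterday=$1/ports.yesterday; tmp=$1/ports.tmp
    normalise_listing < "$2" > "$tmp" || { rm -f "$tmp"; return 2; }
    # Fail closed: an empty listing means the collector failed, not that
    # every port closed, so it must not become the new baseline.
    [ -s "$tmp" ] || { rm -f "$tmp"; return 2; }
    if [ ! -f "$today" ]; then
        mv "$tmp" "$today"; return 3
    fi
    status=0
    if ! cmp -s "$today" "$tmp"; then
        echo "changes in listening ports:"
        diff "$today" "$tmp"
        status=1
    fi
    mv "$today" "$yesterday" && mv "$tmp" "$today"
    return $status
}

# Constructed sample listings (not real captures): a baseline, the same host
# after an IRC daemon started (plus an ESTABLISHED line that must be ignored),
# and an empty listing standing in for a failed netstat.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'tcp4 0 0 *.22 *.* LISTEN' 'tcp4 0 0 *.25 *.* LISTEN' \
        'udp4 0 0 *.514 *.*' > "$d/day1"
    printf '%s\n' 'tcp4 0 0 *.22 *.* LISTEN' 'tcp4 0 0 *.25 *.* LISTEN' \
        'tcp4 0 0 10.0.0.5.22 10.0.0.9.40112 ESTABLISHED' \
        'tcp4 0 0 *.6667 *.* LISTEN' 'udp4 0 0 *.514 *.*' \
        'udp4 0 0 *.7007 *.*' > "$d/day2"
    : > "$d/day3"
    for day in day1 day2 day3; do
        port_check "$d" "$d/$day" || echo "$day: status $?"
    done
    rm -rf "$d"
}
demo
```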


