First I thought: Log tcp packets that have the SYN flag set.
                 The SYN flag is only set on the very first
                 packet of a new connection from the outside.

   But you said you want to log everything that
   hits your external interface, not just new
   incoming connections.   So maybe write a filtering
   script  that listens on a socket for log file entries
   and filters them if they are the "body".  You can
   set up a listener via inetd and send the traffic to a
   shell script.  Not sure how to get the logging data
   over there, but syslogd.conf sounds like a place to
   start.  If you want to see a similar example, look at
   sh-httpd, or look at the FAQ entry I wrote for UnixWare7:

Good Luck,
matthew



=====================================================
10.7) How do I catch someone trying to port scan my Uw7 host?

The curious out there like to scan the ports of publicly available
computers. At times they are trying to attack your system, and you
can run a dummy service on an unused port that'll send root some
email if someone tries to connect to it.

   Let's call the new service we are going to create 'probe.'
   Let's have probe run on port 999, which is unused.
   Let's make a batch file that probe runs called 'etcprobe.'
   Probe will be added with an entry in /etc/services.
   Probe will be started with an entry in /etc/inet/inetd.conf.
   Etcprobe will be stored in /usr/local/bin.

       /usr/local/bin/etcprobe
  +-------------------------------------------------------------------
  | #!/bin/sh
  | # Run by inetd for every connection to port 999: mail root a list
  | # of the established connections netstat shows on that port.
  | netstat -an | grep 999 | grep ESTAB | mail -s "Probe Alert!!" root
  |

        /etc/services
  +------------------------------
  |  ...
  |  ...
  |  probe     999/tcp
  |  ...

        /etc/inet/inetd.conf
  +----------------------------------------------------------------------
  | ...
  | probe  stream  tcp  nowait  root  /usr/local/bin/etcprobe   probe
  |

Now apply the changes made to inetd.conf with the kill command. Test that
probe is working by trying to telnet to port 999. You'll get mail to root
in a few seconds.
===========================================================================
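The etcprobe handler above uses `grep 999`, which also matches port 1999, a remote port like 9990, or any address containing "999". The following is an added example (not part of matthew's FAQ or the original mail) of a tighter handler written as a shell script: it anchors on the local port column of `netstat -an` output and reports only the remote endpoints of ESTABLISHED connections to the probe port. It assumes the BSD/SVR4-style `addr.port` column layout (Linux-style `addr:port` is also handled by splitting on either separator); the netstat lines, addresses and the `PROBE_PORT` variable are constructed for the example.

```shell
#!/bin/sh
# Added example: a hardened replacement for the etcprobe body.
# Assumes netstat -an prints "proto recvq sendq local remote STATE".

PROBE_PORT="${PROBE_PORT:-999}"   # port the dummy 'probe' service is bound to

# Constructed sample of netstat -an output (addresses from documentation ranges).
# Only the first line is a real hit on port 999; the others are decoys that
# the original "grep 999" would have reported as well.
SAMPLE_NETSTAT='tcp        0      0  10.0.0.5.999          192.0.2.44.40312      ESTABLISHED
tcp        0      0  10.0.0.5.1999         198.51.100.7.51000    ESTABLISHED
tcp        0      0  10.0.0.5.22           192.0.2.99.9990       ESTABLISHED
tcp        0      0  *.999                 *.*                   LISTEN'

# probe_hits PORT
#   Reads netstat -an output on stdin and prints the remote endpoint of
#   every ESTABLISHED connection whose *local* port is exactly PORT.
probe_hits() {
    port="$1"
    awk -v p="$port" '
        $NF == "ESTABLISHED" {
            n = split($4, a, /[.:]/)     # local column: addr.port or addr:port
            if (a[n] == p) print $5      # remote column
        }'
}

# probe_alert
#   Reads netstat -an output on stdin; prints an alert body and returns 0
#   if there is at least one hit on PROBE_PORT, otherwise prints nothing
#   and returns 1 so no empty mail is sent.
probe_alert() {
    hits=$(probe_hits "$PROBE_PORT")
    [ -n "$hits" ] || return 1
    printf 'Probe Alert!! connection(s) to port %s from:\n%s\n' "$PROBE_PORT" "$hits"
}

# Demonstration on the constructed sample. As an inetd handler the last
# line would instead be:  netstat -an | probe_alert | mail -s "Probe Alert!!" root
printf '%s\n' "$SAMPLE_NETSTAT" | probe_alert
```

Because inetd starts the handler once per connection, the connection that triggered it is normally still in ESTABLISHED state when netstat runs, so the remote address in the mail is the one that touched the probe port rather than every socket that happens to contain the digits 999.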



leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html