Re: Logging unserved ports

Paul Rusty Russell (Paul.Russell@rustcorp.com.au)
Wed, 09 Dec 1998 14:15:24 +1130


In message <Pine.LNX.3.96.981208114528.25358A-100000@agamemnon.ourvillage.com>
you write:
> Hi,
> The TIS gauntlet firewall modifies the BSDi kernel
> so that when packets are received on unserved ports the
> kernel logs a security alert via syslog. That way you
> don't have to be actively scanning the network for port
> scans and can just scan your syslog instead. I looked
> through the Linux security HOWTO and couldn't find any
> mention of this. Is this possible with the Linux kernel?

By using a packet filter in sync with your servers (ie. allow only
those ports which you know have servers on them, and log everything
else), but not automatically.

It's not that hard to add in: it requires mods after `no_tcp_socket:'
in tcp_v4_rcv() from linux/kernel/net/ipv4/tcp_ipv4.c (for tcp), and
udp_rcv() from linux/kernel/net/ipv4/udp.c.

Hope that helps,
Rusty.

--
 .sig lost in the mail.
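The packet-filter approach Rusty describes (permit the ports you know have servers, log everything else) produces kernel log lines that still have to be read. The following is an added example, not code from the original thread: it parses constructed netfilter-style LOG lines and reports sources that touched several distinct unserved ports, which is the "scan your syslog instead" half of the original question. The `UNSERVED:` log prefix and the exact field layout are assumptions about how the filter rule was configured.

```python
import re
from collections import defaultdict

# Constructed sample syslog (not from the original post). The filter is assumed
# to log every packet that did not match an allowed server port, with a prefix.
SAMPLE_SYSLOG = """\
Dec  9 14:15:24 gw kernel: UNSERVED: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=23
Dec  9 14:15:24 gw kernel: UNSERVED: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=79
Dec  9 14:15:25 gw kernel: UNSERVED: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=111
Dec  9 14:15:25 gw kernel: UNSERVED: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=40004 DPT=161
Dec  9 14:15:26 gw kernel: UNSERVED: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=8080
Dec  9 14:15:27 gw sshd[123]: Accepted publickey for alice from 192.0.2.50
"""

# Fields emitted by the (assumed) LOG target; only the ones we need are captured.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>TCP|UDP) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def parse_unserved(text, prefix="UNSERVED:"):
    """Yield (src, proto, dport) for every logged packet to an unserved port."""
    for line in text.splitlines():
        if prefix not in line:
            continue  # unrelated syslog traffic (sshd etc.)
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["proto"], int(m["dpt"])

def find_scanners(text, threshold=3):
    """Return {src: sorted distinct (proto, port)} for sources that probed at
    least `threshold` distinct unserved ports; one stray packet is not a scan."""
    hits = defaultdict(set)
    for src, proto, dport in parse_unserved(text):
        hits[src].add((proto, dport))
    return {src: sorted(ports) for src, ports in hits.items()
            if len(ports) >= threshold}

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_SYSLOG).items():
        print(f"{src} probed {len(ports)} unserved ports: {ports}")
```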
