Re: Logging unserved ports

Glynn Clements (glynn@sensei.co.uk)
Tue, 8 Dec 1998 23:40:49 +0000 (GMT)


David F. Newman wrote:

> The TIS gauntlet firewall modifies the BSDi kernel
> so that when packets are received on unserved ports the
> kernel logs a security alert via syslog. That way you
> don't have to be actively scanning the network for port
> scans and can just scan your syslog instead. I looked
> through the Linux security HOWTO and couldn't find any
> mention of this. Is this possible with the Linux kernel?

You can use ipfwadm/ipchains to tell the kernel that all packets which
match a particular rule are to be logged (this requires that the
kernel was compiled with CONFIG_IP_FIREWALL, and for 2.0.*,
CONFIG_IP_FIREWALL_VERBOSE also).

-- 
Glynn Clements <glynn@sensei.co.uk>
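
The reply above covers getting the kernel to log matching packets; the following added example (not part of the original message) shows the "scan your syslog instead" half for ipchains. It assumes the ipchains "Packet log:" line layout described in the ipchains documentation; the sample lines, addresses, host name `gw`, function names and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed layout: "Packet log: <chain> <action> <iface> PROTO=<n> <src>:<port> <dst>:<port> ..."
# (ipchains only; ipfwadm on 2.0 kernels logs in a different format).
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample syslog excerpt (documentation address ranges).
SAMPLE_SYSLOG = """\
Dec  8 23:41:02 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.7:40001 198.51.100.5:21 L=44 S=0x00 I=4711 F=0x0000 T=52
Dec  8 23:41:02 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.7:40002 198.51.100.5:23 L=44 S=0x00 I=4712 F=0x0000 T=52
Dec  8 23:41:02 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.7:40003 198.51.100.5:25 L=44 S=0x00 I=4713 F=0x0000 T=52
Dec  8 23:41:03 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.7:40004 198.51.100.5:79 L=44 S=0x00 I=4714 F=0x0000 T=52
Dec  8 23:41:03 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.7:40005 198.51.100.5:111 L=44 S=0x00 I=4715 F=0x0000 T=52
Dec  8 23:41:05 gw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.99:137 198.51.100.5:137 L=78 S=0x00 I=900 F=0x0000 T=110
Dec  8 23:41:06 gw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.99:137 198.51.100.5:137 L=78 S=0x00 I=901 F=0x0000 T=110
Dec  8 23:41:08 gw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.99:137 198.51.100.5:137 L=78 S=0x00 I=902 F=0x0000 T=110
Dec  8 23:41:09 gw kernel: Packet log: input DENY eth0 PROTO=1 192.0.2.50:8 198.51.100.5:0 L=84 S=0x00 I=77 F=0x0000 T=60
Dec  8 23:41:10 gw syslogd 1.3-3: restart.
"""

def parse_line(line):
    """Return the fields of one ipchains log line as a dict, or None for other lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def find_scanners(lines, threshold=4):
    """Map each source IP to its distinct (proto, dport) pairs when it hit >= threshold of them."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        # Only TCP (6) and UDP (17) carry ports; for ICMP the fields hold type and code.
        if rec is None or rec["proto"] not in (6, 17):
            continue
        seen[rec["src"]].add((rec["proto"], rec["dport"]))
    return {src: sorted(p) for src, p in seen.items() if len(p) >= threshold}

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_SYSLOG.splitlines()).items():
        print(src, "probed", ports)
```

Counting distinct destination ports rather than raw log lines keeps a host that repeats one packet (the UDP 137 traffic in the sample) from being reported as a scan.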
