Re: Logging unserved ports

linux-kernel@progressive-comp.com
Tue, 8 Dec 1998 23:06:34 -0500
On 1998-12-08, "David F. Newman" <buzzwang@agamemnon.ourvillage.com> wrote:

> The TIS gauntlet firewall modifies the BSDi kernel
> so that when packets are received on unserved ports the
> kernel logs a security alert via syslog. That way you
> don't have to be actively scanning the network for port
> scans and can just scan your syslog instead. I looked
> through the Linux security HOWTO and couldn't find any
> mention of this. Is this possible with the Linux kernel?

Actually I cloned this functionality in a kernel patch a while back, for
pretty much the same reason you're looking (got used to the TIS fw logging
of unserved ports, and missed it). I also added detection of bad/invalid
TCP flag combinations (such as RST+SYN, FIN+SYN, etc). It detects,
confuses, and/or defeats a number of stealth scanning or stack-
identification tools such as nmap, queso, etc. I make no claims that it's
perfect, or cleanly done (or that it works at all, for that matter ;).

Much of my "original" code is inspired by (and some lifted directly from :)
Jesse Off's ktcpd-strobemaster patch from a while ago, see:

http://www.progressive-comp.com/Lists/?l=bugtraq&m=90221104525839

...for his post about that.

My patches are against 2.0.35. Actually I have several things glommed
together - Solar Designer's secure-linux patches, and various other 2.0.35
patches I thought were important (security stuff mostly). Most all of them
are 'make config'-time options. You can find the patches, and read more
about them, at:

http://www.progressive-comp.com/~hlein/hap-linux/

Hank Leininger <hlein@progressive-comp.com>

P.S. Alan: I've thought for a while of pointing you to the above, to see
what you think. I'm sure you will find the code horrid, but I'm curious if
you like the idea. I don't see why some of the stuff - connections to
unserved ports, bad TCP flags, etc - couldn't go into the kernel if Done
Right[TM]. At least as CONFIG options and/or ip(fwadm|chains) rules.
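The two checks described in the post above (a connection attempt to a port nothing is listening on, and TCP flag combinations such as SYN+RST or SYN+FIN that never occur in a legitimate exchange) as a user-space sketch, added here for illustration; it is not code from the hap-linux patch or from ktcpd-strobemaster, and it goes slightly beyond the post by also catching the all-zero and FIN+PSH+URG probe patterns. The served-port set and the sample segments are constructed inline.

```python
import struct
from typing import Optional

# TCP flag bits as laid out in the low 6 bits of header bytes 12-13 (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_tcp_flags(flags: int) -> Optional[str]:
    """Return a label for an invalid flag combination, or None if plausible."""
    flags &= 0x3F
    if flags == 0:
        return "NULL"                      # no flags at all: never valid
    if flags & (SYN | FIN) == SYN | FIN:
        return "SYN+FIN"                   # open and close in one segment
    if flags & (SYN | RST) == SYN | RST:
        return "SYN+RST"                   # open and abort in one segment
    if flags & (FIN | PSH | URG) == FIN | PSH | URG and not flags & ACK:
        return "FIN+PSH+URG"               # FIN without ACK plus noise bits
    return None


def parse_tcp_header(segment: bytes) -> tuple[int, int, int]:
    """Extract (src_port, dst_port, flags) from a raw 20-byte TCP header."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    src, dst, _seq, _ack, offset_flags = struct.unpack("!HHIIH", segment[:14])
    return src, dst, offset_flags & 0x3F


def inspect_segment(segment: bytes, served_ports: set[int]) -> Optional[str]:
    """Return a syslog-style alert line, or None when nothing is suspicious.

    A real kernel hook would also have the source address from the IP
    header; only the TCP header is modelled here (assumption of this sketch).
    """
    src, dst, flags = parse_tcp_header(segment)
    bad = classify_tcp_flags(flags)
    if bad:
        return f"tcp: invalid flags {bad} from port {src} to port {dst}"
    # A bare SYN (no ACK) is a connection attempt; SYN+ACK is a reply.
    if flags & SYN and not flags & ACK and dst not in served_ports:
        return f"tcp: connection attempt to unserved port {dst} from port {src}"
    return None


def build_segment(src: int, dst: int, flags: int) -> bytes:
    """Constructed sample: minimal TCP header (data offset 5, window 1024)."""
    return struct.pack("!HHIIHHHH", src, dst, 1, 0, (5 << 12) | flags, 1024, 0, 0)


if __name__ == "__main__":
    served = {22, 80}                      # constructed listening set
    for seg in (build_segment(40000, 23, SYN), build_segment(40001, 22, SYN | RST)):
        print(inspect_segment(seg, served))
```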
