Re: Logging unserved ports

Andi Kleen (ak@muc.de)
Wed, 9 Dec 1998 07:02:31 +0100


In muc.lists.linux-kernel, you wrote:
>Hi,
> The TIS Gauntlet firewall modifies the BSDi kernel
>so that when packets are received on unserved ports the
>kernel logs a security alert via syslog. That way you
>don't have to be actively scanning the network for port
>scans and can just scan your syslog instead. I looked
>through the Linux security HOWTO and couldn't find any
>mention of this. Is this possible with the Linux kernel?

Sure. Just add a logging firewall rule for the unused port range(s).
But be careful, the standard firewall does no load limiting for
firewall logs, so an attacker might easily fill up your logging
disk.

-Andi
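
The following is an added example, not part of the original message: a Python generator that computes the unserved port ranges from a list of served ports and emits logging rules that all share one rate limit, which addresses the disk-filling concern raised above. It assumes the later `iptables` tool with its `limit` match and `LOG` target rather than the firewall code the 1998 message refers to; the chain name `LOG_UNSERVED`, the rate, the burst and the sample served ports are illustrative assumptions.

```python
# Added example (not from the original message). Assumes iptables with the
# "limit" match and "LOG" target; LOG_UNSERVED is a hypothetical chain name.

def unserved_ranges(served, lo=1, hi=65535):
    """Return inclusive (start, end) port ranges in [lo, hi] not in `served`."""
    ranges, start = [], lo
    for port in sorted(set(served)):
        if port < lo or port > hi:
            continue                      # ignore out-of-range entries
        if port > start:
            ranges.append((start, port - 1))
        start = port + 1
    if start <= hi:
        ranges.append((start, hi))
    return ranges

def log_rules(served, proto="tcp", rate="6/minute", burst=10,
              chain="LOG_UNSERVED", prefix="UNSERVED "):
    """Build iptables commands that log hits on unserved ports.

    Every range jumps to one shared chain, so a scan across all ranges
    draws from a single token bucket instead of one bucket per rule.
    """
    cmds = [
        f"iptables -N {chain}",
        # Packets over the limit do not match and fall through unlogged.
        f"iptables -A {chain} -m limit --limit {rate} --limit-burst {burst} "
        f'-j LOG --log-prefix "{prefix}"',
    ]
    for a, b in unserved_ranges(served):
        dport = str(a) if a == b else f"{a}:{b}"
        cmds.append(f"iptables -A INPUT -p {proto} --dport {dport} -j {chain}")
    return cmds

if __name__ == "__main__":
    # Constructed sample: a host serving only SSH and HTTP.
    for cmd in log_rules([22, 80]):
        print(cmd)
```

The limit caps how fast log lines are written, not how many packets arrive; packets beyond the limit simply go unlogged.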
