FW: monitor ALL connections to ALL ports

From: Maildrop (maildrop@qwest.net)
Date: 10/14/02


Date: Mon, 14 Oct 2002 14:31:05 -0500
From: "Maildrop" <maildrop@qwest.net>
To: freebsd-security@freebsd.org


I put these rules in:

ipfw add count log all from any to any

I am getting messages in my log (/var/log/all.log) that appear like this:
Oct 14 14:15:06 hydra /kernel: Connection attempt to UDP 192.168.17.1:161
from 192.168.17.1:1166

Which is exactly what I want, but there are a couple of issues:

1) It only logs "failed" connects. If I try to `telnet localhost 55`, it
will log that, but if I do a `telnet localhost 80` (where the web server is
running) the connection is valid and it doesn't log it.

2) How do I set up syslog for this? The ipfw man page says it logs to the
LOG_SECURITY facility. I want to log all connections (failed or not) into
one file.

This is what I currently have in my syslogd.conf file (the log above I am
pulling from all.log):

security.* /var/log/security
log.security /var/log/ipfw.log

Both these files are empty :( I restarted syslogd.

Regards,
Jack

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Dragan Mickovic
> Sent: Saturday, October 12, 2002 9:41 AM
> To: Maildrop
> Cc: freebsd-security@freebsd.org
> Subject: Re: monitor ALL connections to ALL ports
>
>
> You can just put IPFilter with a default rule to pass and log. By default
> it will log src,dst,port,len .. ie:
>
> Sep 22 19:39:20 server_name ipmon[84]: 19:39:20.251359 fxp0 @0:20
> b 192.168.1.20,137 -> 192.168.1.255,137 PR udp len 20 78 IN
>
>
> micko
>
> On Sat, Oct 12, 2002 at 12:17:42AM -0500, Maildrop wrote:
> >
> > I currently have a DSL line and a FreeBSD firewall/gateway
> (dual homed). It
> > has one internal IP address and 5 external IP addresses (one
> "real" ip and 4
> > aliases on the same external nic).
> >
> > What I want to do is monitor and record (to log) all incoming/outgoing
> > connections (just source ip/dest ip/port). If someone connects to my web
> > server it should log what ip accessed it, the time, which ip (web server
> > runs on 2 external ip address) and the port. Also if someone
> does a port
> > scan against the box I should be able to tell it is a port scan
> (since one
> > ip address would be opening up a bunch of ports).
> >
> > Right now I don't care what data is being sent/received, just what
> > connections are being made (and the details about those connections).
> >
> > Any suggestions?
> >
> > Regards,
> > Jack
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> --
> Dragan Mickovic
> UNIX Systems Administrator
> NTT/Verio x.4012
>
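A small detector for the port-scan case Jack describes in the quoted message (one source address opening many ports), written as an added example that is not from this thread or from FreeBSD. It assumes ipfw's log output is enabled (sysctl net.inet.ip.fw.verbose=1) and reaches a file via syslog's security facility, that the lines follow ipfw's classic TCP/UDP log format, and the sample log lines below are constructed.

```python
import re
from collections import defaultdict

# Shape of an ipfw "log" line as written via the security facility
# (rule number, action, protocol, src:port, dst:port, direction, interface).
# Assumption: classic ipfw TCP/UDP format; ICMP lines carry no ports and are skipped.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def parse_ipfw(lines):
    """Return a list of (timestamp, src, dst, dport, proto, dir) per TCP/UDP log line."""
    events = []
    for line in lines:
        m = IPFW_RE.search(line)
        if not m:
            continue
        ts = line[:15]  # "Oct 14 14:15:06" syslog timestamp prefix
        events.append((ts, m["src"], m["dst"], int(m["dport"]), m["proto"], m["dir"]))
    return events

def find_scanners(events, min_ports=10):
    """Map each source that touched >= min_ports distinct inbound ports to those ports."""
    ports = defaultdict(set)
    for _, src, _, dport, _, direction in events:
        if direction == "in":  # only count connections arriving at the box
            ports[src].add(dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

# Constructed sample: one legitimate web client and one host sweeping ports 20-31.
SAMPLE_LOG = [
    "Oct 14 14:20:01 hydra /kernel: ipfw: 100 Count TCP 10.1.2.3:33001 192.168.17.1:80 in via fxp0",
    "Oct 14 14:20:02 hydra /kernel: ipfw: 100 Count TCP 192.168.17.1:80 10.1.2.3:33001 out via fxp0",
] + [
    f"Oct 14 14:21:{i:02d} hydra /kernel: ipfw: 100 Count TCP 10.9.9.9:{40000 + i} 192.168.17.1:{port} in via fxp0"
    for i, port in enumerate(range(20, 32))
]

if __name__ == "__main__":
    ev = parse_ipfw(SAMPLE_LOG)
    for src, p in find_scanners(ev).items():
        print(f"possible port scan from {src}: {len(p)} ports {p[0]}-{p[-1]}")
```

Run against /var/log/security (or whatever file the security.* line points at) instead of SAMPLE_LOG to get the per-source port summary over real traffic.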