From: Peter C. Lai (sirmoo_at_cowbert.2y.net)
Date: Mon Feb 24 2003 - 20:35:22 CST


    One way to do this is to stop using log_in_vain, and switch to a packet filter.
    There, you can selectively log for connections to everything except 53.
    (i.e. in ipfw, have the deny from any to any rule logged, so that everything
    that isn't allowed would get logged, which would effectively be everything
    closed).
    The other way would be to postprocess your syslog and strip out attempted connections
    to port 53.

    On Mon, Feb 24, 2003 at 09:23:56PM -0500, Alexander Anderson wrote:
    > > > > > Connection attempt to UDP <our-ip>:<port-above-1024> from
    > > > > > <ip-addr-in-resolv.conf>:53
    > >
    > > You must have enabled log_in_vain in your rc.conf, right?
    >
    > Yes, right.
    >
    > And I want to have it enabled because I do want to log all connection
    > attempts to ports that have no listening socket on them. The only exception
    > is when my ISP's name servers are slow or overloaded, and when they reply,
    > the local port is already closed, then I don't want to log their replies in
    > vain.
    >
    > To Unsubscribe: send mail to majordomoFreeBSD.org
    > with "unsubscribe freebsd-security" in the body of the message

    -- 
    Peter C. Lai
    University of Connecticut
    Dept. of Molecular and Cell Biology
    Yale University School of Medicine
    SenseLab | Research Assistant
    http://cowbert.2y.net/
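The second option above, post-processing the syslog to strip late DNS replies, as an added example that is not part of the original post. The resolver addresses and the sample log lines are constructed; the only thing dropped is a UDP "Connection attempt" whose sender is one of the configured resolvers answering from port 53, so a port-53 source from any other host is still logged.

```shell
#!/bin/sh
# Added example: filter log_in_vain noise caused by slow resolvers whose
# replies arrive after the local UDP port has already been closed.
# Resolver addresses below are constructed sample values (assumed to be the
# nameservers listed in /etc/resolv.conf), not from the original post.
RESOLVERS="192.0.2.53 198.51.100.53"

# filter_in_vain: read syslog lines on stdin and print every line except a
# UDP connection attempt whose source is <resolver>:53 (a stale DNS answer).
# TCP attempts and UDP port-53 sources that are not our resolvers are kept.
# Note: the src parsing splits on ":", so IPv4 resolvers only.
filter_in_vain() {
    awk -v resolvers="$RESOLVERS" '
        BEGIN { n = split(resolvers, r, " "); for (i = 1; i <= n; i++) ok[r[i]] = 1 }
        # log_in_vain format:
        #   Connection attempt to UDP <dst-ip>:<dst-port> from <src-ip>:<src-port>
        /Connection attempt to UDP / {
            split($NF, p, ":")                 # $NF is "<src-ip>:<src-port>"
            if (p[2] == "53" && (p[1] in ok)) next
        }
        { print }
    '
}

# Constructed sample syslog excerpt (not real log data).
SAMPLE_LOG='Feb 24 21:20:01 host kernel: Connection attempt to UDP 203.0.113.10:3456 from 192.0.2.53:53
Feb 24 21:20:02 host kernel: Connection attempt to UDP 203.0.113.10:3457 from 192.0.2.53:1024
Feb 24 21:20:03 host kernel: Connection attempt to TCP 203.0.113.10:22 from 198.51.100.7:40000
Feb 24 21:20:04 host kernel: Connection attempt to UDP 203.0.113.10:1025 from 198.51.100.7:53
Feb 24 21:20:05 host kernel: Connection attempt to UDP 203.0.113.10:1026 from 198.51.100.53:53'

# count_kept: number of lines that survive the filter on the sample (3).
count_kept() {
    printf '%s\n' "$SAMPLE_LOG" | filter_in_vain | wc -l | tr -d ' '
}

# Typical use: tail -F /var/log/messages | filter_in_vain
```

On a live system the filter can sit between syslog and whatever reads the log (a pipe in syslog.conf or a tail pipeline), so the raw log stays complete and only the view is trimmed.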
    
