From: Peter C. Lai (sirmoo_at_cowbert.2y.net)
Date: Mon Feb 24 2003 - 20:35:22 CST
One way to do this is to stop using log_in_vain, and switch to a packet filter.
There, you can selectively log for connections to everything except 53.
(i.e. in ipfw, have the deny from any to any rule logged, so that everything
that isn't allowed would get logged, which would effectively be everything
The other way would be to postprocess your syslog and strip out attempted connections
to port 53.
On Mon, Feb 24, 2003 at 09:23:56PM -0500, Alexander Anderson wrote:
> > > > > Connection attempt to UDP <our-ip>:<port-above-1024> from
> > > > > <ip-addr-in-resolv.conf>:53
> > You must have enabled log_in_vain in your rc.conf, right?
> Yes, right.
> And I want to have it enabled because I do want to log all connection
> attempts to ports that have no listening socket on them. The only exception
> is when my ISP's name servers are slow or overloaded, and when they reply,
> the local port is already closed, then I don't want to log their replies in
> To Unsubscribe: send mail to majordomoFreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
-- Peter C. Lai University of Connecticut Dept. of Molecular and Cell Biology Yale University School of Medicine SenseLab | Research Assistant http://cowbert.2y.net/
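The syslog postprocessing approach from the message above, as an added example that is not part of the original thread: it drops only the log_in_vain lines in the format quoted there (UDP, local port above 1024, source port 53) when the source address is a `nameserver` entry in resolv.conf, and keeps everything else. The function names `filter_dns_replies` and `sample_log`, the syslog prefix and the addresses are constructed for illustration; only IPv4 addresses are handled.

```shell
#!/bin/sh
# Usage: filter_dns_replies [RESOLV_CONF] < /var/log/messages
filter_dns_replies() {
    resolv_conf="${1:-/etc/resolv.conf}"
    awk -v conf="$resolv_conf" '
        BEGIN {
            # Collect the resolver addresses listed in resolv.conf.
            # If the file is unreadable the set stays empty and nothing is dropped.
            while ((getline line < conf) > 0)
                if (split(line, f) >= 2 && f[1] == "nameserver") ns[f[2]] = 1
            close(conf)
        }
        {
            tag = "Connection attempt to UDP "
            i = index($0, tag)
            # Expect "<dst-ip>:<dst-port> from <src-ip>:<src-port>" after the tag.
            if (i && split(substr($0, i + length(tag)), w) >= 3 && w[2] == "from") {
                dport = w[1]; sub(/^.*:/, "", dport)
                sport = w[3]; sub(/^.*:/, "", sport)
                saddr = w[3]; sub(/:[^:]*$/, "", saddr)
                # Late reply from a configured resolver to an ephemeral port: skip it.
                if (sport == "53" && dport + 0 > 1024 && (saddr in ns)) next
            }
            # Everything else stays in the log, including source-port-53 traffic
            # from hosts that are not configured resolvers.
            print
        }
    '
}

# Constructed sample log lines (not taken from the thread).
sample_log() {
    cat <<'EOF'
Feb 24 21:10:01 host /kernel: Connection attempt to UDP 192.0.2.10:1047 from 198.51.100.1:53
Feb 24 21:10:05 host /kernel: Connection attempt to UDP 192.0.2.10:1052 from 203.0.113.9:53
Feb 24 21:10:09 host /kernel: Connection attempt to TCP 192.0.2.10:23 from 203.0.113.9:4021
Feb 24 21:10:12 host /kernel: Connection attempt to UDP 192.0.2.10:137 from 198.51.100.1:53
EOF
}
```

With a resolv.conf listing 198.51.100.1, only the first sample line is removed; packets from an unlisted host using source port 53, and resolver packets aimed at a low port, remain visible.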