On 23 Jun 1997 13:33:22 +0200 Julio Sanchez <jsanchez@esegi.es> said:
> Dan.Johansson@commentor.se (Dan Johansson) writes:
>
> >
> > Hi,
> >
> > Does anyone know a good (and hopefully simple) way
> > to monitor unused ports on a Bastion-host.
> >
> > i.e. I would like to know if someone is trying to
> > connect to a port on the Bastion host that has
> > no daemon listening.
> >
> > I'm running FWTK 2.0 on Linux 2.0.29.
>
>
> Sorry for answering so late, I am a little bit backlogged on some
> lists, but I thought you might find this useful:
In the last kernels of the 2.1.x series there is a feature called netlink
device that gives you an interface where the kernel sends the first 128 bytes
of every packet blocked by the firewall ("IP: firewall packet netlink device").
Here is the help for that option:
------------------ 8< ----------------------------
CONFIG_IP_FIREWALL_NETLINK
If you say Y here and when packets hit your Linux firewall and are
blocked, the first 128 bytes of each such packet are passed on to
optional user space monitoring software that can then look for
attacks and take actions such as paging the administrator of the
site. To use this, you need to create a character special file under
/dev with major number 36 and minor number 3 using mknod ("man
mknod"), and you need (to write) a program that reads from that
device and takes appropriate action.
--------------------------------------------------
You just have to write a program to decode such packets (tcpdump?)
CU!
------------------------------------------------------------------------
Miguel Armas del Rio                kuko@cic.teleco.ulpgc.es
ETSI de Telecomunicaciones          http://calvo.teleco.ulpgc.es/
Universidad de Las Palmas           PGP public key available (11/1/97):
Spain                               finger kuko@calvo.teleco.ulpgc.es
------------------------------------------------------------------------
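As an added illustration of the "program that reads from that device" the help text asks for (this is not code from the thread, from FWTK or from the kernel), a reader that decodes each record as an IPv4 header plus transport header and reports blocked TCP SYNs, i.e. attempts to connect to ports on the bastion host. It assumes each read() on the device returns one record that starts at the IP header, and /dev/fwmonitor is a placeholder name for the node created with mknod (major 36, minor 3).

```c
/* Added example (not from the thread or FWTK): read records from the firewall
 * netlink device and report blocked TCP SYNs, i.e. connection attempts to
 * ports on the bastion host.  Assumes each read() returns one record starting
 * at the IPv4 header; /dev/fwmonitor is a placeholder name for the mknod node. */
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <arpa/inet.h>

struct blocked_conn {
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    unsigned proto, sport, dport;
    int is_syn;             /* SYN without ACK: a new connection attempt */
};

/* Returns 0 and fills c if the record is a parseable IPv4 header, else -1. */
int decode_blocked_packet(const unsigned char *p, size_t len, struct blocked_conn *c)
{
    if (len < 20 || (p[0] >> 4) != 4) return -1;
    size_t ihl = (p[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return -1;
    memset(c, 0, sizeof *c);
    c->proto = p[9];
    inet_ntop(AF_INET, p + 12, c->src, sizeof c->src);
    inet_ntop(AF_INET, p + 16, c->dst, sizeof c->dst);
    if ((((p[6] & 0x1f) << 8) | p[7]) != 0) return 0;  /* later fragment: no ports */
    if ((c->proto == 6 || c->proto == 17) && len >= ihl + 4) {   /* TCP or UDP */
        c->sport = (p[ihl] << 8) | p[ihl + 1];
        c->dport = (p[ihl + 2] << 8) | p[ihl + 3];
    }
    if (c->proto == 6 && len >= ihl + 14)  /* TCP flags byte is at offset 13 */
        c->is_syn = (p[ihl + 13] & 0x12) == 0x02;   /* SYN set, ACK clear */
    return 0;
}

int main(void)
{
    unsigned char buf[128];  /* the kernel passes at most 128 bytes per packet */
    struct blocked_conn c;
    int fd = open("/dev/fwmonitor", O_RDONLY);
    if (fd < 0) { perror("open"); return 1; }
    for (;;) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n <= 0) break;
        if (decode_blocked_packet(buf, (size_t)n, &c) == 0 && c.is_syn)
            printf("blocked SYN %s:%u -> %s:%u\n", c.src, c.sport, c.dst, c.dport);
    }
    return close(fd);
}
```

Only SYNs without ACK are reported, so replies to the host's own outgoing connections that happen to be blocked do not show up as scan attempts.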