Problem with someone port scanning me

Jez Hancock jez.hancock at munk.nu
Thu Feb 12 08:43:19 PST 2004


On Thu, Feb 12, 2004 at 11:12:53AM -0500, Dragoncrest wrote:
> For the past couple of days I've had someone on our lan port
> scanning my box.  Not sure what's up with that, but I'm curious if there's
> a way to log what IP address this is coming from.  I don't have IPFW 
> enabled yet as I haven't had the time to configure it at this point as it's 
> currently behind the company firewall on our T3.  Is there a way to log 
> where it's coming from?  Or is that already being logged somewhere?

As a temporary measure you could always enable 'log_in_vain' via sysctl:

sysctl net.inet.tcp.log_in_vain=1
sysctl net.inet.udp.log_in_vain=1

adding:

log_in_vain="YES"

to /etc/rc.conf if you want this functionality to be enabled at boot
time.  This configures the FreeBSD kernel to log any connection attempts
made via udp or tcp to ports that are not open (i.e. log connection
attempts made in vain).

You'd then want to make sure syslogd is configured to log the info to a
file:

kern.debug	/var/log/kern_debug.log

although this will probably dump a lot of other stuff to
/var/log/kern_debug.log as well - see syslog(8) and syslog(5)
for more info on configuring syslog - or google for:

sysctl log_in_vain syslog.conf

:P

Note also importantly - log_in_vain is a _very_ poor substitute for a
firewall for logging this kind of info.

HTH

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
http://jez.hancock-family.com/  - Another FreeBSD Diary
http://ipfwstats.sf.net/        - ipfw peruser traffic logging
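
Added example, not part of the original message: a small Python script that reads the log_in_vain entries collected in /var/log/kern_debug.log and lists the source addresses that probed many distinct closed ports, which is the pattern a port scan leaves. The message shape matched by the regular expression ("Connection attempt to TCP a.b.c.d:port from a.b.c.d:port", IPv4 only), the sample log lines and the min_ports threshold are assumptions made for this example.

```python
import re
from collections import defaultdict

# Assumed shape of a log_in_vain kernel message (IPv4 only); the syslog
# prefix in front of it is ignored because search() is used, not match().
ATTEMPT = re.compile(
    r"Connection attempt to (TCP|UDP) (\d+(?:\.\d+){3}):(\d+) "
    r"from (\d+(?:\.\d+){3}):(\d+)"
)

# Constructed sample of /var/log/kern_debug.log, not real traffic.
SAMPLE = """\
Feb 12 11:02:13 box /kernel: Connection attempt to TCP 10.0.0.5:21 from 10.0.0.77:40112 flags:0x02
Feb 12 11:02:13 box /kernel: Connection attempt to TCP 10.0.0.5:22 from 10.0.0.77:40113 flags:0x02
Feb 12 11:02:13 box /kernel: Connection attempt to TCP 10.0.0.5:23 from 10.0.0.77:40114 flags:0x02
Feb 12 11:02:14 box /kernel: Connection attempt to TCP 10.0.0.5:25 from 10.0.0.77:40115 flags:0x02
Feb 12 11:02:14 box /kernel: Connection attempt to TCP 10.0.0.5:80 from 10.0.0.77:40116 flags:0x02
Feb 12 11:02:14 box /kernel: Connection attempt to TCP 10.0.0.5:110 from 10.0.0.77:40117 flags:0x02
Feb 12 11:03:01 box /kernel: Connection attempt to UDP 10.0.0.5:137 from 10.0.0.12:137
Feb 12 11:04:01 box /kernel: Connection attempt to UDP 10.0.0.5:137 from 10.0.0.12:137
Feb 12 11:05:01 box /kernel: Connection attempt to UDP 10.0.0.5:137 from 10.0.0.12:137
Feb 12 11:05:30 box /kernel: some unrelated kernel debug message
"""

def parse_line(line):
    """Return (proto, dst_port, src_ip) for a log_in_vain line, else None."""
    m = ATTEMPT.search(line)
    if m is None:
        return None
    proto, _dst, dport, src, _sport = m.groups()
    return proto, int(dport), src

def scan_sources(lines, min_ports=5):
    """Return (src_ip, distinct_ports, attempts) for every source that tried
    at least min_ports distinct closed ports, widest sweep first."""
    ports = defaultdict(set)
    attempts = defaultdict(int)
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue  # other kern.debug noise lands in the same file
        proto, dport, src = hit
        ports[src].add((proto, dport))
        attempts[src] += 1
    rows = [(s, len(p), attempts[s]) for s, p in ports.items() if len(p) >= min_ports]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))

if __name__ == "__main__":
    for src, nports, n in scan_sources(SAMPLE.splitlines()):
        print(f"{src}: {n} attempts on {nports} distinct closed ports")
```

Counting distinct ports rather than raw attempts keeps a host that repeatedly hits one closed port (the UDP 137 lines in the sample) from being reported alongside a real sweep.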

