Great comments. Thank you for the input on various packages available to support a poor man's intrusion detection tool. Unfortunately, I have a design task to figure out how to use TCP Wrappers to do such a thing, or find some other process without installing new packages or processes. Wietse doesn't find any problem with wrapping all services and leaving them running since tcpd doesn't actually pass any information until the handshake is complete. Also, wrappers was designed to deny all access via host.deny (or .allow if you choose) to all services listed. In the same place, logging or alerting can be enabled to pass that information to a syslog device before calling the daemon. One way to do this is to do all your blocked daemon logging in your allow and do all your deny in your host.deny file. This should support configuration changes to environments that cannot add functionality but can manipulate configurations. This may not be a scalable solution due to the concern of incorrect configurations in more than 500 host files, but can be audited.

Has anyone used the listen command to gather any connection attempts information?

Again, thanks for your comments.

Regards,
Fred Wilmot
MMS Security Engineer

-----Original Message-----
From: Mike Blomgren [mailto:mike.blomgrenat_private]
Sent: Monday, May 19, 2003 12:24 AM
To: loganalysisat_private
Cc: 'Wilmot, Fred'
Subject: RE: [logs] TCPwrappers logging without serving

> -----Original Message-----
[..]
> auditing of the system. Is there a way to use tcpwrappers to
> log all attempts to inetd.conf services without appearing as
> though these services are listening? Has anyone removed the

There is a package called IPPL - 'IP Packet Logger' by Hugo Haas and Etienne Bernard, which logs all connections to a server - regardless of listening services or not.

http://pltplp.net/ippl/

Don't know if it compiles on Solaris, but it does what you want - logs connections made to any port. Both TCP & UDP. And ICMP. Quite configurable too. But then, the logs get quite large. And some analysis is required. But that's where this list comes in handy... ;o)

~Mike

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Mon May 19 2003 - 19:38:08 PDT
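The scheme Fred describes (log the blocked daemons from hosts.allow, keep the catch-all deny in hosts.deny, then audit the files and read the syslog output), as an added example that is not part of the thread. The temp directory, the addresses, service names, helper names and sample log lines are assumptions, and the `spawn` and `deny` options need a tcpd built with PROCESS_OPTIONS.

```shell
#!/bin/sh
# Added example, not from the thread. Files go to a temp dir instead of /etc;
# the addresses, service names and log lines below are constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# hosts.allow: genuine clients first, then the services that stay wrapped
# only so attempts get recorded. Each such rule logs to syslog and then
# denies, so the daemon itself is never started. %d and %c are tcpd
# expansions (daemon name, client info) from hosts_access(5); spawn and
# deny are hosts_options(5) options and need PROCESS_OPTIONS.
cat > "$WORK/hosts.allow" <<'EOF'
sshd: 192.0.2.0/255.255.255.0
in.telnetd in.ftpd: ALL: spawn (/usr/bin/logger -p auth.warning -t tcpd "refused %d from %c") & : deny
EOF

# hosts.deny: catch-all so anything not matched above is refused.
cat > "$WORK/hosts.deny" <<'EOF'
ALL: ALL
EOF

# Audit helper for a fleet of hosts files: succeeds only if the given
# hosts.deny carries a catch-all "ALL: ALL" rule (options after it allowed).
audit_deny_all() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL([[:space:]:]|$)' "$1"
}

# Constructed syslog lines of the shape the spawn rule above produces
# (plain addresses stand in for %c client info).
SAMPLE_LOG='May 19 00:24:01 host1 tcpd: refused in.telnetd from 192.0.2.10
May 19 00:24:03 host1 tcpd: refused in.ftpd from 192.0.2.10
May 19 00:25:11 host1 tcpd: refused in.telnetd from 198.51.100.7
May 19 00:26:00 host1 sshd[1250]: Accepted publickey for fred'

# Poor man's IDS view: refused attempts per source address, busiest first.
refused_by_host() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk '/tcpd: refused/ { n[$NF]++ } END { for (h in n) print n[h], h }' |
        sort -rn
}

refused_by_host
```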