Why not use sockstat instead of netstat?
-Bill
On Wed, Sep 12, 2001 at 08:57:43PM +0300, Giorgos Keramidas wrote:
>
> I've been adding an extra check in my local version of /etc/security for quite
> some time now. All it does is use 'netstat' to grab a list of the listening
> tcp and udp ports of my machine and save it to /var/log/netstat.today
> (and /var/log/netstat.yesterday). This way, when some service starts
> and listens on a new port the next run of /etc/security will log the
> fact in the usual stuff sent to root by mail. I tested this running
> /etc/periodic/daily/450.security twice, and running a local IRC daemon between
> the two runs. The output that is added to the message root receives looks
> like the following:
>
> hades.hell.gr changes in listening ports:
> 4a5,6
> > tcp4 0 0 *.6667 *.* LISTEN
> > tcp4 0 0 *.7325 *.* LISTEN
> 7a10
> > udp4 0 0 *.* *.*
> 10a14
> > udp4 0 0 *.7007 *.*
>
> Does the attached patch below seem interesting to anyone else, too?
> Should I send-pr it, or just keep merging it with my own security checks,
> and leave things as they are?
>
> -giorgos
> Index: security
> ===================================================================
> RCS file: /home/ncvs/src/etc/security,v
> retrieving revision 1.55
> diff -u -r1.55 security
> --- security 4 Jul 2001 12:49:17 -0000 1.55
> +++ security 12 Sep 2001 17:25:53 -0000
> @@ -128,6 +128,26 @@
> tee /dev/stderr | wc -l)
> [ $n -gt 0 -a $rc -lt 1 ] && rc=1
>
> +# Show changes in listening tcp and udp ports:
> +#
> +[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
> +if ( netstat -natl | grep LISTEN | sort ; echo "--"; netstat -na | grep '^udp' |
>sort ) | $cmd > $TMP; then
> + if [ ! -f $LOG/netstat.today ]; then
> + [ $rc -lt 1 ] && rc=1
> + separator
> + echo "No $LOG/netstat.today"
> + cp $TMP $LOG/netstat.today || rc=3
> + fi
> + if ! cmp $LOG/netstat.today $TMP >/dev/null 2>&1; then
> + [ $rc -lt 1 ] && rc=1
> + separator
> + echo "$host changes in listening ports:"
> + diff -b $LOG/netstat.today $TMP
> + mv $LOG/netstat.today $LOG/netstat.yesterday || rc=3
> + mv $TMP $LOG/netstat.today || rc=3
> + fi
> +fi
> +
> # Show denied packets
> #
> if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
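Review bot: The `+ mv $TMP $LOG/netstat.today || rc=3` line moves the script's temporary file away, yet the check immediately after this hunk (`if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then`) redirects into the same ${TMP} path, so that redirection now creates a brand-new file instead of reusing the existing one; `cp $TMP $LOG/netstat.today || rc=3` keeps $TMP in place for the later checks. A smaller point in the first-run branch: if `cp $TMP $LOG/netstat.today` fails, the following `cmp` also fails and `diff -b $LOG/netstat.today $TMP` runs against a file that does not exist, so the second `if` should be skipped when the initial copy did not succeed.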
--
-=| Bill Swingle - <unfurl@(dub.net|freebsd.org)>
-=| Every message PGP signed
-=| Fingerprint: C1E3 49D1 EFC9 3EE0 EA6E 6414 5200 1C95 8E09 0223
-=| Different all twisty a of in maze are you, passages little
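Bill's sockstat suggestion, carried into the same daily check as an added example (not code from this thread or from FreeBSD's /etc/security): the sockstat -46l output below is constructed, and the function names are my own. Because sockstat prints the owning user and command next to each listening socket, a port that appears overnight is reported together with the process that opened it.

```shell
#!/bin/sh
# Added example: snapshot-and-diff of listening sockets built on sockstat
# rather than netstat. Not taken from the thread or from /etc/security.

# Reduce `sockstat -46l` output to one sortable line per listening socket:
# PROTO LOCAL-ADDRESS USER COMMAND (columns 5, 6, 1 and 2 of sockstat).
normalize_sockstat() {
    awk 'NR > 1 && NF >= 6 { printf "%s %s %s %s\n", $5, $6, $1, $2 }' | sort -u
}

# Compare yesterday's normalized snapshot ($1) with today's ($2).
# Prints "+ ..." for sockets that appeared and "- ..." for sockets that
# vanished; returns 1 when anything changed, 0 when the lists match.
listen_changes() {
    changes=$(diff "$1" "$2" |
        awk '/^> / { print "+ " substr($0, 3) } /^< / { print "- " substr($0, 3) }')
    [ -n "$changes" ] || return 0
    printf '%s\n' "$changes"
    return 1
}

YESTERDAY=$(mktemp)
TODAY=$(mktemp)

# Constructed sockstat -46l output standing in for yesterday's run.
cat <<'EOF' | normalize_sockstat > "$YESTERDAY"
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   3  tcp4   *:22                  *:*
root     syslogd    431   4  udp4   *:514                 *:*
EOF

# Constructed output for today's run: an IRC daemon started in between.
cat <<'EOF' | normalize_sockstat > "$TODAY"
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   3  tcp4   *:22                  *:*
ircd     ircd       9031  5  tcp4   *:6667                *:*
root     syslogd    431   4  udp4   *:514                 *:*
EOF

if listen_changes "$YESTERDAY" "$TODAY"; then
    echo "no changes in listening sockets"
fi
```

On a real host the two `cat <<'EOF'` blocks are replaced by `sockstat -46l | normalize_sockstat`, and the rotation of today's file into yesterday's stays as in the patch.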