Getting dirty with ports

[meslick]

Hello:

What can I do so that I can monitor all the ports on my Fedora box that are being access/probed/used?

I would like to be able to say, hmmm, why is that ip accessing that port? Or why is that daemon/service communicating with some ip, and what is that ip?

I also don't want to run Ethereal all the time. Is that log at /var/log/messagse the best way to monitor things? There are too many messages in there, and too many odd IP stuff going on. And I hear that certain SYN commands aren't logged there.

Basically, I want to know what's going on. If tehre's a few fools snooping around my property I want to know about it so that possibly I can club them.

Teak

[giulix]

Run snort in IDS mode.

[Quella]

I could also recommend an old tool called PortSentry. It would sit and monitor your active ports, and any request to a closed port would create a firewall rule to blackhole the scanner. Only if one hits the open ports woudl you know the machine exists. I used this on many of my Internet facing machies. I was amazed how quickly the firewall rules grew.

Quella

[ssaady]

netstat -an|more
lsof|grep -i estab
lsof|grep -i listen

[meslick]

Quote:

Originally Posted by giulix

Run snort in IDS mode.

This seems cool, so I did some research and found this up to date info-bit on Red Hat: <http://www.redhat.com/magazine/013nov05/features/snort/>

This is exactly the kind of thing I was looking for. Thanks.

Perhaps there are better programs, but this seems like a good start.

Teak

[giulix]

Well, snort is pretty much standard, nowadays. The only problem is one has to tweak it to filter out false positives and, yes, it needs regular updates to be effective... check oinkmaster, too.