How to log as much as possible about connections to your computer
Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
How can one log as much as possible about people looking at one's computer? E.g. people doing port scans, or people looking at a web site set up on a home computer?
To do "as much as possible" you could run tcpdump / wireshark to capture all packets on all interfaces.
You can of course do less than that (e.g. specify which interface and/or which port and/or which protocol and/or whether it is inbound or outbound packets).
Type "man tcpdump" to get a good idea of what this does.
As you might imagine, tracking ALL packets all the time is going to generate a lot of data. Usually you only want to do this for debugging purposes (e.g. you suspect something bad is happening now and want to find out who is hitting you).
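An added example, not from the post above: a small Python pass over tcpdump's text output that keeps only inbound connection attempts (pure SYNs addressed to your own IP), counts them per source, and flags a source that probes many distinct ports. It assumes the line format printed by `tcpdump -nn ... tcp`, a constructed sample capture, and a hypothetical five-port threshold.

```python
import re
from collections import defaultdict
# Assumed input format: lines as printed by "tcpdump -nn -i <iface> tcp", for example
# 12:00:01.000001 IP 203.0.113.5.40001 > 192.0.2.10.22: Flags [S], seq 1, win 64240, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Parse one TCP line; return None for anything else (UDP, ARP, ICMP...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def is_inbound_syn(rec, my_ip):
    """A connection attempt at us: SYN set, ACK ('.') clear, addressed to my_ip."""
    return rec["dst"] == my_ip and "S" in rec["flags"] and "." not in rec["flags"]

def summarize(lines, my_ip, scan_threshold=5):
    """Per source: attempt count, distinct ports hit, scan flag at scan_threshold ports (hypothetical threshold)."""
    per_src = defaultdict(lambda: {"attempts": 0, "ports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_inbound_syn(rec, my_ip):
            continue
        per_src[rec["src"]]["attempts"] += 1
        per_src[rec["src"]]["ports"].add(rec["dport"])
    return {src: {"attempts": v["attempts"], "ports": sorted(v["ports"]),
                  "probable_scan": len(v["ports"]) >= scan_threshold}
            for src, v in per_src.items()}

# Constructed sample: a five-port probe from 203.0.113.5, two ordinary web hits from
# 198.51.100.7, our own outbound SYN, the SYN-ACK that answers it, and one UDP DNS line.
SAMPLE = """\
12:00:01.000001 IP 203.0.113.5.40001 > 192.0.2.10.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 203.0.113.5.40002 > 192.0.2.10.23: Flags [S], seq 1, win 64240, length 0
12:00:01.000003 IP 203.0.113.5.40003 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000004 IP 203.0.113.5.40004 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000005 IP 203.0.113.5.40005 > 192.0.2.10.3306: Flags [S], seq 1, win 64240, length 0
12:00:02.000001 IP 198.51.100.7.51000 > 192.0.2.10.80: Flags [S], seq 7, win 65535, length 0
12:00:02.000002 IP 198.51.100.7.51001 > 192.0.2.10.80: Flags [S], seq 8, win 65535, length 0
12:00:03.000001 IP 192.0.2.10.42000 > 93.184.216.34.443: Flags [S], seq 5, win 64240, length 0
12:00:03.000002 IP 93.184.216.34.443 > 192.0.2.10.42000: Flags [S.], seq 9, ack 6, win 65160, length 0
12:00:04.000001 IP 192.0.2.10.53000 > 192.0.2.1.53: 12345+ A? example.com. (29)
"""
```

Running `summarize(SAMPLE.splitlines(), "192.0.2.10")` reports 203.0.113.5 as a probable scan and 198.51.100.7 as two plain hits on port 80; the outbound SYN, the SYN-ACK reply and the UDP line are ignored.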
Is there any script that uses tcpdump output to initiate whois lookups and traceroutes to everyone trying to connect?
Even better, what if the uninvited visitor goes to the web site in the home computer, how can some identification info be discovered about them so even if they change IP you can still tell it's them?
(Much ...) Better Idea: "Keep them from connecting!"
If a particular service is "open to the public," then obviously you cannot discriminate with regard to exactly who "the public" is. But if you find that the intended limit is less than "the public," you should be cutting them off at the pass.
Likewise, if you find that (unintended members of ...) "the Public" have latched-on to (say...) your ssh port and are hammering user-id's and passwords against it ... as "the Public" is certainly free to do ... then you should close that service such that "user-id's and passwords" are never permitted. Your sshd daemon should require (only) digital certificates, and refuse "user-id/password" as an option altogether.
Alright, could find the way to stop all services with open ports. But might a web server be an exception that is useful for getting info about intruders if the site is NOT being advertised anywhere and exists for the sole purpose of getting info about intruders?
See "honeypot" as near match.
But if you are making it publicly available as said above, advertised or not, they are NOT "intruders", they are visitors...