Hi,

On Sun, Apr 25, 2021 at 08:01:55AM -0400, Jeffrey Walton wrote:
> On Sun, Apr 25, 2021 at 7:09 AM John Wood <john.wood@xxxxxxx> wrote:
> >
> > I'm working on an LSM to detect and mitigate fork brute force attacks
> > against vulnerable userspace applications. Now, to fine-tune the
> > detection I want to detect network activity. ...
> > How can I detect that an external connection (using a net device) is
> > accepted and avoid internal network communication?
>
> One caveat that may (or may not) apply...
>
> Systemd opens sockets for services even when a service is disabled. It
> could appear that a system is accepting traffic even when the service
> is unavailable.

But if the service is unavailable it will not accept connections. I hope.
If we use the socket_accept LSM hook it will not be called under this
scenario.

John Wood

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies