Detecting break-ins

To: debian-security@lists.debian.org
Subject: Detecting break-ins
From: Balazs Javor <jb3@freemail.hu>
Date: Tue, 15 Jan 2002 21:04:07 +0100
Message-id: <[🔎] 20020115200407.GC1815@zhadum.bjavor.d2g.com>
Mail-followup-to: debian-security@lists.debian.org

Hi,

Recently I've installed some IP logging deamons
(snort, ippl along with logcheck) and I was amazed
how many break-in attempts there are each day on my
simple home box which isn't even adverised anywhere,
as I only run a few services intended for friends and
family (apache, wu-ftpd, exim).

I can see a lot of IIS related attempts, which obviously
do not work, as well as some refused anonymous FTP connection
attempts. For these I don't worry to much as they have failed.
(I hope. I'm no expert, though.)
Then there are more exotic stuff. High port UDP attampts,
connection to port 113 etc.

Now the logs provided by the above packages often say something
like 'connection attempt to ..' whichever port/service.
The question is whether there is a way to know whether any of those
attempts succeded. Or to put it more simply, how could one
distinguish a failed attempt and a successful break-in?

(I know this is probably a very complex topic, but I would
greatly appreciate some advise!)

Many thanks for your help in advance!
best regards,
Balazs

Reply to:

Follow-Ups:
- Re: Detecting break-ins
  - From: "Noah L. Meyerhans" <frodo@morgul.net>
- Re: Detecting break-ins
  - From: Alvin Oga <aoga@Maggie.Linux-Consulting.com>
- Re: Detecting break-ins
  - From: Yotam Rubin <yotam@makif.omer.k12.il>

Prev by Date: Re: Debian security being trashed in Linux Today comments
Next by Date: Re: Detecting break-ins
Previous by thread: Re: Following security issues found upstream
Next by thread: Re: Detecting break-ins
Index(es):
- Date
- Thread