Re: System log monitor

[Jacob Kuntz - Sat,  2 Dec 2000 11:22:12 PM CST]
from the secret journal of An Thi-Nguyen Le (anle@ews.uiuc.edu):
} > There's Psionic's logcheck, which is in both potato and woody.  The 
} > one, the original.  Goes well with portsentry (only in woody, can do 
} > a source compile on potato though).
} not exactly -- portsentry depends on net-tools. i tried installing it with
} --force-depends, and while the daemon starts, it doesn't detect stealth
} scans. 

Ah yes, that's right; net-tools was originally netbase, and split into 
separate packages.

As for portsentry: it doesn't start with stealth mode on.  See 
/etc/portsentry/startup.conf.  You want "stcp" and "sudp" mode; 
but if you're extremely paranoid you mightn't want this.  There's 
a DOS issue with portsentry's stealth mode -- someone could spoof 
their IP address as localhost/your IP and either get through (since 
your IP is normally in portsentry.ignore) or cause you to boot 
yourself off the net.  However, since Debian turns on spoof protection 
by default in the kernel, this is not much of an issue anyways.

} and just to make things interesting, a vanilla open scan results in
} two log records for each port i hit. i shudder to think what would happen to
} a busy site not using a loghost.

I think that's because logs are partly duplicated across daemon.log and 
some other log file.  Look it up in the BTS and file a bug mayhaps.
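An added audit script illustrating the two points above (it is not part of the thread and not portsentry's own code): it reports whether startup.conf enables the "stcp"/"sudp" stealth modes, and lists local addresses missing from portsentry.ignore, which is what keeps a spoofed probe from making portsentry block the box itself. The TCP_MODE/UDP_MODE variable names are assumed from Debian's startup.conf; the sample files and 192.0.2.x addresses are constructed.

```shell
#!/bin/sh
# Print the mode portsentry will start in; return 0 only when both
# stealth modes are set. Assumes Debian's startup.conf uses
# TCP_MODE="..." and UDP_MODE="..." (assumption, not from the thread).
stealth_mode_status() {
    conf="$1"
    tcp=$(sed -n 's/^TCP_MODE="\([a-z]*\)".*/\1/p' "$conf")
    udp=$(sed -n 's/^UDP_MODE="\([a-z]*\)".*/\1/p' "$conf")
    if [ "$tcp" = "stcp" ] && [ "$udp" = "sudp" ]; then
        echo "stealth (TCP_MODE=$tcp UDP_MODE=$udp)"
        return 0
    fi
    echo "basic (TCP_MODE=$tcp UDP_MODE=$udp)"
    return 1
}

# Print each given local address that is absent from portsentry.ignore.
# The ignore file holds one address (optionally with /mask) per line,
# '#' lines are comments. A missing local address is the self-lockout risk.
missing_ignore_entries() {
    ignore="$1"; shift
    for addr in "$@"; do
        awk -v a="$addr" '
            $1 !~ /^#/ && NF > 0 { split($1, p, "/"); if (p[1] == a) found = 1 }
            END { exit !found }' "$ignore" || echo "$addr"
    done
}

# Constructed sample files for a stand-alone run (not a real system's config).
demo=$(mktemp -d)
printf 'TCP_MODE="tcp"\nUDP_MODE="udp"\n' > "$demo/startup.conf"
printf '# never block these\n127.0.0.1\n0.0.0.0\n' > "$demo/portsentry.ignore"
stealth_mode_status "$demo/startup.conf" || true
missing_ignore_entries "$demo/portsentry.ignore" 127.0.0.1 192.0.2.10
rm -r "$demo"
```

In practice you would pass the box's real interface addresses to `missing_ignore_entries` instead of the constructed ones.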

