
Re: Logging attempts




On Mon, 17 Jul 2000, Toth Attila wrote:

> Some comments on the topic:
> 
> On Mon, 17 Jul 2000, Florian Friesdorf wrote:
> > On Mon, Jul 17, 2000 at 01:41:46AM +0200, A. Vije wrote:
> > > On Sun, 16 Jul 2000, Patrick Barr wrote:
> > > 
> > > > What I want to do, is run a programme that will monitor my ppp0 
> > > > connection for any attempts from anyone to connect to a port and FAIL. 
> > > > I am running 2.4.0 test2 (but I will soon move back to 2.2.16 when 
> > > > potato comes out) and I don't have netfilter on, I just have hosts.deny 
> > > > set to all:all.
> > > 
> > > You can just cat (or tail -f for realtime stats) your syslog (tail -f
> > > /var/log/syslog) for as far as I know all attempts get logged there.
> > 
> > afaik you need the iplogger package installed,
> > including tcplogd and icmplogd, doing exactly what their names sound like.
> 
> As far as I know: if you are running a packet filter, and that is the
> reason why a connection attempt fails, then this event won't reach tcplog,
> but still appears in syslog (if your filter is configured in this way).
> 
> > for 2.2.x kernels 'ipchains -I input 1 -i ppp0 -l -y -p tcp' 
> > will log all incoming tcp connection attempts through ppp0.
> > --> 'man ipchains', for further details
> 
> If you are using your ppp hard, this rule will produce a lot of logged 
> data. It is more reasonable to set the packet filter to log the tcp
> connections, which are REJECTed or DENYed by it. This will probably make
> less logged data. Am I right?
> 
> > > Small note: Potato ships with 2.2.17pre6. (I'm looking forward to it .. :)
> 
> Will potato really ship with a pre-kernel? In this case why don't
> patch-2.4.0-test4? (I know, that this mailing list is not dedicated for
> questions like this)

Not a 2.4.0 because that's a major kernel upgrade, with new functions,
where potato is now frozen, so there can't be major upgrades whatsoever
anymore.

Ron Rademaker

> 
> 
> Happy logging,
> Dw.
> 
> 
> 
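An added example, not part of the original thread: one way to pull the refused TCP connection attempts on ppp0 out of syslog once the packet filter logs its DENY/REJECT rules, as suggested in the quoted discussion. It assumes the 2.2 kernel's ipchains "Packet log:" line format; the sample lines, host name and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines, assuming the ipchains "Packet log:" syslog format
# (host name, addresses and ports are made up for this example).
SAMPLE_SYSLOG = """\
Jul 17 10:01:02 box kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:1042 198.51.100.5:23 L=60 S=0x00 I=4711 F=0x4000 T=52 SYN (#3)
Jul 17 10:01:05 box kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:1043 198.51.100.5:111 L=60 S=0x00 I=4712 F=0x4000 T=52 SYN (#3)
Jul 17 10:02:11 box kernel: Packet log: input ACCEPT ppp0 PROTO=6 203.0.113.7:3301 198.51.100.5:22 L=60 S=0x00 I=99 F=0x4000 T=60 SYN (#1)
Jul 17 10:03:40 box kernel: Packet log: input REJECT ppp0 PROTO=6 203.0.113.99:2200 198.51.100.5:139 L=48 S=0x00 I=5 F=0x4000 T=110 SYN (#4)
Jul 17 10:03:41 box kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.3:1500 10.0.0.1:80 L=60 S=0x00 I=7 F=0x4000 T=64 SYN (#3)
Jul 17 10:04:00 box kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.10:53 198.51.100.5:1025 L=34 S=0x00 I=18 F=0x0000 T=254 (#5)
Jul 17 10:05:00 box pppd[312]: LCP echo ok
"""

# chain, verdict, interface, protocol number, source and destination endpoints
PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?P<rest>.*)$"
)

def failed_tcp_attempts(log_text, iface="ppp0"):
    """Return (src, dport, verdict) for each TCP SYN the filter refused on iface."""
    hits = []
    for line in log_text.splitlines():
        m = PACKET_LOG.search(line)
        if not m:
            continue                      # not a packet-filter log line
        if m["iface"] != iface or m["proto"] != "6":
            continue                      # other interface, or not TCP
        if m["verdict"] not in ("DENY", "REJECT"):
            continue                      # accepted packets are not failures
        if " SYN" not in m["rest"]:
            continue                      # only connection attempts
        hits.append((m["src"], int(m["dport"]), m["verdict"]))
    return hits

def summarize(hits):
    """Count refused attempts per source address."""
    return Counter(src for src, _, _ in hits)

if __name__ == "__main__":
    hits = failed_tcp_attempts(SAMPLE_SYSLOG)
    for src, dport, verdict in hits:
        print(f"{verdict:6} {src} -> port {dport}")
    print(dict(summarize(hits)))
```
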


