
Re: Logging attempts



On Fri, Jul 21, 2000 at 03:17:51PM +0200, Mario Scarpa wrote:
> balexander@sonsofthunder.yi.org wrote:
> > 
> > On Sun, Jul 16, 2000 at 04:21:28PM +0000, Patrick Barr wrote:
> > >
> > > I need somebody's help on this....
> > >
> > > What I want to do, is run a programme that will monitor my ppp0
> > > connection for any attempts from anyone to connect to a port and FAIL.
> > > I am running 2.4.0 test2 (but I will soon move back to 2.2.16 when
> > > potato comes out) and I don't have netfilter on, I just have hosts.deny
> > > set to all:all.
> > 
> > If you are looking to see if someone is getting through your ipchains and
> > getting stopped by tcp_wrappers, you can change your hosts.deny from
> > ALL: ALL to
> > 
> > ALL: ALL: spawn ( \
> > echo -e "\n\
> > TCP Wrappers\:  Connection refused\n\
> > By\:                    $(uname -n)\n\
> > Process\:               %d (pid %p)\n\
> > User\:                  %u\n\
> > Host\:                  %c\n\
> > Date\:                  $(date)\n\
> > " | /bin/mail -s "Connection to %d blocked" root)
> > 
> > This will send you an email whenever someone gets through to
> > tcp_wrappers.
> 
> Please consider the side effects of this: a simple DOS would
> be generating a huge amount of TCP requests towards this machine
> forcing the system to send an email every time. Sometimes it
> can make the target unusable...

True, but if you have a good set of ipchains scripts, you will very rarely
see messages from tcpd, because theoretically the only thing that is
getting through your firewall script is authorized traffic. This setup
should only trigger in the case of a hole in your firewall rules, and there
are definitely worse ways to find out about that...:-)

And just for the record, I use PeterW's firewall script. He wrote the rules
for Bastille Linux, but you can get the firewall rules as a standalone
script at http://www.tux.org/~peterw.

-- 
--Brad
============================================================================
Bradley M. Alexander                     |   Co-Chairman,
Beowulf System Admin/Security Specialist |    NoVALUG/DCLUG Security SIG
Winstar Telecom                          |   balexander@winstar.com
(703) 889-1049                           |   storm@tux.org
============================================================================
Cats are smarter than dogs.  You can't make eight cats pull a sled through
the snow.
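
The mail-flood side effect raised in this thread can be bounded by having `spawn` call a throttling wrapper instead of mailing directly. This is an added example, not code from the thread or from tcp_wrappers; the script name `tcpd-alert.sh`, its install path, `STATE_DIR`, `WINDOW` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: send at most one mail per (daemon, client) key per WINDOW
# seconds, and report how many refusals were not mailed in between.
# Assumed hosts.deny entry (path is hypothetical):
#   ALL: ALL: spawn (/usr/local/sbin/tcpd-alert.sh %d %c) &

STATE_DIR="${STATE_DIR:-/var/run/tcpd-alert}"   # assumed state location
WINDOW="${WINDOW:-300}"                          # seconds between mails per key

# throttle_alert KEY NOW
# Returns 0 and prints the number of suppressed events when a mail is due;
# returns 1 (after counting the event) when the key is still inside WINDOW.
throttle_alert() {
    # Reduce the key to characters that are safe in a file name.
    key=$(printf '%s' "$1" | tr -c 'A-Za-z0-9._@-' '_')
    now=$2
    f="$STATE_DIR/$key"
    mkdir -p "$STATE_DIR" || return 1
    last=0
    suppressed=0
    if [ -f "$f" ]; then
        read -r last suppressed < "$f"
    fi
    if [ $((now - ${last:-0})) -ge "$WINDOW" ]; then
        printf '%s 0\n' "$now" > "$f"
        printf '%s\n' "${suppressed:-0}"
        return 0
    fi
    printf '%s %s\n' "$last" $((${suppressed:-0} + 1)) > "$f"
    return 1
}

# report DAEMON CLIENT: mail root only when the throttle allows it.
report() {
    if n=$(throttle_alert "$1-$2" "$(date +%s)"); then
        printf 'Connection to %s from %s refused by %s (%s earlier refusals not mailed)\n' \
            "$1" "$2" "$(uname -n)" "$n" | /bin/mail -s "Connection to $1 blocked" root
    fi
}

# Only act when invoked under the assumed script name with both arguments.
if [ "${0##*/}" = "tcpd-alert.sh" ] && [ $# -eq 2 ]; then
    report "$1" "$2"
fi
```

The state update is not locked, so two refusals handled at the same instant can occasionally produce one extra mail or lose one count; the per-window bound on mail volume per key still holds in practice.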
