
Re: checking security logs



[Rainer Weikusat - Tue, 23 Jan 2001 09:41:57 AM CST]
> David Duffey <email@davidduffey.com> writes:
> > I highly suggest portsentry and logcheck,
> 
> Avoid portsentry. It's literally useless.

You could list reasons why it's useless.  For me, I usually run it in 
stealth mode (no, I'm not afraid of the spoof attack; that's what 
turning on spoof detection in the kernel is for), and it's served me 
rather well for the past year.  Stopping attackers after 'finger' is 
damned useful (mind you, if you didn't read the documentation and 
didn't turn on one of the KILL options, it obviously won't work).


> > if none of your services are showing connections then it's probably
> > traffic from port scans.
> 
> It's probably something (and that something is, given a reasonably
> configured machine, probably of absolutely no real concern to you).

Port scans aren't always port scans.  Sometimes they're direct attempts 
to attack (for instance, through portmap or ftp), in which case you 
damn well will do a 'whois' on the IP address and report to the sysadmin 
listed in the output.


-- 
An Thi-Nguyen Le
|I guess it was all a DREAM ... or an episode of HAWAII FIVE-O ...