
Re: checking security logs



On Tue, Jan 23, 2001 at 11:45:28AM -0500, Gord Mc . Pherson wrote:
> Hi,
> 
>   Perhaps 'iptraf' or 'netwatch' (both available on freshmeat) and 'netstat' could be used to identify what/who is generating the traffic on your system. I'd also concur with a previous comment about 'portsentry', since it's possible to spoof an address and have portsentry block it. It therefore becomes an effective tool for a hacker to use as a DoS. For example, I could find out what your ISP's DNS servers are, spoof those addresses and have your portsentry block them. This would cut you off from the net until you manually corrected it.

Ipchains (and I would assume iptables) has a log feature that will log any
packets that hit any rule with a -l in it. For instance, here was a guy
trying ftp:

Jan 18 15:21:00 marvin kernel: Packet log: input DENY eth1 PROTO=6 213.51.164.222:3336 24.14.189.245:21 L=48 S=0x00 I=15284 F=0x4000 T=117 SYN (#9)
Jan 18 15:21:03 marvin kernel: Packet log: input DENY eth1 PROTO=6 213.51.164.222:3336 24.14.189.245:21 L=48 S=0x00 I=15347 F=0x4000 T=118 SYN (#9)

another trying sunrpc:

Jan 18 22:16:10 marvin kernel: Packet log: input REJECT eth1 PROTO=6 211.116.51.17:2100 24.14.189.245:111 L=60 S=0x00 I=33380 F=0x4000 T=51 SYN (#13)

yet another trying DNS (coming from another DNS server, hrmm)

Jan 23 03:43:00 marvin kernel: Packet log: input DENY eth1 PROTO=6 148.235.3.71:53 24.14.189.245:53 L=40 S=0x00 I=39426 F=0x0000 T=27 SYN (#10)

You get the idea. No special software needed, just good 'ole ipchains.

BTW: Could you try to keep lines to <80 characters? (Nevermind the fact that 
I just broke that rule with the firewall logs).

-- 
Jordan Bettis <http://www.hafd.org/~jordanb/>
Showing up is 80% of life.
		-- Woody Allen
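An added example, not part of the thread: the three ipchains "Packet log:" lines above, plus one constructed iptables-style line, run through a small parser that turns them into something you can count and reason about. It is added here as a worked example of reading these logs; it is not anyone's posted code. Two points it makes that the raw lines do not: the two ftp lines 3 seconds apart with the same source port 3336 are one connection attempt (a TCP SYN retransmit), not two, and a TCP SYN from port 53 to port 53 is ambiguous, since BIND 8 name servers used source port 53 for their own queries while scanners also use source port 53 to get past filters that trust "anything from DNS". Unlike ipchains' -l, iptables logs with a separate LOG target rule (-j LOG --log-prefix "FW-IN: ") that writes KEY=VALUE fields; the sample line in that format, the 192.0.2.10 address, the "FW-IN:" prefix, the year 2001 and the 30-second retransmit window are all assumptions made for the example.

```python
"""Parse ipchains / iptables kernel firewall log lines and summarise what hit the rules.
Added example for this thread; not code from the original post."""
import re
from collections import Counter
from datetime import datetime

# klogd/syslog prefix: "Jan 18 15:21:00 marvin kernel: ..." (no year in syslog)
TS_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) \S+ kernel: ")
# ipchains (2.2 kernels) "Packet log:" format, exactly as in the lines quoted in the thread
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<spt>\d+) (?P<dst>[\d.]+):(?P<dpt>\d+) "
    r"L=(?P<len>\d+) S=\S+ I=\d+ F=\S+ T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)")
# iptables LOG target: KEY=VALUE tokens plus bare flag words (DF, SYN, ...)
IPTABLES_KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
IPTABLES_FLAG_RE = re.compile(r"\b(DF|SYN|ACK|FIN|RST|PSH|URG)\b")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
SERVICE_NAMES = {21: "ftp", 22: "ssh", 53: "domain", 111: "sunrpc"}  # only the ports used here


def parse_ipchains(line):
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    return {"fmt": "ipchains", "chain": m["chain"], "target": m["target"], "iface": m["iface"],
            "proto": PROTO_NAMES.get(int(m["proto"]), m["proto"]), "src": m["src"],
            "spt": int(m["spt"]), "dst": m["dst"], "dpt": int(m["dpt"]), "ttl": int(m["ttl"]),
            "flags": set(m["flags"].split()), "rule": int(m["rule"])}


def parse_iptables(line):
    kv = dict(IPTABLES_KV_RE.findall(line))
    if "SRC" not in kv or "DST" not in kv or "IN" not in kv:
        return None
    # LOG only records; the verdict is whatever rule follows it, so keep the --log-prefix as "target"
    prefix = line.split("kernel: ", 1)[-1].split("IN=", 1)[0].strip()
    return {"fmt": "iptables", "chain": None, "target": prefix, "iface": kv.get("IN") or kv.get("OUT"),
            "proto": kv.get("PROTO", "").lower(), "src": kv["SRC"], "spt": int(kv.get("SPT", 0)),
            "dst": kv["DST"], "dpt": int(kv.get("DPT", 0)), "ttl": int(kv.get("TTL", 0)),
            "flags": set(IPTABLES_FLAG_RE.findall(line)), "rule": None}


def parse_line(line, year=2001):
    """One syslog line -> record dict, or None if it is not a firewall log line.
    The year is assumed (2001, the year of this thread) because syslog omits it."""
    rec = parse_ipchains(line) or parse_iptables(line)
    if rec is None:
        return None
    ts = TS_RE.match(line)
    rec["time"] = (datetime.strptime(f"{ts['mon']} {ts['day']} {ts['hms']} {year}",
                                     "%b %d %H:%M:%S %Y") if ts else None)
    return rec


def collapse_retransmits(records, window=30):
    """Fold packets of the same 5-tuple seen within `window` s of the previous one into one attempt.
    TCP retries a SYN after 3, 6, 12, ... seconds, so the two ftp lines above are one attempt."""
    attempts, open_flows = [], {}
    for r in sorted(records, key=lambda r: r["time"] or datetime.min):
        key = (r["proto"], r["src"], r["spt"], r["dst"], r["dpt"])
        prev = open_flows.get(key)
        if prev and r["time"] and prev["last_seen"] and (r["time"] - prev["last_seen"]).total_seconds() <= window:
            prev["retries"] += 1
            prev["last_seen"] = r["time"]
            continue
        attempt = dict(r, retries=0, last_seen=r["time"])
        open_flows[key] = attempt
        attempts.append(attempt)
    return attempts


def assess(a):
    """Observations a human would make about one attempt (heuristics added for this example)."""
    svc = SERVICE_NAMES.get(a["dpt"], str(a["dpt"]))
    notes = [f"{a['proto']} {a['src']}:{a['spt']} -> {a['dst']}:{a['dpt']} ({svc}), "
             f"{'SYN' if 'SYN' in a['flags'] else 'no SYN'}, ttl={a['ttl']}"]
    if a["retries"]:
        notes.append(f"{a['retries']} retransmit(s) folded in: an OS TCP stack retrying connect(), "
                     "not a single raw-socket probe")
    if a["proto"] == "tcp" and a["spt"] == 53 and a["dpt"] == 53:
        notes.append("TCP 53->53: either a name server using source port 53 for its own queries "
                     "(BIND 8 did), or a scanner using sport 53 to pass filters that trust 'from DNS'")
    if a["fmt"] == "ipchains":  # DENY drops silently, REJECT answers with an ICMP unreachable
        verdict = {"DENY": "dropped silently", "REJECT": "dropped, ICMP unreachable sent back"}
        notes.append(f"rule #{a['rule']}: {verdict.get(a['target'], a['target'])}")
    return notes


def analyze(text, year=2001):
    attempts = collapse_retransmits([r for r in (parse_line(l, year) for l in text.splitlines()) if r])
    for a in attempts:
        a["notes"] = assess(a)
    return attempts


def targets_by_service(attempts):
    """Distinct attempts per destination service: the 'what are they after' view."""
    return Counter(SERVICE_NAMES.get(a["dpt"], a["dpt"]) for a in attempts)


# Constructed sample: the thread's three ipchains events, one unrelated kernel line,
# and one made-up iptables LOG line (address 192.0.2.10, prefix "FW-IN:").
SAMPLE_LOG = """\
Jan 18 15:21:00 marvin kernel: Packet log: input DENY eth1 PROTO=6 213.51.164.222:3336 24.14.189.245:21 L=48 S=0x00 I=15284 F=0x4000 T=117 SYN (#9)
Jan 18 15:21:03 marvin kernel: Packet log: input DENY eth1 PROTO=6 213.51.164.222:3336 24.14.189.245:21 L=48 S=0x00 I=15347 F=0x4000 T=118 SYN (#9)
Jan 18 22:16:10 marvin kernel: Packet log: input REJECT eth1 PROTO=6 211.116.51.17:2100 24.14.189.245:111 L=60 S=0x00 I=33380 F=0x4000 T=51 SYN (#13)
Jan 23 03:43:00 marvin kernel: Packet log: input DENY eth1 PROTO=6 148.235.3.71:53 24.14.189.245:53 L=40 S=0x00 I=39426 F=0x0000 T=27 SYN (#10)
Jan 23 03:43:01 marvin kernel: eth1: Promiscuous mode disabled
Jan 24 09:12:44 marvin kernel: FW-IN: IN=eth1 OUT= MAC=00:50:04:aa:bb:cc:00:10:67:00:11:22:08:00 SRC=192.0.2.10 DST=24.14.189.245 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=4242 DF PROTO=TCP SPT=40111 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(a["time"], "|", "; ".join(a["notes"]))
    print(dict(targets_by_service(found)))
```

Feed it `grep 'Packet log' /var/log/messages` (or the iptables prefix you chose) instead of SAMPLE_LOG; the value is in collapse_retransmits and targets_by_service, which turn a wall of kernel lines into "who tried what, how many times".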


