[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Detecting break-ins


Recently I've installed some IP logging deamons
(snort, ippl along with logcheck) and I was amazed
how many break-in attempts there are each day on my
simple home box which isn't even adverised anywhere,
as I only run a few services intended for friends and
family (apache, wu-ftpd, exim).

I can see a lot of IIS related attempts, which obviously
do not work, as well as some refused anonymous FTP connection
attempts. For these I don't worry to much as they have failed.
(I hope. I'm no expert, though.)
Then there are more exotic stuff. High port UDP attampts,
connection to port 113 etc.

Now the logs provided by the above packages often say something
like 'connection attempt to ..' whichever port/service.
The question is whether there is a way to know whether any of those
attempts succeded. Or to put it more simply, how could one
distinguish a failed attempt and a successful break-in?

(I know this is probably a very complex topic, but I would
greatly appreciate some advise!)

Many thanks for your help in advance!
best regards,

Reply to: