Re: Logcheck

To: Christopher Clark <chris@maltwhiskey.demon.co.uk>
Cc: Debian List <debian-user@lists.debian.org>
Subject: Re: Logcheck
From: Dave Sherohman <esper@sherohman.org>
Date: Fri, 27 Oct 2000 11:48:54 -0500
Message-id: <20001027114854.B16691@sherohman.org>
In-reply-to: <200010271357.NAA00559@hurricane.warplane>; from chris@maltwhiskey.demon.co.uk on Fri, Oct 27, 2000 at 01:57:58PM +0000
References: <200010271357.NAA00559@hurricane.warplane>

On Fri, Oct 27, 2000 at 01:57:58PM +0000, Christopher Clark wrote:
> In addition to a firewall (pmfirewall) and portsentry I now have
> logckeck running. Unfortunately I get a lot of mail saying I am under attack 
> when I am sure I am not.

I suspect you're just getting notifications of (what logcheck is configured
to consider) unusual activity.  When it thinks you're actually under attack,
it will send notifications with the subject "ACTIVE SYSTEM ATTACK!" instead
of "system check".

> I can't figure out what it is objecting to and so 
> put it in the ignore file.  Her are a few snippets:

It "objects to" anything and everything that doesn't match a pattern in
/etc/logcheck/logcheck.ignore.

More specifically, anything matching a pattern in logcheck.hacking is
considered an "attack", anything matching logcheck.violations (but not
logcheck.violations.ignore) is considered a "security violation", and
anything not matching either of those files or logcheck.ignore is "unusual
system activity".

> Oct 27 06:12:45 defiant -- MARK --

Ignore "-- MARK --".  (This one should be in logcheck.ignore by default...)

> Oct 27 06:02:03 defiant sendmail[31020]: GAA31020: from=root, size=2439, 
> class=0, pri=32439, nrcpts=1, msgid=<200010270602.GAA31020@defiant.warplane>, 
> relay=root@localhost
> Oct 27 06:02:03 defiant sendmail[31023]: GAA31020: to=chris, ctladdr=root 
> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent

Ignore "sendmail\[.*\]: GAA.*"?  I use exim, so I don't know whether that's
the best choice for filtering these out.

> Oct 27 07:35:21 defiant pppd[31142]: pppd 2.3.11 started by root, uid 0

Ignore "pppd\[.*\]: pppd [0-9.]* started by root, uid 0" if you want nonroot
pppd startups reported, ""pppd\[.*\]: pppd [0-9.]* started.*" if you want
them ignored.

> Oct 27 07:35:22 defiant chat[31144]: abort on (BUSY)
> Oct 27 07:35:22 defiant chat[31144]: abort on (NO CARRIER)
> Oct 27 07:35:22 defiant chat[31144]: abort on (VOICE)
> Oct 27 07:35:22 defiant chat[31144]: abort on (NO DIALTONE)

Ignore "chat\[.*\]: .*".

> Oct 27 08:02:05 defiant sendmail[31463]: IAA31463: from=root, size=32672, 
> class=0, pri=62672, nrcpts=1, msgid=<200010270802.IAA31463@defiant.warplane>, 
> relay=root@localhost
> Oct 27 08:02:05 defiant sendmail[31466]: IAA31463: to=chris, ctladdr=root 
> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent

Ignore "sendmail\[.*\]: IAA.*"?  Again, I don't know the best way to ignore
'safe' sendmail messages without letting those which could be significant
pass unnoticed.

> Oct 27 08:08:55 defiant in.rlogind[31468]: connect from 192.168.200.30

You probably _don't_ want to ignore this, or at least come up with a pattern
that will ignore successful attempts, but still report failed attempts.  (And
you really should switch from rsh to ssh if you can...)

> Oct 27 08:19:03 defiant named[160]: Cleaned cache of 32 RRsets
> Oct 27 08:19:03 defiant named[160]: USAGE 972634743 971683999 CPU=2.44u/1.09s 
> CHILDCPU=0u/0s
> Oct 27 08:19:03 defiant named[160]: NSTATS 972634743 971683999 A=2895 SOA=106 
> PTR=279 MX=860 SRV=3 AXFR=2 ANY=717
> Oct 27 08:19:03 defiant named[160]: XSTATS 972634743 971683999 RR=624 RNXD=13 
> RFwdR=380 RDupR=3 RFail=0 RFErr=0 RErr=0 RAXFR=2 RLame=0 ROpts=0 SSysQ=339 
> SAns=4379 SFwdQ=498 SDupQ=8784 SErr=229 RQ=4862 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=4 
> SFwdR=380 SFail=0 SFErr=0 SNaAns=1896 SNXD=49

Ignore named Cleaned cache, USAGE, NSTATS, and XSTATS reports.  (You probably
don't want to ignore named entirely...)

The default 'server' config for logcheck ignores almost all of these things.
Perhaps you should reconfigure your logcheck package?  I suspect that you
chose the 'utterly paranoid, report _everything_' configuration last time
around...

-- 
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton
Geek Code 3.1:  GCS d- s+: a- C++ UL++$ P+>+++ L+++>++++ E- W--(++) N+ o+
!K w---$ O M- V? PS+ PE Y+ PGP t 5++ X+ R++ tv b+ DI++++ D G e* h+ r++ y+

Reply to:

References:
- Logcheck
  - From: Christopher Clark <chris@maltwhiskey.demon.co.uk>

Prev by Date: RE: Windows 2000 and Telnet
Next by Date: Re: LI at boot after making \boot reiserfs
Previous by thread: Logcheck
Next by thread: Re: Logcheck
Index(es):
- Date
- Thread