Re: Firewall logs and analyzing tools

hi ya

On Sat, 21 Jun 2003, bob parker wrote:

> On Fri, 20 Jun 2003 02:45, Massimo Villa wrote:
> > Is there anybody who knows an analyzing, monitoring and
> > reporting tool for iptables logs to discover possible attacks
> > and statistics information?
> >
> logcheck might help, it distills the logs and emails the result to you or 
> other designated recipient.

putting on the flame suit...

if iptables stopped the incoming traffic ... good ... it did its job

if iptables stopped legitimate traffic, the sender will probably tell
you to stop bouncing them or allow them as an exception ..

if you want to discover (endless) possible attacks...
	- find other iptables rules you need to add to your list and why

	- spend your time hardening your servers and lan ...
	(a semi-finite list of things to do vs infinite possible attacks)

	- find "all" the known exploits for a particular vulnerability
	and patch it and defend your servers against that exploit

if you are running some ids... it's too late... they are already in your
	- better now spend time to prevent them getting in next time

	- don't bother with figuring out all those doing port scans
	of your servers ..

	- do apply all the patches to all apps running on those ports

if you like looking at pretty statistics ..
	grep ssh  /var/log/messages | grep -iv "your-own-servers-n-ip#"
	grep icmp /var/log/messages
	grep ftp /var/log/messages
	grep telnet /var/log/messages
	egrep -iv "ssh|icmp|ftp|telnet" /var/log/messages

	grep error /var/log/http/error_log

	plot all that out in whatever presentation you want

firewall logs

	( check into firesoft ?? )

lots o fun stuff

c ya
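An added example, not from this thread, of turning the per-protocol greps above into a small summary: a Python script that parses iptables kernel log lines, skips traffic from your own hosts (the "grep -iv your-own-servers" step), and counts blocked packets per protocol/port and per source. The log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines with iptables "IPT DROP" entries; not real log data.
SAMPLE_LOG = """\
Jun 21 03:14:07 fw kernel: IPT DROP IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=41234 DPT=22 SYN
Jun 21 03:14:09 fw kernel: IPT DROP IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=41235 DPT=23 SYN
Jun 21 03:14:11 fw kernel: IPT DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=55001 DPT=22 SYN
Jun 21 03:14:12 fw kernel: IPT DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Jun 21 03:14:15 fw kernel: IPT DROP IN=eth0 OUT= SRC=192.0.2.5 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=21
Jun 21 03:14:20 fw sshd[1234]: Accepted publickey for admin from 192.0.2.5 port 50000 ssh2
"""

# Hosts you own (constructed); their packets are left out of the statistics.
OWN_HOSTS = {"192.0.2.5"}

# iptables logs its packet fields as KEY=VALUE tokens, e.g. SRC=1.2.3.4 DPT=22
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_iptables_line(line):
    """Return a dict of KEY=VALUE fields for a kernel iptables log line, else None."""
    if "kernel:" not in line or "SRC=" not in line:
        return None  # sshd, cron, etc. are not firewall entries
    return dict(FIELD_RE.findall(line))

def summarize(log_text, own_hosts=OWN_HOSTS):
    """Count logged packets per PROTO/DPT and per source address, skipping own hosts."""
    by_service = Counter()
    by_source = Counter()
    for line in log_text.splitlines():
        fields = parse_iptables_line(line)
        if fields is None or fields.get("SRC") in own_hosts:
            continue
        proto = fields.get("PROTO", "?")
        # ICMP has no destination port, so it is keyed by protocol alone
        key = f"{proto}/{fields['DPT']}" if "DPT" in fields else proto
        by_service[key] += 1
        by_source[fields["SRC"]] += 1
    return by_service, by_source

if __name__ == "__main__":
    services, sources = summarize(SAMPLE_LOG)
    for key, n in services.most_common():
        print(f"{n:5d}  {key}")
    for src, n in sources.most_common():
        print(f"{n:5d}  {src}")
```

The two Counters are what you would feed to a plotting tool for the "pretty statistics"; on a real box, read /var/log/messages instead of SAMPLE_LOG.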

