Logcheck Alert Questions

Warren Togami warren at togami.com
Tue Jun 19 23:30:19 PDT 2001


I have used portsentry and logcheck for years.  With portsentry I don't use
the automatic dropping feature because the routing chains can too easily
become cluttered on a popular web server.  I simply watch the hourly
logcheck logs, and manually drop attackers if needed.  There is little point
in dropping users on known DHCP networks (all dial-ups, many DSL and cable
modems) because they can simply renew and poke your defenses again.  It
would be nice if there were an automated system that unblocks blocked
addresses several hours later, so that the iptables chains don't become
cluttered with useless rules.  Only then would I use automatic blocking.

Logcheck does a good job, but I thought I could do better.  I'm nearly done
writing a program that does the same job as logcheck, but with greater
configurability and more effective e-mail reports.  My group in ICS212 last
semester wrote this program for our final project.  It is currently written
in Java (don't laugh), but I'm porting it to perl or some other real
language later.

We call it Luser - Log Unix System E-mail Reporter

The only thing that still needs to be written is the file offset reader portion,
similar to Logcheck's logtail.  I hope to make it compatible with Logtail's
.offset files.

One of our group members made up the string matching syntax, but I hope to
change it to regexps later.

----- Original Message -----
From: "Erich S." <sharky at websharx.com>
To: "Linux & Unix Advocates & Users" <luau at list.luau.hi.net>
Sent: Tuesday, June 19, 2001 12:33 PM
Subject: [luau] Re: Logcheck Alert Questions


> Aloha!
>
> Thanks Warren! I had a feeling that portsentry might be reacting a bit
> quickly with shutting stuff down so quickly. I've already entered in some
> trusted machines (hehe, good thing I was local to the server while
> testing, since I managed to get my remote machine blacklisted pretty
> quickly while doing an nmap against the box)
>
> I see also what you mean by the spoofing and blocking issue. Hmmm...
>
> Thanks again for replying! I really appreciate the fast and informative
> answers. For now, I'll leave it as is, and get a feel for what portsentry
> is doing...as well as bone up more on my reading.
>
> BTW, is portsentry pretty common, or does anyone have any favorite tools
> for monitoring for folks rattling your Linux cages?
>
> Aloha,
> Erich
>
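As an added illustration of the "unblock several hours later" idea Warren describes (this is not his code, not part of Luser, and not part of logcheck or portsentry), the sketch below keeps a timestamp per blocked address, refuses to block anything on a trusted allowlist (the "trusted machines" Erich mentions), and removes rules whose time-to-live has passed so the INPUT chain does not fill with stale entries. The six-hour TTL, the state-file path, the single-rule-per-address chain layout and the `runner` callback are all assumptions; the runner defaults to a no-op so the logic can be exercised without root.

```python
# Added example: expiring block list for iptables.  Not Warren's Luser code
# and not from logcheck or portsentry.  TTL, state path and rule shape are
# assumed; the runner callback is a no-op unless you supply subprocess.run.
import ipaddress
import json
import os

BLOCK_TTL_SECONDS = 6 * 3600               # assumed policy: drop a block after six hours
STATE_FILE = "/var/lib/luser/blocks.json"  # assumed location; any writable path will do


def iptables_block_cmd(addr):
    # One rule per address, inserted at the head of INPUT (assumed chain layout).
    return ["iptables", "-I", "INPUT", "-s", addr, "-j", "DROP"]


def iptables_unblock_cmd(addr):
    # Must mirror the block rule exactly, otherwise "iptables -D" will not match it.
    return ["iptables", "-D", "INPUT", "-s", addr, "-j", "DROP"]


class BlockList:
    """Remembers when each address was blocked so stale rules can be removed."""

    def __init__(self, allowlist=(), runner=None, state_path=STATE_FILE):
        # Networks that must never be blocked (your own hosts, monitoring boxes),
        # so a scan run from a trusted machine cannot lock its owner out.
        self.allowlist = [ipaddress.ip_network(n) for n in allowlist]
        # runner receives an argv list; pass lambda c: subprocess.run(c, check=True)
        # in production.  Passing a list, never a shell string, avoids quoting issues.
        self.runner = runner or (lambda cmd: None)
        self.state_path = state_path
        self.blocked = {}  # addr (str) -> unix time of the most recent block

    def is_allowlisted(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.allowlist)

    def block(self, addr, now):
        # ip_address() rejects anything that is not a literal address, so a string
        # lifted from a log line cannot carry extra arguments into the iptables call.
        addr = str(ipaddress.ip_address(addr))
        if self.is_allowlisted(addr):
            return False
        if addr in self.blocked:
            self.blocked[addr] = now  # repeat offender: refresh rather than duplicate
            return False
        self.runner(iptables_block_cmd(addr))
        self.blocked[addr] = now
        return True

    def expire(self, now, ttl=BLOCK_TTL_SECONDS):
        # Remove every rule older than the TTL; run this from cron next to logcheck.
        expired = sorted(a for a, t in self.blocked.items() if now - t >= ttl)
        for addr in expired:
            self.runner(iptables_unblock_cmd(addr))
            del self.blocked[addr]
        return expired

    def save(self):
        with open(self.state_path, "w") as f:
            json.dump(self.blocked, f)

    def load(self):
        if os.path.exists(self.state_path):
            with open(self.state_path) as f:
                self.blocked = json.load(f)


def demo():
    # Constructed scenario with fixed timestamps; records commands instead of running them.
    cmds = []
    bl = BlockList(allowlist=["10.0.0.0/8"], runner=cmds.append, state_path="/dev/null")
    first = bl.block("203.0.113.5", now=1000)        # new block -> rule added
    trusted = bl.block("10.1.2.3", now=1000)         # allowlisted -> refused
    repeat = bl.block("203.0.113.5", now=2000)       # already blocked -> refreshed
    early = bl.expire(now=2000 + BLOCK_TTL_SECONDS - 1)
    late = bl.expire(now=2000 + BLOCK_TTL_SECONDS)
    return first, trusted, repeat, early, late, cmds, dict(bl.blocked)


if __name__ == "__main__":
    print(demo())
```

The refresh-on-repeat behaviour is what makes the TTL useful against the DHCP renewers Warren mentions: a host that keeps coming back keeps its rule, while a one-off probe ages out on its own.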



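Warren also mentions that the remaining piece of Luser is a logtail-style offset reader. The block below is an added example of that pattern (not Luser's code and not logcheck's logtail): it returns only the lines appended since the previous run and remembers its position in a companion `.offset` file. The one-number-per-file `.offset` format is an assumption about what "compatible" would mean here; the sample log line is constructed. Two edge cases a practitioner hits immediately are handled: a file that has shrunk (truncated or rotated) restarts from the beginning, and a partial trailing line is left for the next run instead of being reported half-written.

```python
# Added example: logtail-style incremental log reader.  Not Luser's or
# logcheck's code.  The .offset file format (a single decimal byte offset)
# and the companion-file naming are assumptions.
import os
import shutil
import tempfile


def read_new_lines(log_path, offset_path=None):
    """Return complete lines appended to log_path since the last call."""
    if offset_path is None:
        offset_path = log_path + ".offset"   # assumed naming convention

    offset = 0
    try:
        with open(offset_path) as f:
            offset = int(f.read().strip() or 0)
    except (FileNotFoundError, ValueError):
        offset = 0                           # first run or corrupt offset: start over

    size = os.path.getsize(log_path)
    if offset > size:
        offset = 0                           # file shrank: truncated or rotated, re-read

    with open(log_path, "rb") as f:
        f.seek(offset)
        data = f.read()

    last_nl = data.rfind(b"\n")
    if last_nl == -1:
        lines = []                           # only a partial line so far; wait for more
        new_offset = offset
    else:
        lines = data[:last_nl].decode("utf-8", "replace").split("\n")
        new_offset = offset + last_nl + 1    # resume just after the last full line

    with open(offset_path, "w") as f:
        f.write("%d\n" % new_offset)
    return lines


def demo():
    # Constructed scenario in a temporary directory; the log line is made up.
    workdir = tempfile.mkdtemp()
    try:
        log = os.path.join(workdir, "messages")
        with open(log, "w") as f:
            f.write("Jun 19 23:30:01 host sshd[123]: Failed password for invalid user admin "
                    "from 203.0.113.5 port 4242 ssh2\n")
        first = read_new_lines(log)
        with open(log, "a") as f:
            f.write("second line\nthird line\npartial")
        second = read_new_lines(log)         # reports two lines, holds back "partial"
        with open(log, "a") as f:
            f.write(" line completed\n")
        third = read_new_lines(log)          # the held-back line, now complete
        with open(log, "w") as f:
            f.write("after rotation\n")      # shorter file: offset reset kicks in
        fourth = read_new_lines(log)
        return len(first), second, third, fourth
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

Remembering only a byte offset cannot detect a rotation where the new file is already at least as large as the old offset; later logtail implementations also record the inode to catch that case, which is a natural next addition.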