Logcheck Alert Questions
Ho'ala Greevy
hoala at secretbonus.com
Thu Jun 21 06:40:40 PDT 2001
*or* you could try a pine/samba naming scheme kind of approach:
pine stands for Pine is not Elm while samba was derived by Andrew Tridgell
by searching for possible mutations of the acronym smb-
grep -i 's.*m.*b' /usr/dict/words
so if you combine the two, you could try this-
Luser Is Not Logcheck => grep -i 'l.*i.*n.*l' /usr/dict/words
and you come up with (among the many).... Lionel!
or loincloth. I guess it's up to Warren.
-ho'ala
On Thu, 21 Jun 2001, Ryuhei Yokokawa wrote:
>
> Warren I think that name is kind of sad......
> It sounds like Loser!
>
> So why don't you change the name for that program.
>
> ps: with the book I'm reading, I started learning perl; it's kind of like
> TI-83 BASIC.
>
> >From: "Warren Togami"
> >Reply-To: "Linux & Unix Advocates & Users"
> >To: "Linux & Unix Advocates & Users"
> >Subject: [luau] Re: Logcheck Alert Questions
> >Date: Tue, 19 Jun 2001 20:30:19 -1000
> >
> >I have used portsentry and logcheck for years. With portsentry I don't use
> >the automatic dropping feature because the routing chains can too easily
> >become cluttered on a popular web server. I simply watch the hourly
> >logcheck logs, and manually drop attackers if needed. There is little point
> >in dropping users on known DHCP networks (all dial ups, many DSL and cable
> >modems) because they can simply renew and poke your defenses again. It
> >would be nice if there were an automated system that unblocks blocked
> >addresses several hours later, so that the iptables chains don't become
> >cluttered with useless rules. Only then would I use automatic blocking.
> >
> >Logcheck does a good job, but I thought I could do better. I'm nearly done
> >writing a program that does the same job as logcheck, but with greater
> >configurability and more effective e-mail reports. My group in ICS212 last
> >semester wrote this program for our final project. It is currently written
> >in Java (don't laugh), but I'm porting it to perl or some other real
> >language later.
> >
> >We call it Luser - Log Unix System E-mail Reporter
> >
> >Only thing that needs to be written is the file offset reader portion,
> >similar to Logcheck's logtail. I hope to make it compatible with Logtail's
> >.offset files.
> >
> >One of our group members made up the string matching syntax, but I hope to
> >change it to regexps later.
> >
> >----- Original Message -----
> >From: "Erich S."
> >To: "Linux & Unix Advocates & Users"
> >Sent: Tuesday, June 19, 2001 12:33 PM
> >Subject: [luau] Re: Logcheck Alert Questions
> >
> >
> > > Aloha!
> > >
> > > Thanks Warren! I had a feeling that portsentry might be reacting a bit
> > > quickly with shutting stuff down so quickly. I've already entered in some
> > > trusted machines (hehe good thing I was local to server while
> > > testing, since I managed to get my remote machine blacklisted pretty
> > > quickly while doing an nmap against the box)
> > >
> > > I see also what you mean by the spoofing and blocking issue. Hmmm...
> > >
> > > Thanks again for replying! I really appreciate the fast and informative
> > > answers. For now, I'll leave it as is, and get a feel for what portsentry
> > > is doing...as well as bone up more on my reading.
> > >
> > > BTW, is portsentry pretty common, or does anyone have any favorite tools
> > > for monitoring for folks rattling your Linux cages?
> > >
> > > Aloha,
> > > Erich
> > >
> >
> >
> >---
> >You are currently subscribed to luau as: ryu2z80 at hotmail.com
> >To unsubscribe send a blank email to $subst('Email.Unsub')
>
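The "file offset reader" Warren says is still missing from Luser, as an added example that is not part of this thread or of Luser or Logcheck: a logtail-style incremental reader that remembers where it stopped in an .offset file, hands back only complete lines, and starts over when the log has been rotated (inode changed) or truncated. The two-line inode/offset layout of the .offset file, the tolerance for a bare single-number file, and the sample log lines are all constructed here, not taken from the real logtail.

```python
import os
import tempfile

def read_offset(offset_path):
    """Return (inode, offset) saved by the previous run; (None, 0) on the first run."""
    try:
        with open(offset_path) as f:
            fields = f.read().split()
    except FileNotFoundError:
        return None, 0
    if len(fields) >= 2:                      # "inode\noffset\n" layout written below (assumed)
        return int(fields[0]), int(fields[1])
    return None, (int(fields[0]) if fields else 0)   # bare-offset file: no inode to compare

def logtail(log_path, offset_path=None):
    """Return the complete lines appended to log_path since the last call."""
    offset_path = offset_path or log_path + ".offset"
    st = os.stat(log_path)
    inode, offset = read_offset(offset_path)
    # Rotated (inode changed) or truncated (file shorter than saved offset): re-read from 0
    if (inode is not None and inode != st.st_ino) or offset > st.st_size:
        offset = 0
    with open(log_path, "rb") as f:
        f.seek(offset)
        data = f.read()
    end = data.rfind(b"\n") + 1               # hold back a partial last line for the next run
    with open(offset_path, "w") as f:
        f.write(f"{st.st_ino}\n{offset + end}\n")
    return data[:end].decode("utf-8", "replace").splitlines()

def demo():
    """Constructed walk-through: first read, an append, then a rotation. Returns the three reads."""
    d = tempfile.mkdtemp()
    log = os.path.join(d, "messages")
    with open(log, "w") as f:                 # constructed sample log, last line unfinished
        f.write("Jun 21 06:40:40 host sshd[1]: Failed password for root\n"
                "Jun 21 06:40:41 host portsentry[2]: attackalert: Connect from 192.0.2.10\n"
                "Jun 21 06:40:42 host kernel: partial")
    first = logtail(log)                      # two complete lines; the partial one is held back
    with open(log, "a") as f:
        f.write(" line now complete\n")
    second = logtail(log)                     # only the now-completed third line
    rotated = os.path.join(d, "messages.new")  # simulate logrotate: new inode, fresh content
    with open(rotated, "w") as f:
        f.write("Jun 21 07:00:00 host syslogd: restart\n")
    os.replace(rotated, log)
    third = logtail(log)                      # inode changed, so the new file is read from 0
    return first, second, third
```

Run on a real syslog, `logtail("/var/log/messages")` from an hourly cron job gives exactly the lines that arrived since the previous hour, which is the slice an hourly report like logcheck's needs.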