<html><DIV>
<P>Warren I think that name is kind of sad......<BR>It sounds like <STRONG><FONT size=6>Loser!</FONT></STRONG></P>
<P>So why don't you change the name for that program.<BR></P>
<P>ps: with the book I'm reading I started learning perl it's kind of like ti-83 basic.</P></DIV>
<DIV></DIV>
<DIV></DIV>>From: "Warren Togami" <WARREN@TOGAMI.COM>
<DIV></DIV>>Reply-To: "Linux & Unix Advocates & Users" <LUAU@LIST.LUAU.HI.NET>
<DIV></DIV>>To: "Linux & Unix Advocates & Users" <LUAU@LIST.LUAU.HI.NET>
<DIV></DIV>>Subject: [luau] Re: Logcheck Alert Questions
<DIV></DIV>>Date: Tue, 19 Jun 2001 20:30:19 -1000
<DIV></DIV>>
<DIV></DIV>>I have used portsentry and logcheck for years. With portsentry I don't use
<DIV></DIV>>the automatic dropping feature because the routing chains can too easily
<DIV></DIV>>become cluttered on a popular web server. I simply watch the hourly
<DIV></DIV>>logcheck logs, and manually drop attackers if needed. There is little point
<DIV></DIV>>in dropping users on known DHCP networks (all dial ups, many DSL and cable
<DIV></DIV>>modems) because they can simply renew and poke your defenses again. It
<DIV></DIV>>would be nice if there were an automated system that unblocks blocked
<DIV></DIV>>addresses several hours later, so that the iptables chains don't become
<DIV></DIV>>cluttered with useless rules. Only then I would use automatic blocking.
<DIV></DIV>>
<DIV></DIV>>Logcheck does a good job, but I thought I could do better. I'm nearly done
<DIV></DIV>>writing a program that does the same job as logcheck, but with greater
<DIV></DIV>>configurability and more effective e-mail reports. My group in ICS212 last
<DIV></DIV>>semester wrote this program for our final project. It is currently written
<DIV></DIV>>in Java (don't laugh), but I'm porting it to perl or some other real
<DIV></DIV>>language later.
<DIV></DIV>>
<DIV></DIV>>We call it Luser - Log Unix System E-mail Reporter
<DIV></DIV>>
<DIV></DIV>>Only thing that needs to be written is the file offset reader portion,
<DIV></DIV>>similar to Logcheck's logtail. I hope to make it compatible with Logtail's
<DIV></DIV>>.offset files.
<DIV></DIV>>
<DIV></DIV>>One of our group members made up the string matching syntax, but I hope to
<DIV></DIV>>change it to regexps later.
<DIV></DIV>>
<DIV></DIV>>----- Original Message -----
<DIV></DIV>>From: "Erich S." <SHARKY@WEBSHARX.COM>
<DIV></DIV>>To: "Linux & Unix Advocates & Users" <LUAU@LIST.LUAU.HI.NET>
<DIV></DIV>>Sent: Tuesday, June 19, 2001 12:33 PM
<DIV></DIV>>Subject: [luau] Re: Logcheck Alert Questions
<DIV></DIV>>
<DIV></DIV>>
<DIV></DIV>> > Aloha!
<DIV></DIV>> >
<DIV></DIV>> > Thanks Warren! I had a feeling that portsentry might be reacting a bit
<DIV></DIV>> > quickly with shutting stuff down so quickly. I've already entered in some
<DIV></DIV>> > trusted machines (hehe good thing I was local to server while
<DIV></DIV>> > testing, since I managed to get my remote machine blacklisted pretty
<DIV></DIV>> > quickly while doing an nmap against the box)
<DIV></DIV>> >
<DIV></DIV>> > I see also what you mean by the spoofing and blocking issue. Hmmm...
<DIV></DIV>> >
<DIV></DIV>> > Thanks again for replying! I really appreciate the fast and informative
<DIV></DIV>> > answers. For now, I'll leave it as is, and get a feel for what portsentry
<DIV></DIV>> > is doing...as well as bone up more on my reading.
<DIV></DIV>> >
<DIV></DIV>> > BTW, is portsentry pretty common, or does anyone have any favorite tools
<DIV></DIV>> > for monitoring for folks rattling your Linux cages?
<DIV></DIV>> >
<DIV></DIV>> > Aloha,
<DIV></DIV>> > Erich
<DIV></DIV>> >
<DIV></DIV>>
<DIV></DIV>>
<DIV></DIV>>---
<DIV></DIV>>You are currently subscribed to luau as: ryu2z80@hotmail.com
<DIV></DIV>>To unsubscribe send a blank email to $subst('Email.Unsub')
<DIV></DIV><br clear=all><hr>Get your FREE download of MSN Explorer at <a href="http://explorer.msn.com">http://explorer.msn.com</a><br></p></html>