Hi Togan.
Try to read inside the logcheck.sh file. I don't know where you have this
file on your system, but I have made my own SuSE adapted installation of
logcheck.
In logcheck.sh there you'll find a description of all the files logcheck
uses when 'looking' inside log files.
Kind regards
Per R Laursen
http://www.websecure.dk
http://www.prl.dk
-----Original Message-----
From: Togan Muftuoglu
Hi everyone,
I was getting lots of ftp, finger and pcanywhere probes and I thought of applying some security to my PC. Here is what I have done: closed everything in /etc/inetd.conf; I am using the SuSE firewall script for the dialup connection to the internet. Basically I have closed everything I could think of. Also portsentry is starting with the audp and atcp options.
I have installed the logcheck also and this is the part I need to tweak a little bit.
I only want to get informed when there is a Deny, Reject or Accept situation. If this is possible I need some direction to figure it out
Thanks in advance -- Togan Muftuoglu toganm@turk.net
100% MS FREE Absolutely no component of Microsoft was used in the generation or posting of this e-mail. So it is virus free
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Per R Laursen wrote:
Hi Togan.
Try to read inside the logcheck.sh file. I don't know where you have this file on your system, but I have made my own SuSE adapted installation of logcheck. In logcheck.sh there you'll find a description of all the files logcheck uses when 'looking' inside log files.
Hi everybody,
I also installed logcheck last week.
The best way to adjust the filtering seems to be to do it incrementally, i.e.
- run logcheck
- look at the output and add to the *.ignore files appropriate patterns to remove uninteresting entries, e.g. -- MARK --
- remove the *.offset files and start again.
Continue till happy.
Additionally, you can try logging in with wrong passwords, wrong user, etc. from a different host, to see what it looks like in your logfiles, and check whether logcheck finds those entries. The same goes for portscanning, etc.
Rupert
PS: I am getting lots of probes for anonymous ftp lately, about twice a
week.
--
Rupert Kittinger
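The tuning loop above, as an added example that is not part of the thread and not logcheck's own code: a small Python reimplementation of logcheck's three pattern-file stages (logcheck.hacking, logcheck.violations minus logcheck.violations.ignore, and everything not in logcheck.ignore), run twice over a constructed /var/log/messages sample, once with an empty ignore file and once after the noise from the first pass has been added to it. The pattern sets, including the DENY/REJECT/ACCEPT violations list that matches Togan's request, are assumptions, and the exact grep flags logcheck.sh uses are restated from memory (grep -i -f, i.e. case-insensitive regexes).

```python
"""Added example (not logcheck's own code): a Python restatement of the
logcheck filtering order, used to show how the *.ignore tuning loop works.
The log lines below are constructed, not taken from a real system."""
import re

# Constructed sample of /var/log/messages: a MARK line, an ipchains DENY,
# a quick ftp connect/close, a failed login and an hourly cron entry.
SAMPLE_LOG = """\
Jul 17 10:38:01 baby -- MARK --
Jul 17 10:38:05 baby kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:1234 198.51.100.5:21 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#3)
Jul 17 10:38:09 baby wu.ftpd[9390]: connect from root@192.0.2.10
Jul 17 10:38:10 baby ftpd[9390]: FTP session closed
Jul 17 10:38:12 baby login[512]: FAILED LOGIN 1 FROM 192.0.2.20 FOR rupert, Authentication failure
Jul 17 10:40:01 baby /USR/SBIN/CRON[600]: (root) CMD (run-parts /etc/cron.hourly)
"""


def _compile(patterns):
    # logcheck feeds its pattern files to grep -i -f, so each line is a
    # case-insensitive regex; blank lines are skipped (assumption).
    return [re.compile(p, re.IGNORECASE) for p in patterns if p.strip()]


def _matches(line, regexes):
    return any(r.search(line) for r in regexes)


def logcheck_report(log_text, hacking=(), violations=(), violations_ignore=(), ignore=()):
    """Return the three report sections in logcheck's order of evaluation:
      attacks    - lines matching logcheck.hacking
      violations - lines matching logcheck.violations but not
                   logcheck.violations.ignore
      unusual    - every line NOT matching logcheck.ignore
    A line can appear in more than one section, as it does in logcheck."""
    hack_re, viol_re = _compile(hacking), _compile(violations)
    viol_ign_re, ign_re = _compile(violations_ignore), _compile(ignore)
    report = {"attacks": [], "violations": [], "unusual": []}
    for line in log_text.splitlines():
        if _matches(line, hack_re):
            report["attacks"].append(line)
        if _matches(line, viol_re) and not _matches(line, viol_ign_re):
            report["violations"].append(line)
        if not _matches(line, ign_re):
            report["unusual"].append(line)
    return report


# Assumed violations list: the firewall verdicts Togan asked about, plus
# failed logins so that the wrong-password test from the post shows up.
VIOLATIONS = ["DENY", "REJECT", "ACCEPT", "FAILED LOGIN"]


def first_pass():
    """Step 1 of the loop: run with no ignore patterns and look at the noise."""
    return logcheck_report(SAMPLE_LOG, violations=VIOLATIONS)


def tuned_pass():
    """Step 2: the noise seen in first_pass() goes into logcheck.ignore.
    Patterns are kept specific (PID brackets, exact command text): an
    over-broad pattern such as 'ftpd' would also hide the probe connects."""
    ignore = [
        r"-- MARK --",
        r"/USR/SBIN/CRON\[[0-9]+\]: \(root\) CMD",
        r"ftpd\[[0-9]+\]: FTP session closed",
    ]
    return logcheck_report(SAMPLE_LOG, violations=VIOLATIONS, ignore=ignore)


if __name__ == "__main__":
    for name, rep in (("first pass", first_pass()), ("tuned", tuned_pass())):
        print(f"== {name}: {len(rep['unusual'])} unusual, {len(rep['violations'])} violations")
        for line in rep["unusual"]:
            print("  ", line)
```

After the second pass only the DENY line, the ftp connect and the failed login remain in the "unusual" section, while the two violation hits are unchanged, which is the check to make each time round the loop: an ignore pattern must shrink the unusual section without touching the violations section. Removing the *.offset files, as the post says, is what makes logcheck re-read the whole file instead of only the lines appended since the last run.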
On Mon, Jul 17, 2000 at 10:38 +0200, Rupert Kittinger wrote:
PS: I am getting lots of probes for anonymous ftp lately, about twice a week.
These could be "made" by yourself. There was a thread about this very topic (getting "scanned" from ftp servers), maybe you want to visit the archives.

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
Gerhard Sittig wrote:
On Mon, Jul 17, 2000 at 10:38 +0200, Rupert Kittinger wrote:
PS: I am getting lots of probes for anonymous ftp lately, about twice a week.
These could be "made" by yourself. There was a thread about this very topic (getting "scanned" from ftp servers), maybe you want to visit the archives.
I will look it up. Can anybody give me a hint around which date to look?
Anyway, I do not think that those probes are all false alarms.
I informed the various responsible administrators, and there was one case
where the offending host was found to have been compromised.
Rupert
--
Rupert Kittinger
FTP connections are weird. You get a connection out, and then a connection back in, so if you firewall heavily it might flag it.

As for ftp scans (i.e. people knocking on port 21), that is because WuFTPD, ProFTPD and several other FTP daemons were recently found to have security holes. Our weekly digest covers this stuff: http://www.securityportal.com/topnews/weekly/linux.html

-Kurt
On Tue, Jul 18, 2000 at 10:33 +0200, Rupert Kittinger wrote:
[ ... being "port scanned" when doing massive ftp ... ]
Anyway, I do not think that those probes are all false alarms. I informed the various responsible administrators, and there was one case where the offending host was found to have been compromised.
I only had it once these days, that visiting www.avp2000.com (an antivirus company) will make you repeatedly contacted for SMB services (137/tcp). They don't support mail addresses abuse nor postmaster nor administrator. It seems to fit that they host an NT server for HTTP although they should know better about the platform's vulnerability. But that's completely a different story.

FTP is a somewhat strange protocol. You initially open up a "command channel" and for every transfer (get, put, ls(!)) a new connection parallel to the former gets established. That's when a sequence of cd and ls (as some clients do automatically) can look like a few quick connection attempts from the same source. Some portscan detectors jump in on this(id?).

Detecting portscans is a twofolded(id?) matter in any way. If you set the trigger level too low any normal working sequence looks like an attempt to attack or examine you. But there's still no cure against so-called slow scans. And even if _you_ are "visited" less frequently, scanning a wide address range this way still can be quite efficient (instead of scanning locally restricted ranges in a quick manner).

Regarding the fact that scanning is nothing you can avoid and with a decent filter setup is even something you needn't really be concerned about, you might as well disable your scanning detector and have your filter log unsuccessful contact tries or suspicious packets to a file you can get back to for later reference in case you suspect to be attacked. It depends on the volume of these log entries whether you have them "prepared" for your reading or whether you're reading them "live" for making up your own opinion (see logcheck and friends for this). And carry out the usual steps UNIX offers you to protect yourself against abuse and resource starvation (limit rusage parameters, limit connection rates, etc).
virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
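The two failure modes Gerhard describes (a normal FTP session tripping a connection-count scan detector, and a slow scan never tripping it), as an added example that is not part of the thread and not portsentry's algorithm: a toy per-source detector that fires once a source has hit N distinct destination ports within a short window, fed with constructed inbound-SYN events. In active-mode FTP the server's data connections come back from its port 20 to a fresh client port for every ls or get, so one cd-and-ls session looks exactly like a burst of connection attempts; the second detector drops those by correlating with the control channel the client opened itself. All addresses, ports, timings and the threshold are assumptions.

```python
"""Added example (not from the thread, not portsentry's code): a toy
connection-count scan detector and the two cases from the post where it
misbehaves. Every event below is constructed."""
from collections import defaultdict

# Inbound SYNs as (time_seconds, src_ip, src_port, dst_port) seen by the
# filter on the client side.

# One active-mode FTP session with 198.51.100.5: cd, ls, ls, get. Each data
# transfer is a new connection from the server's port 20 to a new client port.
FTP_SESSION = [
    (10.0, "198.51.100.5", 20, 1025),
    (10.4, "198.51.100.5", 20, 1026),
    (11.1, "198.51.100.5", 20, 1027),
    (11.9, "198.51.100.5", 20, 1028),
]
# Control channels this host opened itself (what a stateful filter tracks).
OUR_OUTBOUND = {("198.51.100.5", 21)}

PROBED_PORTS = (21, 22, 23, 25, 79, 111, 139, 5631)
# A quick scan: eight ports in well under a second.
FAST_SCAN = [(100.0 + i * 0.01, "192.0.2.77", 40000 + i, p) for i, p in enumerate(PROBED_PORTS)]
# A slow scan: the same eight ports, one every ten minutes.
SLOW_SCAN = [(1000.0 + i * 600, "192.0.2.99", 50000 + i, p) for i, p in enumerate(PROBED_PORTS)]


def naive_detector(events, threshold=4, window=5.0):
    """Flag a source once it has hit `threshold` distinct destination ports
    within any `window` seconds. Returns the set of flagged source IPs."""
    history = defaultdict(list)   # src_ip -> [(time, dst_port)] inside the window
    flagged = set()
    for t, src, _sport, dport in sorted(events):
        recent = [(ht, hp) for ht, hp in history[src] if t - ht <= window]
        recent.append((t, dport))
        history[src] = recent
        if len({p for _, p in recent}) >= threshold:
            flagged.add(src)
    return flagged


def ftp_aware_detector(events, outbound, **kw):
    """Same detector, but first drop inbound SYNs from port 20 of a host we
    hold an FTP control channel (its port 21) to: those are our own
    active-mode data channels, not probes."""
    data_channels = lambda e: e[2] == 20 and (e[1], 21) in outbound
    return naive_detector([e for e in events if not data_channels(e)], **kw)


if __name__ == "__main__":
    print("naive, ftp session :", naive_detector(FTP_SESSION))      # false alarm
    print("naive, fast scan   :", naive_detector(FAST_SCAN))
    print("naive, slow scan   :", naive_detector(SLOW_SCAN))        # missed
    print("aware, ftp session :", ftp_aware_detector(FTP_SESSION, OUR_OUTBOUND))
    print("aware, fast scan   :", ftp_aware_detector(FAST_SCAN, OUR_OUTBOUND))
```

Widening the window far enough to catch the ten-minute scan (an hour, say) makes ordinary traffic from a busy peer cross the threshold, which is the trade-off the post describes; and the port-20 exemption trusts the source address, which the filter cannot verify, so it is only worth as much as the rest of the stateful rules around it. Logging the denied packets to a file and reading them with logcheck, as suggested, sidesteps the threshold question altogether.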
On Mon, 17 Jul 2000, Rupert Kittinger wrote:
PS: I am getting lots of probes for anonymous ftp lately, about twice a week.
I am too. From the log...

July 4 11:43:05 baby wu.ftpd[9390]: connect from root@208.51.185.110
July 4 11:43:06 baby ftpd[9390]: FTP session closed
Jul 11 04:51:29 baby wu.ftpd[32405]: connect from cdsl221.eugn.uswest.net
Jul 11 04:51:30 baby ftpd[32405]: FTP session closed
Jul 11 10:29:23 baby wu.ftpd[651] connect from 1Cust187.tnt1.denver.co.uu.net
Jul 11 10:29:29 baby ftpd[651]: FTP session closed
Jul 13 00:00:53 baby wu.ftpd[5783]: connect from root@208.50.68.70
Jul 13 00:00:56 baby ftpd[5783]: FTP session closed

I look for the attempted connects from root@XXX.XXX.XXX.XXX that only last a second or so. They look like probes, although noisy. They are not all from the same IP either. I keep track of the IPs.. just in case.. mostly I ignore them.

Regards,
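The probe signature in the post above (a wu.ftpd connect followed by "FTP session closed" a second later), as an added example that is not part of the thread: pair the two log lines by PID, compute the session length, and keep a per-host count of the short ones. The log lines are constructed in the same format as the quoted ones (with documentation addresses instead of the real ones); the year is an assumption, since syslog does not record it, and the three-second cut-off is a guess at what "a second or so" should catch.

```python
"""Added example (not from the thread): pair wu.ftpd 'connect from' and
'FTP session closed' lines by PID and flag the connect-and-drop sessions
described in the post. The lines below are constructed."""
import re
from datetime import datetime

SAMPLE = """\
Jul  4 11:43:05 baby wu.ftpd[9390]: connect from root@203.0.113.10
Jul  4 11:43:06 baby ftpd[9390]: FTP session closed
Jul 11 04:51:29 baby wu.ftpd[32405]: connect from dsl-example.net
Jul 11 04:51:30 baby ftpd[32405]: FTP session closed
Jul 11 10:29:23 baby wu.ftpd[651]: connect from dialup.example.net
Jul 11 10:29:29 baby ftpd[651]: FTP session closed
Jul 12 09:15:00 baby wu.ftpd[700]: connect from mirror.example.org
Jul 12 09:21:44 baby ftpd[700]: FTP session closed
Jul 13 00:00:53 baby wu.ftpd[5783]: connect from root@203.0.113.20
"""

# 'user@' before the host is the remote ident (RFC 1413) answer, if any.
CONNECT = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ wu\.ftpd\[(\d+)\]: connect from (?:(\S+)@)?(\S+)$")
CLOSE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ftpd\[(\d+)\]: FTP session closed$")


def _ts(text, year=2000):
    # syslog timestamps carry no year; the year is an assumption here.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def pair_sessions(log_text, year=2000):
    """Pair each 'connect from' with the 'FTP session closed' of the same PID.
    Returns (closed, still_open): closed as (host, ident, seconds), still_open
    as (host, ident). PIDs get reused over time, so a close line is matched
    against the most recent connect with that PID."""
    pending = {}   # pid -> (start, ident, host)
    closed = []
    for line in log_text.splitlines():
        m = CONNECT.match(line)
        if m:
            pending[m.group(2)] = (_ts(m.group(1), year), m.group(3), m.group(4))
            continue
        m = CLOSE.match(line)
        if m and m.group(2) in pending:
            start, ident, host = pending.pop(m.group(2))
            seconds = (_ts(m.group(1), year) - start).total_seconds()
            closed.append((host, ident, seconds))
    still_open = [(host, ident) for _, ident, host in pending.values()]
    return closed, still_open


def short_sessions(log_text, max_seconds=3):
    """The probe signature from the post: connect, then close within a few seconds."""
    closed, _ = pair_sessions(log_text)
    return [s for s in closed if s[2] <= max_seconds]


def probe_counts(log_text, max_seconds=3):
    """Short sessions per host, for keeping track of repeat visitors."""
    counts = {}
    for host, _ident, _secs in short_sessions(log_text, max_seconds):
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for host, ident, secs in short_sessions(SAMPLE):
        print(f"{secs:4.0f}s  {ident or '-':>8}@{host}")
    print("still open:", pair_sessions(SAMPLE)[1])
```

The "root@" prefix is only what the probing host's ident daemon chose to answer, so it says something about the tool or its operator's habits, not about a verified account; the duration and the repetition across hosts are the more useful signals. A connect with no matching close, like the last line of the sample, is either still in progress or a daemon that died, and is worth listing separately rather than silently dropped.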
Participants (5):
- Gerhard Sittig
- Kurt Seifried
- Per R Laursen
- Rupert Kittinger
- S.T.Ryder