On 04/03/2021 13.42, Per Jessen wrote:
> Carlos E. R. wrote:
>> On 04/03/2021 10.53, Per Jessen wrote:
>>> Carlos E.R. wrote:
>>>> A tool that would collect the failed connection attempts, then would automatically search for those IPs in the logs, would be nice. Cross referencing.
>>> I don't think I quite understand. Finding the failed connection attempts and the origin IP-addresses is easy, but which logs do you then want to search?
>> /var/log/messages, for instance. Locate any other occurrence of the same IP, possibly in a time range, to find out if that IP also tried to connect to something else. If you have running services that use other logs, like apache, then read those, too.
> Oh okay. I guess it might be worth a try, it's easily done if you load the extracted data into a database.

Several syslog tools directly support databases. Maybe it is possible to log to a database any entry that contains an IP address. A later process would purge from the database those entries that have no interest, and the filter would be refined.

>> If the machine is external, not NATted like mine, it will receive scans directly. Thus, suppose you get a failed connect attempt at some service. The tool registers that IP, and finds out that he is trying other services at one hour intervals. Well, the tool would then detect slow scans.
> Well, the analysis already does, but after the fact. I don't know what other services might be open to an attack though.

Yes, of course, after the fact. At best, some hours later.

-- 
Cheers / Saludos,
Carlos E. R.
(from 15.2 x86_64 at Telcontar)
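The cross-referencing tool sketched in this thread (collect the source IPs behind failed connection attempts, look for the same IPs in /var/log/messages and in service logs such as apache's, and flag addresses that probe several services spread over hours) as an added Python example; it is not code from the thread or from any tool the participants use. The log lines are constructed samples in syslog and Apache access-log style, the "failed attempt" patterns are illustrative, and the thresholds (two distinct services, at least one hour between first and last sighting) are assumptions chosen for the example, not values from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed /var/log/messages-style sample (not taken from the thread).
MESSAGES = """\
2021-03-04T01:02:11 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2021-03-04T02:05:40 host postfix/smtpd[2210]: lost connection after CONNECT from unknown[203.0.113.7]
2021-03-04T03:10:02 host sshd[1310]: Accepted publickey for alice from 198.51.100.4 port 40111 ssh2
2021-03-04T03:11:55 host vsftpd[3001]: FAIL LOGIN: Client "203.0.113.7"
2021-03-04T04:20:00 host sshd[1401]: Failed password for root from 192.0.2.9 port 43000 ssh2
"""

# Constructed Apache access-log sample: a service that keeps its own log file.
APACHE = """\
203.0.113.7 - - [04/Mar/2021:04:15:30 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
198.51.100.4 - - [04/Mar/2021:04:16:02 +0000] "GET /index.html HTTP/1.1" 200 1043
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
MSG_LINE = re.compile(r"^(\S+) \S+ ([\w/.-]+)\[\d+\]: (.*)$")
APACHE_LINE = re.compile(r'^(\S+) \S+ \S+ \[(\S+) [^\]]*\] "([^"]*)"')
# Illustrative markers of a failed connection or login; extend per service.
FAILED = re.compile(r"Failed password|FAIL LOGIN|lost connection after CONNECT")


def parse_messages(text):
    """Return (timestamp, service, ip, line) for every syslog line carrying an IPv4 address."""
    events = []
    for line in text.splitlines():
        m = MSG_LINE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        for ip in IPV4.findall(line):
            events.append((ts, m.group(2), ip, line))
    return events


def parse_apache(text):
    """Same event shape for an Apache access log; the client IP is the first field."""
    events = []
    for line in text.splitlines():
        m = APACHE_LINE.match(line)
        if not m:
            continue
        # Zone offset dropped so the timestamp compares with the naive syslog ones.
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
        events.append((ts, "apache", m.group(1), line))
    return events


def failed_ips(events):
    """Step 1: source addresses behind failed attempts in the syslog events."""
    return {ip for _, _, ip, line in events if FAILED.search(line)}


def cross_reference(events, ips):
    """Step 2: every sighting of those addresses across all logs, in time order."""
    hits = defaultdict(list)
    for ts, service, ip, _ in events:
        if ip in ips:
            hits[ip].append((ts, service))
    for ip in hits:
        hits[ip].sort()
    return dict(hits)


def slow_scans(hits, min_services=2, min_span=timedelta(hours=1)):
    """Step 3: addresses that touched several services over a long stretch of time."""
    flagged = []
    for ip, sightings in hits.items():
        services = {s for _, s in sightings}
        span = sightings[-1][0] - sightings[0][0]
        if len(services) >= min_services and span >= min_span:
            flagged.append(ip)
    return sorted(flagged)


def analyse(messages_text, apache_text):
    """Run the three steps; returns (sightings per flagged IP, suspected slow scanners)."""
    syslog_events = parse_messages(messages_text)
    all_events = syslog_events + parse_apache(apache_text)
    hits = cross_reference(all_events, failed_ips(syslog_events))
    return hits, slow_scans(hits)


if __name__ == "__main__":
    hits, flagged = analyse(MESSAGES, APACHE)
    for ip, sightings in hits.items():
        print(ip, "->", ", ".join(f"{s}@{t:%H:%M}" for t, s in sightings))
    print("possible slow scans:", flagged)
```

On the sample data the address 203.0.113.7 fails against sshd, then turns up at postfix, vsftpd and apache over roughly three hours and is flagged, while 192.0.2.9 (one failed sshd attempt, nothing else) and 198.51.100.4 (a successful login only) are not. Feeding the same events into a database table keyed by IP and timestamp, as the thread suggests, would let the second and third steps run as queries instead of in-memory loops.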