Carlos E. R. wrote:
> On 04/03/2021 10.53, Per Jessen wrote:
>> Carlos E.R. wrote:
>>> A tool that would collect the failed connection attempts, then would automatically search for those IPs in the logs, would be nice. Cross-referencing.
>> I don't think I quite understand. Finding the failed connection attempts and the origin IP addresses is easy, but which logs do you then want to search?
> /var/log/messages, for instance. Locate any other occurrence of the same IP, possibly in a time range, to find out if that IP tried to connect to something else. If you have running services that use other logs, like apache, then read those, too.
>> Oh okay. I guess it might be worth a try; it's easily done if you load the extracted data into a database.
> If the machine is external, not NATted like mine, it will receive scans directly. Thus, suppose you get a failed connect attempt at some service. The tool registers that IP, and finds out that he is trying other services at one hour intervals. Well, the tool would then detect slow scans.
Well, the analysis already does, but after the fact. I don't know what other services might be open to an attack though.

--
Per Jessen, Zürich (13.2°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
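The three steps Carlos sketches (register the source IPs of failed attempts, look those IPs up across every log within a time range, flag the ones that touch one service after another at long intervals) as an added example in Python; this is not code from the thread or from any project, and nothing here was run against a real machine. The log lines are constructed sample data using RFC 5737 documentation addresses, the year is assumed because syslog timestamps carry none, and the failure markers, service names and the 30-minute "slow" threshold are assumptions a practitioner would tune to their own hosts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample log lines (not taken from the thread). Source IPs are
# documentation ranges (RFC 5737). Syslog lines carry no year, so one is assumed.
YEAR = 2021

MESSAGES = """\
Mar  4 01:00:11 host sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  4 01:00:12 host sshd[2301]: Connection closed by invalid user admin 203.0.113.7 port 51234 [preauth]
Mar  4 02:02:40 host postfix/smtpd[2410]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar  4 02:30:05 host sshd[2512]: Failed password for root from 198.51.100.23 port 40010 ssh2
Mar  4 02:30:07 host sshd[2512]: Failed password for root from 198.51.100.23 port 40010 ssh2
Mar  4 02:30:09 host sshd[2512]: Failed password for root from 198.51.100.23 port 40010 ssh2
Mar  4 02:30:11 host sshd[2512]: Failed password for root from 198.51.100.23 port 40010 ssh2
Mar  4 04:10:33 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Mar  4 04:15:00 host sshd[2600]: Accepted publickey for per from 192.0.2.44 port 5555 ssh2
"""

APACHE_ACCESS = """\
203.0.113.7 - - [04/Mar/2021:03:05:12 +0100] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.44 - - [04/Mar/2021:03:20:00 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

class Event(NamedTuple):
    ts: datetime
    ip: str
    service: str   # sshd, postfix, dovecot, apache, ...
    failed: bool   # True if the line records a failed connection/auth attempt
    source: str    # which log the line came from

SYSLOG_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ '
                       r'(?P<prog>[\w/.-]+)(?:\[\d+\])?: (?P<msg>.*)$')
APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3})')
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
# Assumed failure markers; extend per service you actually run.
FAILURE_RE = re.compile(r'failed password|authentication failed|auth failed|invalid user', re.I)

def parse_messages(text, year=YEAR):
    """Turn /var/log/messages-style lines into Events; lines without an IP are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        ip = IPV4_RE.search(m['msg']) if m else None
        if not ip:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, ip.group(), m['prog'].split('/')[0],
                            bool(FAILURE_RE.search(m['msg'])), 'messages'))
    return events

def parse_apache(text):
    """Combined-format access log; any 4xx/5xx counts as a failed attempt (assumption)."""
    events = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        # Offset dropped: the sample assumes apache and syslog share local time.
        ts = datetime.strptime(m['ts'].split()[0], "%d/%b/%Y:%H:%M:%S")
        events.append(Event(ts, m['ip'], 'apache', int(m['status']) >= 400, 'access_log'))
    return events

def failed_source_ips(events):
    """Step 1: register every address that produced a failed attempt anywhere."""
    return {e.ip for e in events if e.failed}

def cross_reference(events, ips, window=timedelta(hours=6)):
    """Step 2: for each registered IP, every line it appears in, from any log,
    within `window` of its first failure."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.ip in ips:
            by_ip[e.ip].append(e)
    report = {}
    for ip, evs in by_ip.items():
        fails = [e.ts for e in evs if e.failed]
        if not fails:
            continue
        first_fail = min(fails)
        report[ip] = [e for e in evs if abs(e.ts - first_fail) <= window]
    return report

def slow_scans(events, ips, min_services=3, min_gap=timedelta(minutes=30)):
    """Step 3: registered IPs that touched >= min_services distinct services, each new
    service first seen at least min_gap after the previous one. A rapid brute force
    against a single service does not qualify; a one-service-per-hour probe does."""
    first_seen = {}
    for e in events:
        if e.ip in ips:
            key = (e.ip, e.service)
            first_seen[key] = min(first_seen.get(key, e.ts), e.ts)
    per_ip = defaultdict(list)
    for (ip, service), ts in first_seen.items():
        per_ip[ip].append((service, ts))
    scans = {}
    for ip, hits in per_ip.items():
        hits.sort(key=lambda h: h[1])
        gaps = [later[1] - earlier[1] for earlier, later in zip(hits, hits[1:])]
        if len(hits) >= min_services and all(g >= min_gap for g in gaps):
            scans[ip] = hits
    return scans

def all_events():
    return parse_messages(MESSAGES) + parse_apache(APACHE_ACCESS)

if __name__ == '__main__':
    events = all_events()
    ips = failed_source_ips(events)
    for ip, evs in cross_reference(events, ips).items():
        print(f"{ip}: {len(evs)} lines across {sorted({e.source for e in evs})}")
    for ip, hits in slow_scans(events, ips).items():
        print(f"slow scan from {ip}: " + ", ".join(f"{s}@{t:%H:%M}" for s, t in hits))
```

On the sample data, 198.51.100.23 is registered because of its four failed ssh logins but never appears outside sshd, so it is reported by the cross-reference and not as a slow scan; 203.0.113.7 fails at sshd, then shows up in postfix, apache and dovecot roughly an hour apart, which is exactly the pattern step 3 is meant to surface. A real deployment would feed the parsed events into a database as Per suggests, so the cross-reference becomes a query rather than an in-memory dictionary.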