Mailinglist Archive: opensuse-security (260 mails)

Re: [suse-security] Portsentry and logcheck
  • From: Rupert Kittinger <kittinger@xxxxxxxxxxxxxxxxxxxxxx>
  • Date: Mon, 17 Jul 2000 10:38:27 +0200
  • Message-id: <3972C603.749A9DFA@xxxxxxxxxxxxxxxxxxxxxx>
Per R Laursen wrote:
>
> Hi Togan.
>
> Try to read inside the logcheck.sh file. I don't know where you have this
> file on your system, but I have made my own SuSE adapted installation of
> logcheck.
> In logcheck.sh there you'll find a description of all the files logcheck
> uses when 'looking' inside log files.
>

Hi everybody,

I also installed logcheck last week.
The best way to adjust the filtering seems to be to do it incrementally, i.e.

- run logcheck
- look at the output and add appropriate patterns to the *.ignore files
  to remove uninteresting entries, e.g. -- MARK --
- remove the *.offset files and start again.

continue till happy.

Additionally, you can try logging in with wrong passwords, wrong user,
etc. from a different host, to see what it looks like in your logfiles, and
check whether logcheck finds those entries. The same goes for
portscanning, etc.

Rupert

PS: I am getting lots of probes for anonymous ftp lately, about twice a
week.

--
Rupert Kittinger <kittinger@xxxxxxxxxxxxxxxxxxxxxx>
Department of Mechanics and Mechanisms
Graz University of Technology
Kopernikusgasse 24/III A-8010 Graz
pgp-keyID: EB7E995C; get public key from
http://www.openpgp.net/pgpsrv.html

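The tuning loop described in the mail (run, add ignore patterns, delete the offset files, run again), as an added example that is not part of the original message or of the logcheck project. It mimics logcheck's approach of dropping every new log line that matches a pattern in an ignore file with `grep -E -v -f`; the offset is simplified to a line count kept in a file (logcheck's logtail tracks a byte offset), and all log lines and file names are constructed sample data.

```shell
#!/bin/sh
# Added example: a minimal logcheck-style filter pass to show how the
# *.ignore patterns and the *.offset file interact while tuning.
# Sample log lines below are constructed, not taken from a real system.

LOGFILE="${TMPDIR:-/tmp}/sample-messages.$$"
IGNORE="${TMPDIR:-/tmp}/sample.ignore.$$"      # stands in for an *.ignore file
OFFSET="${TMPDIR:-/tmp}/sample.offset.$$"      # stands in for an *.offset file

write_sample_log() {
    cat > "$LOGFILE" <<'EOF'
Jul 17 10:00:01 host -- MARK --
Jul 17 10:05:12 host sshd[1234]: Failed password for invalid user test from 192.0.2.10 port 40212 ssh2
Jul 17 10:06:00 host in.ftpd[1300]: ANONYMOUS FTP LOGIN REFUSED FROM 198.51.100.7
Jul 17 10:20:01 host -- MARK --
Jul 17 10:21:44 host portsentry[900]: attackalert: Connect from host: 203.0.113.5/203.0.113.5 to TCP port: 143
EOF
}

reset_state() { write_sample_log; : > "$IGNORE"; rm -f "$OFFSET"; }
add_ignore_pattern() { printf '%s\n' "$1" >> "$IGNORE"; }   # extended regex, one per line
forget_offset() { rm -f "$OFFSET"; }                          # "remove the *.offset files"

# One logcheck-style pass: read only the lines appended since the last
# run (recorded in the offset file), then drop lines matching any ignore
# pattern. Prints the lines that would end up in the report.
logcheck_pass() {
    prev=0
    if [ -f "$OFFSET" ]; then prev=$(cat "$OFFSET"); fi
    total=$(wc -l < "$LOGFILE" | tr -d ' ')
    printf '%s\n' "$total" > "$OFFSET"
    tail -n +"$((prev + 1))" "$LOGFILE" | {
        if [ -s "$IGNORE" ]; then grep -E -v -f "$IGNORE"; else cat; fi
    } || true   # grep exits 1 when every line was filtered; that is not an error here
}

count_unfiltered() { logcheck_pass | wc -l | tr -d ' '; }

demo() {
    reset_state
    echo "pass 1 (no ignore patterns): $(count_unfiltered) lines reported"
    add_ignore_pattern -- '-- MARK --$'
    echo "pass 2 (pattern added, offset kept): $(count_unfiltered) lines reported"
    forget_offset
    echo "pass 3 (offset removed): $(count_unfiltered) lines reported"
    forget_offset
    echo "--- report after tuning ---"
    logcheck_pass
    rm -f "$LOGFILE" "$IGNORE" "$OFFSET"
}

demo
```

Pass 2 shows why the mail says to delete the offset files: with the offset left in place, nothing new has arrived since pass 1, so the freshly added pattern is never exercised against the lines you were trying to silence. Only the events worth a look (the failed ssh login, the refused anonymous ftp attempt and the portsentry alert) survive pass 3.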