Mailinglist Archive: opensuse-security (601 mails)

Re: [suse-security] /var/log/{messages,firewall,warn}
  • From: Steffen Dettmer <steffen@xxxxxxx>
  • Date: Tue, 1 Aug 2000 22:27:49 +0200
  • Message-id: <20000801222749.F4610@xxxxxxxxx>
* Jason P. Stanford wrote on Tue, Aug 01, 2000 at 11:35 -0700:
> especially due to web traffic to the machine (a lot of
> ALLOW's). Can I change a config to prevent firewall from making
> duplicate entries to /var/log/messages?

That's not possible (at least with ipchains). You should check
your configuration and environment; it's bad if you get lots of
prohibited connection attempts. You have to reduce it, otherwise
your logging makes no sense, since you will never be able to read
the logs!

If you have "expected" denies, insert a rule that rejects/denies
those packets without logging.

> Also, scanlogd does not seem to log any scannings except for those from
> localhost (127.0.0.1).

Here it works...

> I've been playing with it, and running nmap on another
> machine on my local subnet, but these scans (not in any "stealth" mode) never

scanlogd should detect stealth mode scans.

> get logged and scanlogd is most definitely running. I don't see any config
> files for scanlogd,

There isn't a config file. Some tunables you can modify at
compile-time. scanlogd uses some #defines in some include files
(look at the source for docu :)).

If you need a more complex and advanced IDS tool, you may take
a look at snort (www.snort.org), which is highly configurable.

oki,

Steffen

--
This message was generated by machine,
so it bears neither signature nor seal.
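An added example, not part of Steffen's post, for the advice above about finding the "expected" denies that flood /var/log/messages and silencing them with an unlogged rule. It assumes the ipchains 2.2 kernel "Packet log:" line format and uses a constructed sample log; the helper names are my own.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages lines (ipchains "Packet log:" format).
SAMPLE_LOG = """\
Aug  1 21:02:11 host kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.7:137 10.0.0.1:137 L=78 S=0x00 I=3 F=0x0000 T=128 (#4)
Aug  1 21:02:12 host kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.9:137 10.0.0.1:137 L=78 S=0x00 I=5 F=0x0000 T=128 (#4)
Aug  1 21:02:13 host kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.7:138 10.0.0.1:138 L=78 S=0x00 I=7 F=0x0000 T=128 (#4)
Aug  1 21:02:20 host kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.10:3412 10.0.0.1:80 L=60 S=0x00 I=9 F=0x4000 T=54 SYN (#2)
Aug  1 21:02:21 host kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.11:3301 10.0.0.1:80 L=60 S=0x00 I=11 F=0x4000 T=54 SYN (#2)
Aug  1 21:02:30 host kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.5:41000 10.0.0.1:23 L=44 S=0x00 I=13 F=0x4000 T=48 SYN (#4)
Aug  1 21:02:31 host sshd[123]: Accepted password for alice from 10.0.0.3
"""

# chain, target, interface, protocol number, src:sport, dst:dport
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def summarize(log_text):
    """Count packet-log lines per (chain, action, iface, proto, dport); other lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            key = (m["chain"], m["action"], m["iface"], int(m["proto"]), int(m["dport"]))
            counts[key] += 1
    return counts

def suggest_silence_rules(counts, min_hits=2):
    """For DENY groups seen at least min_hits times, build an ipchains rule that denies
    the same traffic WITHOUT the -l (log) flag. -I inserts it at the top of the chain so it
    matches before the logging catch-all; review each suggestion before applying it."""
    proto_name = {1: "icmp", 6: "tcp", 17: "udp"}
    rules = []
    for (chain, action, iface, proto, dport), n in counts.most_common():
        if action == "DENY" and n >= min_hits:
            rules.append(f"ipchains -I {chain} -i {iface} -p {proto_name.get(proto, proto)} "
                         f"-d 0/0 {dport} -j DENY   # {n} logged hits; no -l, so unlogged")
    return rules

if __name__ == "__main__":
    print("\n".join(suggest_silence_rules(summarize(SAMPLE_LOG))))
```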
