Thanks Mike for your last seminar on security tools and utilities! For those of you on the list who don't go to the Saturday seminars, I strongly encourage it. What could be better for your Linux growth than free education from Linux system administrators, and people who use it every day?!? Go to the seminars!!

Seth will be talking about email security and filtering on the 21st! This is applicable to the home user, using fetchmail and a client (MUA) such as mutt. Or to a business network to filter out unwanted junk. Or to the home user unsatisfied with Netscape mail, or some other mail client; one may wish to use a mail agent that will allow mail filtering. The "why" and "how" of filtering and security is what Seth will talk about!

One of the tools I've implemented from Mike's lecture is Logcheck (www.psionic.com). Sweet tool: it emails you the highlights of your logs. It took me a few weeks to fine tune it (not configure, but fine tune). Now it tells me such things that are dangerous to my servers, and doesn't tell me that there are problems with other people's DNS servers (No possible A RRs, or A RRs are lame), and I don't need to connect to the servers to look through the log files.

Here's something that came up recently; I thought some of you may appreciate it:

----- Forwarded message from root <[EMAIL PROTECTED]> -----

To: [EMAIL PROTECTED]
Subject: www 04/07/01:03.02 system check
From: root <[EMAIL PROTECTED]>
Date: Sat, 07 Apr 2001 03:02:07 -0700

Security Violations
=-=-=-=-=-=-=-=-=-=
[Sat Apr 7 02:05:02 2001] [error] [client 207.175.129.160] File does not exist: /var/www/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe

----- End forwarded message -----

This came from my webserver. What does it say? Some poor soul connected to my web server (probably with a telnet client), and issued a request for a webpage, hoping that the webserver would crash, and run the program cmd.exe. Luckily, I don't have cmd.exe on my Linux web server! ;)

Still, what did I do in response?

- nslookup the IP address to see if it resolves. (This one doesn't.) The domain name may be a DSL or other dialup line, which may be a dead end. However, it may be a business network that always has the same IP, and is thus traceable.
- ping the IP to see if it's up.
- Possibly scan the IP with nmap. (This one returned a bunch of open ports, which tells me it's probably running PortSentry (www.psionic.com), which tells me that a) it's a Unix variant, and b) it may be the computer of one who does regular crack attempts.)
- Contact the internet provider. Since the IP address didn't resolve, I ran tracepath or traceroute to find the IP address and domain name of the upstream provider. In this case it was bbnplanet.net. In another case, the IP address may resolve. If so, I would then contact the administrator of that company.
- whois bbnplanet.net. Reveals admin/tech contacts as [EMAIL PROTECTED]
- Send an email to [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] saying: "This showed up in my log files <example>, a definite crack attempt from your customer or user. Please acknowledge that disciplinary action will be taken."
- Move on.

If it had been a more persistent or ongoing attack, I would be more persistent with BBN Planet, or even their upstream provider (Sprint), and other authorities, depending on the extent. In fact, bbnplanet does have an abuse@..., and I received an open ticket from them. On their website, they have a security notice saying, "if you are experiencing an ongoing attack or DOS, call us at 1-888..."

Thanks again Mike!

Cory
