On Sun, Mar 04, 2001 at 12:30:35PM -0500, Buddy Lee Haystack wrote:
> It may be an attempt at revenge. And all of this happened just days after
> both of my systems denied packets coming into my router from the Internet
> with an address of "10.0.211.58" which even I know enough to block & log,
> and I'm not a security professional.
Well, if you see those packets either it is time to switch your ISP -or-
check your configuration. If you wouldn't mind, you should send a description
of your network layout and your filtering rules, so we can sort that out.
> Do you security professionals have a statistical program of some sort to
> cull through the log files to tag the most probable real source IP
> addresses? I had to process mine through a perl script, and import them
> into a PostgreSQL database to play with them using SQL commands I typed at
> the keyboard, which was very time consuming & inefficient - I can't type
> worth spit.
I'm using the stat program which is shipped with fwctl, you can also use
professional webtrends diag programs or write your scripts yourself. I'm
also using a reporter which is shipped with snort for IDS, but this is
running only in the DMZ so I don't get all that denied stuff.
I think on my page http://www.freefire.org/ are a few tools for that.
BTW: I consider it generally a bad idea to blackhole "cracker" IPs or
"cracker" countries. This gives you a very false sense of security. Crackers
can use hosts from nearly all networks all over the world, and you usually
have those attacks coming from everywhere. Some more active "scanners" like
@Home network are not really a security threat as long as your system is
configured tight and recent. (If it is not, don't worry about blocking,
repair your systems!)
Greetings
Bernd
--
(OO) -- [EMAIL PROTECTED] --
( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
(O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
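As an added illustration of the two points raised in this exchange (ranking denied-packet sources from a firewall log, and separating out packets that carry a private source address like 10.0.211.58, which should never arrive from the Internet and point at an ISP or configuration problem rather than at an attacker), here is a small Python script. It is not from the original post, fwctl, or snort; the log lines are constructed in iptables/netfilter syslog style, and the field names and the DENY/ACCEPT actions are assumptions about the log format.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log lines (iptables-style syslog output; not from the post).
SAMPLE_LOG = """\
Mar  4 11:02:13 gw kernel: DENY IN=ppp0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=3121 DPT=111
Mar  4 11:02:14 gw kernel: DENY IN=ppp0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=3122 DPT=139
Mar  4 11:02:15 gw kernel: DENY IN=ppp0 OUT= SRC=10.0.211.58 DST=198.51.100.7 PROTO=UDP SPT=1029 DPT=53
Mar  4 11:02:16 gw kernel: DENY IN=ppp0 OUT= SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP SPT=4444 DPT=21
Mar  4 11:02:17 gw kernel: DENY IN=ppp0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=3123 DPT=445
Mar  4 11:02:18 gw kernel: DENY IN=ppp0 OUT= SRC=10.0.211.58 DST=198.51.100.7 PROTO=UDP SPT=1030 DPT=53
Mar  4 11:02:19 gw kernel: ACCEPT IN=ppp0 OUT= SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP SPT=4445 DPT=80
"""

# Assumed record layout: "<action> IN=<iface> ... SRC=<ip> ... DPT=<port>".
LINE_RE = re.compile(
    r"kernel: (?P<action>\w+) IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)

# Source ranges that cannot legitimately arrive on an Internet-facing interface.
# Seeing them means spoofing, a leaking upstream network, or a local misconfiguration.
BOGON_NETS = [
    ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")
]


def parse_denies(text):
    """Yield (source_ip, destination_port) for every DENY record in the log text."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("action") == "DENY":
            yield m.group("src"), int(m.group("dpt"))


def is_bogon(src):
    """True if src is unparseable or falls in a range that should never come from outside."""
    try:
        addr = ip_address(src)
    except ValueError:
        return True
    return any(addr in net for net in BOGON_NETS)


def summarize(text, top=5):
    """Rank denied sources by hit count, with the set of ports each one touched.

    Returns (top_talkers, bogons):
      top_talkers: list of (src, deny_count, sorted_ports) for routable sources
      bogons:      dict of src -> deny_count for private/reserved sources,
                   kept apart because they are a configuration question, not a "who".
    """
    counts = Counter()
    ports = {}
    bogons = Counter()
    for src, dpt in parse_denies(text):
        if is_bogon(src):
            bogons[src] += 1
            continue
        counts[src] += 1
        ports.setdefault(src, set()).add(dpt)
    top_talkers = [(src, n, sorted(ports[src])) for src, n in counts.most_common(top)]
    return top_talkers, dict(bogons)


if __name__ == "__main__":
    talkers, bogons = summarize(SAMPLE_LOG)
    print("Top denied sources (count, ports):")
    for src, n, plist in talkers:
        print(f"  {src:16} {n:4}  {plist}")
    print("Private/reserved sources seen on the outside interface (check ISP/config):")
    for src, n in bogons.items():
        print(f"  {src:16} {n:4}")
```

Pointing the script at a real log (`summarize(open("/var/log/messages").read())`) gives the same two lists: the ranked table answers the "most probable real source" question from the post, and the bogon list isolates packets like the 10.0.211.58 ones so they can be taken up with the ISP instead of being treated as an attacker to blackhole.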