Questions like yours are almost impossible to answer. The reasons:

1. You are not sure about the destination ports involved.

2. You don't report the source ports involved.

3. You include cryptic references to system behavior you do not describe ("Discounting PC crash and power cuts", whatever that means ... are you saying these things happened coincident with the troublesome traffic? or that they did not happen?).

With those disclaimers understood ...

A. Whether the logs indicate an attack or not, they do not suggest a *successful* attack. Unless, of course, you saw system or connectivity failures that you did not tell us about.

B. Port scans are commonplace on the Internet. Personally, I can't be bothered dealing with them, beyond having a good firewall and secure service daemons in place. If you use LaBrea, do you really intend to spend time reviewing its results regularly?

C. For security updates, you are pretty much dependent on Jacques keeping Bering up to date, unless you want to install your own Bering development system (there are Bering docs about this on the LEAF site) and recompile apps yourself. (If you do, be sure to pass them on to Jacques, since there is no point in duplicating this effort.)

D. Bering's logging behavior is pretty standard for Unix/Linux, controlled by /etc/syslog.conf. To reduce or remove duplicate logging, edit it (then back up etc.lrp). You can also modify what packets are logged at all through Shorewall, but a Shorewall user (rather than me) is going to have to supply the details.


At 12:12 PM 2/11/03 +0000, James Neave wrote:
Hi,

In the last few days I have had some arseholes beating on my Bering box,
sending 1000s of UDP packets at one port and such like.
It filled the logs, but that was it. Then I blacklisted the IPs.

A few questions about this.
------------------------------
The denied packets were logged in messages, syslog and a third log that
I forget the name of, the Daemon log I think.
It ran out of space at 2500 denied messages.

How can I make it only log to one of these files to save space?

They beat on port 39967 (not *entirely* sure about that number), is that
significant? Or was it just a failed DoS attack?
------------------------------
Something strange happened this morning.
Last night a dozen IPs sent 360 odd packets to another port, round about
13300, but this morning the log was back down to 9 packets. This only
*might* have been an attack. It could have something to do with me
resuming my use of ICQ.

Discounting PC crash and power cuts, could this be a sign of a
successful attack? My PC is on at home right now and I'm a little
worried. There is NO remote access to the firewall with no sshd or
telnetd running.

I have a couple of non-standard ports forwarded to my local IP, but so
far nobody has scanned all my ports, just 2, possibly 3 occurrences of
people beating on the 'wall.
------------------------------
How can I keep my firewall up to date with the latest security fixes?
------------------------------
I'm going to install LaBrea when I get home, a good idea, yes? Will it
work on 2.4 kernels?
------------------------------

Argh, now I'm sitting at work panicking....



--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski					-- Han Solo
Palo Alto, California, USA			  [EMAIL PROTECTED]
-------------------------------------------------------------------------------
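An added illustration of Ray's point D (not from the original thread): a constructed sysklogd-style /etc/syslog.conf in the Debian layout, assuming Bering's syslogd honours that format. Shorewall's denied-packet lines come from the kernel's iptables LOG target, so they carry the kern facility, and the default selectors below send each one to three files; the corrected version keeps them in kern.log only.

```conf
# Constructed example of a sysklogd-style /etc/syslog.conf (Debian layout).
# Firewall "denied packet" lines are kernel messages (facility kern,
# priority warning by default), so they match every selector that
# accepts kern.* or *.=warn.

# --- Before: one denied packet is written to syslog, kern.log AND messages ---
*.*;auth,authpriv.none                  -/var/log/syslog
kern.*                                  -/var/log/kern.log
*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;cron,daemon.none;\
    mail,news.none                      -/var/log/messages

# --- After: kernel (firewall) messages go to kern.log only ---
# "kern.none" excludes the kern facility from the catch-all selectors.
*.*;auth,authpriv.none;kern.none        -/var/log/syslog
kern.*                                  -/var/log/kern.log
*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;cron,daemon.none;\
    mail,news.none;kern.none            -/var/log/messages
```

The leading "-" on a path tells sysklogd not to sync the file after every line, which also helps when a flood of denials arrives; after editing, send syslogd a SIGHUP so it rereads the file, then back up etc.lrp as Ray says.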



leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html