Re: Advice on using intrusion detection

2020-11-24 Thread Aaron Mason
On Sun, Nov 22, 2020 at 1:14 AM Nick Holland wrote: > > On 2020-11-20 17:15, Erik Lauritsen wrote: > > Is it recommended to run some kind of intrusion detection on an > > OpenBSD router/firewall? > > > > I suspect that any kind of system like Snort or Suricat

Re: Advice on using intrusion detection

2020-11-22 Thread Peter Nicolai Mathias Hansteen
> On 22 Nov 2020 at 02:02, Predrag Punosevac wrote: > OpenBSD is all about prevention and exploit mitigation. Code simplicity, > correctness, and code audit are all examples of intrusion prevention > methods. They don't sound very sexy :-) If you are super new to OpenBSD >

Re: Advice on using intrusion detection

2020-11-21 Thread Predrag Punosevac
On 2020-11-20 17:15, Erik Lauritsen wrote: > Is it recommended to run some kind of intrusion detection on an > OpenBSD router/firewall? > What do you mean by "some kind of intrusion detection" (IDS). At the risk of sounding patronizing I would start by clarifying terminol

Re: Advice on using intrusion detection

2020-11-21 Thread Nick Holland
On 2020-11-20 17:15, Erik Lauritsen wrote: > Is it recommended to run some kind of intrusion detection on an > OpenBSD router/firewall? > > I suspect that any kind of system like Snort or Suricata will give a > lot of false positives? MY philosophy is it is much easier to ke

Advice on using intrusion detection

2020-11-20 Thread Erik Lauritsen
Is it recommended to run some kind of intrusion detection on an OpenBSD router/firewall? I suspect that any kind of system like Snort or Suricata will give a lot of false positives? Kind regards, Erik

Re: DNS hijacking (was Re: Is this an intrusion?)

2017-06-19 Thread Stuart Henderson
On 2017-06-19, Rui Ribeiro wrote: > Depending on how "evil" the ISP is, or how you want to obfuscate your > metadata, you might want to have a look at dnscrypt > https://blog.ipredator.se/openbsd-dnscrypt-howto.html Yes, that's an option, though it does just move your trust

Re: DNS hijacking (was Re: Is this an intrusion?)

2017-06-19 Thread Rui Ribeiro
Hi, Depending on how "evil" the ISP is, or how you want to obfuscate your metadata, you might want to have a look at dnscrypt https://blog.ipredator.se/openbsd-dnscrypt-howto.html On 18 June 2017 at 10:59, Stuart Henderson wrote: > On 2017-06-17, Paul Suh

Re: DNS hijacking (was Re: Is this an intrusion?)

2017-06-18 Thread Joe Holden
On 18/06/2017 10:59, Stuart Henderson wrote: > On 2017-06-17, Paul Suh wrote: >> Folks, >> >> My understanding of the way that this is done is by returning a CNAME >> when the ISP's DNS recursive DNS server would otherwise return a >> NXDOMAIN result, followed by a

Re: Is this an intrusion?

2017-06-18 Thread Maurice McCarthy
Just for info: So I rang Virgin to ask them to turn off their ANES for me (Advanced Network Error Search). 2 phone calls, 57 minutes and 7 advisors later they managed to find someone who knew what I was talking about. That's why I don't phone them unless I see no option. Now if I run with their

Re: DNS hijacking (was Re: Is this an intrusion?)

2017-06-18 Thread Stuart Henderson
On 2017-06-17, Paul Suh wrote: > Folks, > > My understanding of the way that this is done is by returning a CNAME > when the ISP's DNS recursive DNS server would otherwise return a > NXDOMAIN result, followed by a HTTP 302 when the browser attempts to > reach the

Re: Is this an intrusion?

2017-06-18 Thread Maurice McCarthy
g to /etc/hosts for things which you want to "block" is fairly > common practice but I've never been a huge fan.. For this case where > you're just working around the ISP resolver hijacking NXDOMAIN > responses I'd usually take the workaround of running my own local > recursive DNS se

Re: Is this an intrusion?

2017-06-17 Thread Stuart Henderson
ed for it. Adding to /etc/hosts for things which you want to "block" is fairly common practice but I've never been a huge fan.. For this case where you're just working around the ISP resolver hijacking NXDOMAIN responses I'd usually take the workaround of running my own local recursive

DNS hijacking (was Re: Is this an intrusion?)

2017-06-17 Thread Paul Suh
On Jun 16, 2017, at 9:32 PM, Joe Holden wrote: > > It is done by the VM dns servers, if you visit a domain that doesn't > exist you should be directed to the advanced search page, there *should* > be a link to disable it there, but if not login to your account and >

Re: Is this an intrusion?

2017-06-17 Thread Maurice McCarthy
On 17/06/17 09:27, Stuart Henderson wrote: > On 2017-06-16, Maurice McCarthy wrote: > > Ooops! ... Well, I moved the .Xauthority file aside and restarted X to > > create a new one. Obviously it has one line with my hostname in it. But > > > > $ xauth list > >

Re: Is this an intrusion?

2017-06-17 Thread Stuart Henderson
On 2017-06-16, Maurice McCarthy wrote: > Ooops! ... Well, I moved the .Xauthority file aside and restarted X to > create a new one. Obviously it has one line with my hostname in it. But > > $ xauth list > fresh.yem/unix:0 MIT-MAGIC-COOKIE-1 ... >

Re: Is this an intrusion?

2017-06-17 Thread Maurice McCarthy
On 17/06/17 02:32, Joe Holden wrote: > > > > To Joe Holden, > > > > Thanks for the tip about NXDOMAIN queries. Don't see where to unset in > > the router but I'm guessing the hosts file entry above should do the > > same thing. > > > > I'll keep looking around to reassure myself anyhow > > >

Re: Is this an intrusion?

2017-06-16 Thread Joe Holden
08ed0926482c51f5cb386e28a0ea >>> >>> >>> Virgin Media is my ISP. Is this an intrusion into my system please? I >>> ran xauth remove ... just for the sake of it anyhow. >> >> well, even if it wasn't, you just posted the secret key to a public list, so >> probably w

Re: Is this an intrusion?

2017-06-16 Thread Maurice McCarthy
On 15/06/17 14:13, Ted Unangst wrote: > Maurice McCarthy wrote: > > Hi, > > > > $ xauth list > > ... > > advancedsearch.virginmedia.com:0 MIT-MAGIC-COOKIE-1 > > f3aa08ed0926482c51f5cb386e28a0ea > > > > > > Virgin Media is my ISP. Is

Re: Is this an intrusion?

2017-06-15 Thread Ted Unangst
Maurice McCarthy wrote: > Hi, > > $ xauth list > ... > advancedsearch.virginmedia.com:0 MIT-MAGIC-COOKIE-1 > f3aa08ed0926482c51f5cb386e28a0ea > > > Virgin Media is my ISP. Is this an intrusion into my system please? I > ran xauth remove ... just for the s

Re: Is this an intrusion?

2017-06-15 Thread Joe Holden
82c51f5cb386e28a0ea >> >> >> Virgin Media is my ISP. Is this an intrusion into my system please? I >> ran xauth remove ... just for the sake of it anyhow. >> >> Thanks >> Moss > > > Maybe. Are there other hints in the system log files, history files around >

Re: Is this an intrusion?

2017-06-15 Thread Dot Yet
On Thu, Jun 15, 2017 at 9:12 AM Maurice McCarthy <mansel...@gmail.com> wrote: > Hi, > > $ xauth list > ... > advancedsearch.virginmedia.com:0 MIT-MAGIC-COOKIE-1 > f3aa08ed0926482c51f5cb386e28a0ea > > > Virgin Media is my ISP. Is this an intrusion into my sy

Is this an intrusion?

2017-06-15 Thread Maurice McCarthy
Hi, $ xauth list ... advancedsearch.virginmedia.com:0 MIT-MAGIC-COOKIE-1 f3aa08ed0926482c51f5cb386e28a0ea Virgin Media is my ISP. Is this an intrusion into my system please? I ran xauth remove ... just for the sake of it anyhow. Thanks Moss

ftpd intrusion?

2011-05-12 Thread fqui nonez
Hello, I have an ftpd server OBSD-4.9, and I found this: # last ftp ftp 62.234.84.203.hostway.com.au Thu May 12 12:40 - 12:40 (00:00) --(it is not me) Could it mean that I have an intrusion in the server? Where should I see? And what should I care about, please? # ls -laR /home

Re: ftpd intrusion?

2011-05-12 Thread fqui nonez
2011/5/12 fqui nonez fquinon...@gmail.com: Hello, I have an ftpd server OBSD-4.9, and I found this: # last ftp ftp 62.234.84.203.hostway.com.au Thu May 12 12:40 - 12:40 (00:00) --(it is not me) Could it mean that I have an intrusion in the server? Where should I see

Post-intrusion forensics

2008-05-08 Thread Chris Cameron
For our Windows/Solaris/Linux servers, we've had PWC say that they're qualified and able to do post-intrusion forensics on our server(s). I'm told this will go a long way in making everyone in our company as well as our customers feel better. Partly because it's an outside party verification

Re: Post-intrusion forensics

2008-05-08 Thread Joachim Schipper
On Thu, May 08, 2008 at 09:02:48AM -0600, Chris Cameron wrote: For our Windows/Solaris/Linux servers, we've had PWC say that they're qualified and able to do post-intrusion forensics on our server(s). I'm told this will go a long way in making everyone in our company as well as our customers