Hi Bob and Mark,

I've already made one attempt to do this by parsing the
kernel log, and was having some success, but the changes I
made actually made the machine vulnerable to attack so I
abandoned them. I'm going to make a second attempt in the
kernel space itself where I don't have to parse one text
string per packet received. It should be a lot faster and
remove any vulnerability.

The way it'll probably end up looking is: You'll have a new
menu entry that will give you a table that looks something
like this:

Port  Prot IP              Port     Ago
----- ---- --------------- ----- ------
   23 tcp  192.215.123.124 23811    235
   25 tcp  192.215.123.124 23812    190
   80 tcp  192.215.123.124 23813    124

Meaning that someone at IP address 192.215.123.124 tried
telnet, smtp and http one after the other a few minutes ago.
If you're being port scanned, then this could end up being
quite long. But it'll be obvious.

Regards,
John
>
> Yes, that would be very helpful. I HATE having to run firewall software on
> all my systems just to make up for the fact that STN does not provide decent
> reporting. John, I hope you will consider this a high priority for your next
> release.
>
> Cheers,
>
> Bob Jackson
>
> ----- Original Message -----
> From: Mark Haas <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, July 01, 1999 8:13 PM
> Subject: [ShareTheNet] Firewall monitoring and logging?
>
>
> > John,
> >
> > Are you considering perhaps adding port monitoring (source IP and name,
> > remote and local port) and logging to a future version of STN so we can
> > detect intrusion attempts and their source?
> >
> > Also, just noticed the for Mail on the Advanced
> > Setup/Network/Configure/Inbound Services menu appears to enable only port
> > 25 (it does not seem to enable port 110). Perhaps it should more accurately
> > be labelled SMTP instead of Mail.
> >
> > Mark
> >
> > -------------Opinions above, facts below-------------
> >
> > Mark Haas Mark Haas & Associates
> > +1-510-525-7882 vox net: [EMAIL PROTECTED]
> > +1-415-704-3070 fax web: www.haas.com
> > -----------------------------------------------------
>
>
>
> _______________________________________________
> ShareTheNet maillist - [EMAIL PROTECTED]
> http://www.webserv.com/mailman/listinfo/sharethenet
>
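The table described in the message above, as an added example that is not ShareTheNet's code: a user-space C sketch of a logger that stores binary fields per connection attempt and formats text only when the table is viewed. The names `log_attempt`, `rows_from`, `print_table` and `SLOTS`, the fixed-size ring, and the timestamps in `main` are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdint.h>
#define SLOTS 64                    /* fixed size: a scan cannot exhaust memory */
struct attempt {                    /* one row of the table in the post */
    uint32_t rip;                   /* remote IPv4 address, host byte order */
    uint16_t lport, rport;          /* probed local port, remote source port */
    uint8_t  proto;                 /* IP protocol number: 6 = tcp, 17 = udp */
    long     when;                  /* time of the attempt, in seconds */
};
static struct attempt ring[SLOTS];
static unsigned long total;         /* attempts ever recorded */

/* Store binary fields only; oldest row is overwritten once the ring is full. */
void log_attempt(uint16_t lport, uint8_t proto, uint32_t rip,
                 uint16_t rport, long when) {
    ring[total++ % SLOTS] = (struct attempt){ rip, lport, rport, proto, when };
}

/* Retained rows from one source; a port scan shows up as a large count. */
int rows_from(uint32_t rip) {
    int hits = 0;
    for (unsigned long i = 0; i < SLOTS && i < total; i++)
        hits += (ring[i].rip == rip);
    return hits;
}

/* Print the table, oldest row first; returns the number of rows printed. */
int print_table(long now) {
    unsigned long n = total < SLOTS ? total : SLOTS;
    char ip[16];
    printf("%-5s %-4s %-15s %-5s %6s\n", "Port", "Prot", "IP", "Port", "Ago");
    for (unsigned long i = total - n; i < total; i++) {
        const struct attempt *a = &ring[i % SLOTS];
        snprintf(ip, sizeof ip, "%u.%u.%u.%u", a->rip >> 24,
                 (a->rip >> 16) & 255, (a->rip >> 8) & 255, a->rip & 255);
        printf("%5u %-4s %-15s %5u %6ld\n", (unsigned)a->lport,
               a->proto == 6 ? "tcp" : a->proto == 17 ? "udp" : "?",
               ip, (unsigned)a->rport, now - a->when);
    }
    return (int)n;
}

int main(void) {                    /* constructed sample: the post's three rows */
    uint32_t src = (192u << 24) | (215u << 16) | (123u << 8) | 124u;
    log_attempt(23, 6, src, 23811, 1000);
    log_attempt(25, 6, src, 23812, 1045);
    log_attempt(80, 6, src, 23813, 1111);
    return print_table(1235) == 3 ? 0 : 1;
}
```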