On Tue, Feb 19, 2002 at 05:26:01PM +1100, Alan L Tyree wrote:
> I have just switched to a no-time-limit dial up connection. It strikes
> me that I should be keeping a closer look on log files than before.
Have a look at logsentry, formerly known as logcheck:
http://www.psionic.com/products/logsentry.html
> But what files should I be looking at?
Logsentry checks a number of files by default. I don't remember whether
it included apache and ftp server logs though, but it's easy enough to
add them, if you're running those services.
> What would show up as a hack attempt?
How long is a piece of string? Scans for open ports followed by
connections to any ports found open (hence the need for a good
firewall) are the most common. The ones I see most often here are
ports 137-139 (Windows file sharing and name service), 111 (rpcd), 515
(lpd), 80 (mostly code red), 3128/8180 (proxy), 23 (telnetd), 22 (sshd)
and 21 (ftpd, usually looking for anonymous ftp servers), 25 (looking
for open mail relays).
Don't run any of these services without suitable firewalling to prevent
access from outside, except sshd which is fine as long as you're using
the latest openssh. In fact, for a home system, there's probably no
need to have anything but port 22 open to the outside world (and only
if you need remote access). You may need to allow incoming connections
to ports 1024 and above for outgoing ftp, but if you use a client
capable of passive ftp (ncftp, wget, any web browser), you don't need
to do this.
I see a dozen or so scans each day, not including ports 80 and
137-139. I could simply drop the packets without logging them, but I
like to keep an eye on what's happening.
Subscribe to your distribution's security update mailing list and apply
updates promptly. Consider subscribing to bugtraq too.
Run tripwire. Run nessus against your machine from somewhere outside
your firewall (or get someone you trust to do it) and see what shows
up. Fix any vulnerabilities it finds. Run it from within your network
to see what else will be exposed if your firewall is ever broken (it's
not hard to make a mistake when editing your firewall script and expose
far more than you ever intended). Fix everything you find.
Remember, you can never be too paranoid. They really *are* out to get
you.
Cheers,
John
--
The truly paranoid administrator may wish to place motion detectors in the
air ducts.
-- Practical UNIX & Internet Security, 2nd Edition
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
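An added example, not part of John's reply or of logsentry: a small Python script that does the kind of "keeping an eye on what's happening" described above, by reading firewall log lines and reporting hits on the commonly probed ports the reply lists, plus any single source that touches many distinct ports (the scan-then-connect pattern). The log lines are constructed here in netfilter LOG format; the port-to-service names, the scan threshold of five ports and the field regex are this example's own assumptions, not anything from the mailing list post.

```python
import re
from collections import defaultdict

# Ports the reply singles out as the most commonly probed, with the service
# names the author attaches to them (assumption: a flat lookup is enough).
WATCHED_PORTS = {
    137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn",
    111: "rpcd", 515: "lpd", 80: "http (Code Red)", 3128: "proxy",
    8180: "proxy", 23: "telnetd", 22: "sshd", 21: "ftpd", 25: "smtp relay",
}

# Constructed sample log: two sources poking at NetBIOS, one source walking a
# list of service ports, one ordinary ssh login, one ICMP echo and one
# unrelated sshd line that the parser must ignore.
SAMPLE_LOG = """\
Feb 19 17:30:01 host kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1 DF PROTO=TCP SPT=3456 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 19 17:30:02 host kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=2 DF PROTO=TCP SPT=3457 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 19 17:30:03 host kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=78 TOS=0x00 PREC=0x00 TTL=112 ID=3 PROTO=UDP SPT=137 DPT=137 LEN=58
Feb 19 17:30:04 host kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=78 TOS=0x00 PREC=0x00 TTL=112 ID=4 PROTO=UDP SPT=138 DPT=138 LEN=58
Feb 19 17:31:00 host sshd[123]: Accepted publickey for john from 192.0.2.9 port 4022 ssh2
Feb 19 17:31:01 host kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.9 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=5 DF PROTO=TCP SPT=4022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 19 17:31:02 host kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.9 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Feb 19 17:32:10 host kernel: IN=ppp0 OUT= MAC= SRC=198.51.100.20 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=8 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 19 17:32:10 host kernel: IN=ppp0 OUT= MAC= SRC=198.51.100.20 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=9 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 19 17:32:10 host kernel: IN=ppp0 OUT= MAC= SRC=198.51.100.20 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=10 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 19 17:32:11 host kernel: IN=ppp0 OUT= MAC= SRC=198.51.100.20 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=11 PROTO=TCP SPT=40001 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 19 17:32:11 host kernel: IN=ppp0 OUT= MAC= SRC=198.51.100.20 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=12 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 19 17:32:11 host kernel: IN=ppp0 OUT= MAC= SRC=198.51.100.20 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=13 PROTO=TCP SPT=40001 DPT=111 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 19 17:32:12 host kernel: IN=ppp0 OUT= MAC= SRC=198.51.100.20 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=14 PROTO=TCP SPT=40001 DPT=515 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Matches the KEY=value fields of a netfilter LOG line (flags such as DF or
# SYN carry no '=' and are deliberately not captured).
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=value fields of a firewall log line, or None for
    anything that is not a kernel packet log (e.g. sshd messages)."""
    if "kernel:" not in line or "SRC=" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def summarize(lines):
    """Count attempts per destination port and collect the set of ports
    each source address has touched. ICMP lines carry no DPT and are
    counted by neither table."""
    per_port = defaultdict(int)
    per_src_ports = defaultdict(set)
    for line in lines:
        fields = parse_line(line)
        if fields is None or "DPT" not in fields:
            continue
        dpt = int(fields["DPT"])
        per_port[dpt] += 1
        per_src_ports[fields["SRC"]].add(dpt)
    return per_port, per_src_ports


def detect_scans(per_src_ports, threshold=5):
    """Sources that probed at least `threshold` distinct ports: the simple
    'many ports from one address' signature of a port scan."""
    return sorted(src for src, ports in per_src_ports.items()
                  if len(ports) >= threshold)


def report(lines, threshold=5):
    """Build the summary a daily log check would mail to the admin."""
    per_port, per_src_ports = summarize(lines)
    watched_hits = {port: (count, WATCHED_PORTS[port])
                    for port, count in per_port.items() if port in WATCHED_PORTS}
    return {
        "total_logged": sum(per_port.values()),
        "watched_hits": watched_hits,
        "scanners": detect_scans(per_src_ports, threshold),
    }


if __name__ == "__main__":
    result = report(SAMPLE_LOG.splitlines())
    print("logged connection attempts:", result["total_logged"])
    for port in sorted(result["watched_hits"]):
        count, name = result["watched_hits"][port]
        print(f"  port {port:5d} ({name}): {count}")
    print("likely scanners:", ", ".join(result["scanners"]) or "none")
```

Run against a real `/var/log/messages` by replacing `SAMPLE_LOG.splitlines()` with the file's lines; the ordinary ssh login from 192.0.2.9 shows up as a single hit on port 22 and is not flagged, while the address that walked seven service ports is. The threshold is a judgement call: set it too low and a client that legitimately uses several services on the host will be reported, too high and a slow, narrow scan will not.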