Re: Security - how to notice compromises.
On Thu, 24 Feb 2000, Barrie Bremner wrote:
> How do folk pick up on attempts at entry to machines?
If you set up a firewall using ipchains you can set it to deny packets based on
IP, port, protocol, and more, and you can log the packets that get denied
so you see what access attempts you foiled.
Here's a random one:
Feb 16 20:40:09 emmy kernel: Packet log: ppp-in DENY ppp0 PROTO=6 62.137.45.68:22577 62.136.17.125:12346 L=48 S=0x00 I=44675 F=0x4000 T=121 SYN (#39)
It says that someone is trying to connect (SYN packet) to port 12346 on my
machine using TCP (protocol 6). IIRC there is a standard trojan that lurks on
that port so some script kiddy was trying to connect to that.
The ipchains HOWTO is pretty good but it takes a bit of study to get it
straight. There's a basic firewall at http://www.noether.freeserve.co.uk
atb
Martin
--
http://www.shef.ac.uk/~pm1mph
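
Added example (not part of the original message): a small Python parser for ipchains "Packet log" lines in the layout quoted above, which counts denied TCP SYNs per source address and destination port. The field names in the regex, the helper names, and every sample line other than the first are constructed for illustration.

```python
import re
from collections import Counter

# Layout follows the log line quoted in the message; group names are our own labels.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ip_id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)?(?: \(#(?P<rule>\d+)\))?"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_line(line):
    """Return a dict for one ipchains 'Packet log' line, or None for other syslog lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ip_id", "ttl"):
        rec[key] = int(rec[key])
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    rec["syn"] = rec["syn"] is not None          # True when the line ends in "SYN"
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None
    return rec

def denied_connection_attempts(lines):
    """Count denied TCP connection attempts (SYN) per (source IP, destination port)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "DENY" and rec["proto"] == 6 and rec["syn"]:
            hits[(rec["src"], rec["dport"])] += 1
    return hits

SAMPLE = [
    # The line from the message, on one line.
    "Feb 16 20:40:09 emmy kernel: Packet log: ppp-in DENY ppp0 PROTO=6 62.137.45.68:22577 62.136.17.125:12346 L=48 S=0x00 I=44675 F=0x4000 T=121 SYN (#39)",
    # Constructed lines (documentation address ranges), including a non-firewall entry.
    "Feb 16 20:41:02 emmy kernel: Packet log: ppp-in DENY ppp0 PROTO=6 192.0.2.7:1044 198.51.100.2:23 L=44 S=0x00 I=301 F=0x4000 T=110 SYN (#39)",
    "Feb 16 20:41:05 emmy kernel: Packet log: ppp-in DENY ppp0 PROTO=6 192.0.2.7:1044 198.51.100.2:23 L=44 S=0x00 I=302 F=0x4000 T=110 SYN (#39)",
    "Feb 16 20:41:09 emmy kernel: Packet log: ppp-in DENY ppp0 PROTO=17 192.0.2.7:1045 198.51.100.2:137 L=78 S=0x00 I=303 F=0x0000 T=110 (#40)",
    "Feb 16 20:41:30 emmy pppd[212]: rcvd [LCP EchoReq id=0x1]",
]
```

Sorting the result with `denied_connection_attempts(lines).most_common()` puts the most persistent source and port pairs first.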
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk