I love IP Tables....

Les Mikesell lesmikesell at gmail.com
Wed May 30 04:23:51 UTC 2007


jdow wrote:

> This brings to mind something that could serve as a really nice
> improvement to logwatch. Most of the messages are easy for someone with
> sysadmin experience or long years of learning by osmosis to interpret.
> How is a person to scale the danger to the computer from these simple
> messages:
>   From 15.134.22.128 - 1 packet to udp(1026)
>   ...
>   From 204.16.211.17 - 55 packets to udp(1026,1027)
>   ...
>   From 208.65.153.251 - 5 packets to tcp(43441,43443,43446)
>   ...
>   From 208.65.153.253 - 11 packets to tcp(49442,49444,49447,49449)
> 
> All these fall under the heading:
> Logged 504 packets on interface xxx
> 
> Are any of them dangerous? Are they all dangerous? On a scale of 1-10
> which are going to lead to a compromised machine?

It shouldn't matter what packets anyone sends at you.  If your software 
does not have bugs they won't cause any particular problems.


> --------------------- pam_unix Begin ------------------------
> sshd:
>    Authentication Failures:
>       root (217.24.240.77): 1 Time(s)

Well, password guessing can be a problem if you have easily guessed 
passwords.

> Somebody needs to collect some "wisdom" from experienced users to develop
> a bit of AI sense to apply to LogWatch that is a digest of "problems"
> rather than simple accounting, a tool so that my 90+ year old mother
> could look at the logs the way she might look at the fuel gauge in her
> car and note there is a problem, call an expert.

If you see outbound connections you don't expect it's time to be 
concerned.  On the inbound side it doesn't make sense to care about what 
comes at you. Just assume everything possible is going to come at you. 
If you know a pattern that is going to cause trouble, you should fix 
that particular problem so you don't have to care about it again. If you 
are running an OS that can't be fixed then block everything you don't 
know is safe with a firewall.

-- 
   Les Mikesell
    lesmikesell at gmail.com
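As an added illustration of the triage rule Les describes (inbound noise is not actionable, repeated or privileged-account login failures are), here is a small Python script that is not part of the thread or of logwatch itself. It parses the two digest line shapes quoted above ("From <ip> - N packets to proto(ports)" and "user (ip): N Time(s)") from a constructed sample assembled from those quoted lines, and assigns each item a severity. The regexes, the `auth_threshold` value and the `privileged` account list are assumptions made for the example, not logwatch configuration.

```python
import re
from collections import defaultdict

# Assumed shapes of the two logwatch digest lines quoted in the thread.
PACKET_RE = re.compile(
    r"From\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+-\s+(?P<count>\d+)\s+packets?\s+to\s+"
    r"(?P<proto>tcp|udp)\((?P<ports>[\d,]+)\)"
)
AUTH_RE = re.compile(
    r"^\s*(?P<user>\S+)\s+\((?P<src>\d{1,3}(?:\.\d{1,3}){3})\):\s+(?P<count>\d+)\s+Time\(s\)"
)

# Constructed sample built from the lines quoted in the thread (not a real digest).
SAMPLE = """\
Logged 504 packets on interface xxx
  From 15.134.22.128 - 1 packet to udp(1026)
  From 204.16.211.17 - 55 packets to udp(1026,1027)
  From 208.65.153.251 - 5 packets to tcp(43441,43443,43446)
  From 208.65.153.253 - 11 packets to tcp(49442,49444,49447,49449)
--------------------- pam_unix Begin ------------------------
sshd:
   Authentication Failures:
      root (217.24.240.77): 1 Time(s)
"""


def parse_packet_line(line):
    """Parse one 'From <ip> - N packets to proto(ports)' line, or return None."""
    m = PACKET_RE.search(line)
    if not m:
        return None
    return {
        "src": m["src"],
        "count": int(m["count"]),
        "proto": m["proto"],
        "ports": [int(p) for p in m["ports"].split(",")],
    }


def triage(text, auth_threshold=5, privileged=("root",)):
    """Return (inbound, findings).

    inbound  : packets per source address from the firewall section.
    findings : list of (severity, message); 'warn' only for login failures
               against a privileged account or above auth_threshold, 'info'
               for everything else, following the advice in the reply that
               unsolicited inbound traffic alone is not a sign of compromise.
    """
    inbound = defaultdict(int)
    findings = []
    for line in text.splitlines():
        pkt = parse_packet_line(line)
        if pkt:
            inbound[pkt["src"]] += pkt["count"]
            continue
        m = AUTH_RE.match(line)
        if m:
            n = int(m["count"])
            sev = "warn" if (m["user"] in privileged or n >= auth_threshold) else "info"
            findings.append(
                (sev, f"{n} failed login(s) for {m['user']} from {m['src']}; "
                      "check that the account uses a strong password or key-only auth")
            )
    if inbound:
        total = sum(inbound.values())
        findings.append(
            ("info", f"{total} unsolicited inbound packets from {len(inbound)} sources; "
                     "background noise, no action unless a listening service is known to be vulnerable")
        )
    return dict(inbound), findings


if __name__ == "__main__":
    inbound, findings = triage(SAMPLE)
    for sev, msg in findings:
        print(f"[{sev}] {msg}")
```

Running it on the sample yields one `warn` line for the root login failure and one `info` summary for the 72 dropped inbound packets, which is the "fuel gauge" split jdow asks for: the firewall counters are reported but not escalated, and only the item that depends on a local weakness (a guessable password) is raised.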