Folks, I am getting slammed with attacks to my site, most of which are reported to me via my network appliance, but of course that is only for those attacks that the NA knows about, so I am just getting a bit concerned. Those that do not get through are things like certain corrupted packets, port spoofing, port scanning, unexposed-port attacks, DOS and DDOS, as provided by the NA, but the ones that do get through are exposed-port attacks, broadcast packets, and other things God knows what. These are attempting to attack systems inside my firewall.

As for the Fedora box specifically, FireStarter is a nice tool for easy management of the iptables, and one nice feature is the ability to show in "real time" successful connections and denials of connections, which is nice but not comprehensive enough. So, I am wondering if there is a really good port analyzer or security tool that can show in (near) real time illegal connection attempts, with the ability to map these offender(s) to the origin of these attacks and automatic abuse email deliveries to the ISPs that are responsible for their networks? I am not looking for a port analyzer per se, but if it can be used with graphical displays of attackers as they unfold, that would be nifty. I am thinking along the lines of an old(?) program called "black ice" with additional vendor support that tied into it for graphical display with world maps; it was really cool and it had the ability to generate abuse data for email delivery and also allowed the administrator to preview for manual or automatic delivery. Perhaps what I am seeking is an IDS (Intrusion Detection System) program for Linux? I am not looking for commercial solutions as I do not have a tree that grows money :-(

I got some interesting attack attempts from LogWatch and thought I would share this information; it surprised me a little, esp. WRT program-argument-level attacks...
I never realized that one must be fairly diligent when it comes to security considerations. Anyway, here it is:

/awstats/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
/blog/xmlrpc.php: 1 Time(s)
/blog/xmlsrv/xmlrpc.php: 1 Time(s)
/blogs/xmlsrv/xmlrpc.php: 1 Time(s)
/cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
/cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1 Time(s)
/drupal/xmlrpc.php: 1 Time(s)
/favicon.ico: 1 Time(s)
/phpgroupware/xmlrpc.php: 1 Time(s)
/wordpress/xmlrpc.php: 1 Time(s)
/xmlrpc.php: 2 Time(s)
/xmlrpc/xmlrpc.php: 1 Time(s)
/xmlsrv/xmlrpc.php: 1 Time(s)

Note that these are attempts from the httpd side, and I have yet to see if LogWatch is capable of tracking and reporting illegal attempts to access programs and run them remotely, especially if it should not be allowed. Please let me know of your security experiences and recommendations!

Kind regards,
Dan

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.362 / Virus Database: 267.12.8/165 - Release Date: 11/9/2005
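One way to get the per-offender summary the post asks for (source address, what was tried, first and last seen) straight from the httpd access log, as an added example that is not from the original post nor from LogWatch or FireStarter: a short Python script that matches the two probe patterns in the report above (the AWStats `configdir` parameter carrying a shell pipe, and `xmlrpc.php` requested under guessed paths) and aggregates hits per source. The log lines use documentation addresses and are constructed; the signature names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache common log format; the request targets mirror
# the probes in the LogWatch report above, the addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Nov/2005:03:14:07 -0500] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;echo| HTTP/1.1" 404 293
192.0.2.10 - - [10/Nov/2005:03:14:08 -0500] "GET /awstats/awstats.pl?configdir=%7Cecho;echo%20YYY;echo%7C HTTP/1.1" 404 293
198.51.100.7 - - [10/Nov/2005:03:20:01 -0500] "GET /xmlrpc.php HTTP/1.1" 404 288
198.51.100.7 - - [10/Nov/2005:03:20:01 -0500] "POST /blog/xmlrpc.php HTTP/1.1" 404 288
198.51.100.7 - - [10/Nov/2005:03:20:02 -0500] "GET /drupal/xmlrpc.php HTTP/1.1" 404 288
203.0.113.5 - - [10/Nov/2005:04:00:00 -0500] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [10/Nov/2005:04:00:01 -0500] "GET /favicon.ico HTTP/1.1" 404 209
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Signature name -> predicate over (URL-decoded path, URL-decoded query string).
SIGNATURES = {
    # AWStats configdir parameter starting with a shell pipe, as in the report above.
    "awstats-configdir-injection":
        lambda path, query: path.endswith("awstats.pl") and re.search(r"configdir=\s*\|", query) is not None,
    # xmlrpc.php requested under many guessed directories: blind application probing.
    "xmlrpc-probe": lambda path, query: path.endswith("/xmlrpc.php"),
}

def classify(target):
    """Return the signature names matching one request target (decoded first, so %7C == '|')."""
    path, _, query = unquote(target).partition("?")
    return [name for name, match in SIGNATURES.items() if match(path, query)]

def summarize(log_text):
    """Per source address: hit count, matched signatures, first/last timestamp; clean traffic is dropped."""
    offenders = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in common log format
        hits = classify(m["target"])
        if not hits:
            continue                      # ordinary request, nothing to report
        entry = offenders.setdefault(m["ip"], {"hits": 0, "signatures": set(), "first": m["ts"], "last": m["ts"]})
        entry["hits"] += 1
        entry["signatures"].update(hits)
        entry["last"] = m["ts"]
    return {ip: {**e, "signatures": sorted(e["signatures"])} for ip, e in offenders.items()}

def abuse_report(offenders):
    """Plain-text summary, busiest source first, usable as the body of a manually reviewed abuse notice."""
    lines = []
    for ip, e in sorted(offenders.items(), key=lambda kv: -kv[1]["hits"]):
        lines.append(f"{ip}: {e['hits']} request(s) from {e['first']} to {e['last']}, matched: {', '.join(e['signatures'])}")
    return "\n".join(lines)
```

Run `print(abuse_report(summarize(open("/var/log/httpd/access_log").read())))` against a real log to get the same summary; whois lookup of each address for the responsible ISP is left to the reviewer.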