From: "David G. Miller" <dave@xxxxxxxxxxxxx>
So, I'd say the car analogy really fits computers. Like with cars, you
don't have to do everything perfectly all the time but any lapse is
*potentially* an accident waiting to happen. Do it often enough and
eventually the accident will happen. Like with safe driving, the idea is
to develop a bunch of safe computing habits like checking what logwatch
reports, running chkrootkit from cron, if you can, port scan your network
from outside (e.g., visit the local library with a laptop) from time to
time, etc.
This brings to mind something that could serve as a really nice
improvement to logwatch. Most of the messages are easy for someone with
sysadmin experience or long years of learning by osmosis to interpret.
How is a person to scale the danger to the computer from these simple
messages:
From 15.134.22.128 - 1 packet to udp(1026)
...
From 204.16.211.17 - 55 packets to udp(1026,1027)
...
From 208.65.153.251 - 5 packets to tcp(43441,43443,43446)
...
From 208.65.153.253 - 11 packets to tcp(49442,49444,49447,49449)
All these fall under the heading:
Logged 504 packets on interface xxx
Are any of them dangerous? Are they all dangerous? On a scale of 1-10
which are going to lead to a compromised machine?
Then we have these messages:
--------------------- Connections (secure-log)
Begin ------------------------
Connections:
Service printer [Connection(s) per day]:
192.168.xxx.xx2 (xxx): 2 Time(s)
Total Connections: 2
---------------------- Connections (secure-log)
End -------------------------
--------------------- SSHD Begin ------------------------
Users logging in through sshd:
jdow:
192.168.xxx.xx2 (xxx): 1 time
root:
192.168.xxx.xx2 (xxx): 2 times
---------------------- SSHD End -------------------------
I can guess pretty quickly that these are simply accounting measures.
That way I can tell if someone is printing off thousands of phony
$23 bills for donations to Congressional campaigns or something silly
like that. I can also tell how many times they machine's been accessed
successfully and nominally who but not for how long. If I see an account
I do not recognize that's a red flag.
But then we have this:
From 207.217.77.42 - 12 packets to udp(53)
From 207.217.126.41 - 6 packets to udp(53)
LogWatch does not note a little question here, "Is your software up
to date? This is a probe for known name server vulnerability in older
versions of the "bind" package."
Or we have this one:
WARNING: Kernel Errors Present
hda: dma_intr: error=0x84 { DriveStat ...: 10 Time(s)
hda: dma_intr: status=0x51 { DriveReady SeekComplete Error } ...: 10
Time(s)
Your hard disk appears to be in trouble. (Actually it caught a power
supply going bad before it managed to kill everything in the computer as
has happened before. The drive's so far working fine. But I figure it is
time to replace it, anyway. A modest size drive priced at 3.6 G per buck
seemed like a decent replacement deal. (The best deal is 4G ber buck. And
my first hard disks were something like a kilobuck for two 19 Meg Micropolis
drives and a Morrow Designs controller. And I was in hog heaven then!)
Back on subjects we next have this set:
...
Rejected 36806 packets on interface eth1
From 217.24.240.77 - 36806 packets to tcp(22)
---------------------- iptables firewall End -------------------------
--------------------- pam_unix Begin ------------------------
sshd:
Authentication Failures:
root (217.24.240.77): 1 Time(s)
---------------------- pam_unix End -------------------------
...
--------------------- SSHD Begin ------------------------
Failed logins from:
217.24.240.77: 1 time
---------------------- SSHD End -------------------------
Now, that might rank up there as a 4 or 5 or so to be concerned about.
The programmer is obviously an inept amateur. (The ones that only try
a few hundred to a couple thousand times are the serious ones out to
crack machines as efficiently as possible and don't waste time where
they cannot get in.) If the Authentication Failures had shown the same
36806 additional packets from that one address I'd be in deeper trouble,
wouldn't I? Maybe that would mean I was hacked? It certainly would mean
it if the Failed logins from: line had a different and smaller count
from that same address. If they are the same that's no assurance. That
is a 9 or 10 level warning.
Somebody needs to collect some "wisdom" from experienced users to develop
a bit if AI sense to apply to LogWatch that is a digest of "problems"
rather than simple accounting, a tool so that my 90+ year old mother
could look at the logs the way she might look at the fuel gauge in her
car and note there is a problem, call an expert. (It's her own damn
fault she'd die before calling me - religions get funny that way. {^_-})
Finally, like with cars, if all you want to do is the computing equivalent
of hop in, turn the key and make a run to the grocery store, about all you
need to do is scan the gages and idiot lights and do the scheduled
maintenance. On the other hand, if you want to drive like you're James
Bond escaping from Specter, you'd better do a little bit more. All I'd
like to see normal users do is the equivalent of scan the idiot lights and
do the scheduled maintenance. That's all. Conversely, if you want to go
beyond just checking e-mail and surfing the 'net, it is your
responsibility to make sure that whatever services you open up don't
become an invitation to hackers. It's in your best interest as well as
helping others not have to deal with your security lapses.
Exactly - we need the idiot lights I discussed above. We also need to tune
the idiot lights. There is a very good reason for this message to be
present:
--------------------- sendmail-largeboxes (large mail spool files)
Begin ------------------------
Large Mailbox threshold: 40MB (41943040 bytes)
Warning: Large mailbox: jdow (122970504)
---------------------- sendmail-largeboxes (large mail spool files)
End -------------------------
Yeah, I should tune the quota. But there are reasons not to do that as well.
{^_-} <- Yeah, I admit I am a little up and widdershins of strange.