jdow wrote:
This brings to mind something that could serve as a really nice improvement to logwatch. Most of the messages are easy for someone with sysadmin experience or long years of learning by osmosis to interpret. How is a person to scale the danger to the computer from these simple messages:

    From 15.134.22.128 - 1 packet to udp(1026)
    ...
    From 204.16.211.17 - 55 packets to udp(1026,1027)
    ...
    From 208.65.153.251 - 5 packets to tcp(43441,43443,43446)
    ...
    From 208.65.153.253 - 11 packets to tcp(49442,49444,49447,49449)

All these fall under the heading:

    Logged 504 packets on interface xxx

Are any of them dangerous? Are they all dangerous? On a scale of 1-10 which are going to lead to a compromised machine?
It shouldn't matter what packets anyone sends at you. If your software does not have bugs they won't cause any particular problems.
--------------------- pam_unix Begin ------------------------
 sshd:
    Authentication Failures:
       root (217.24.240.77): 1 Time(s)
Well, password guessing can be a problem if you have easily guessed passwords.
Somebody needs to collect some "wisdom" from experienced users to develop a bit of AI sense to apply to LogWatch that is a digest of "problems" rather than simple accounting, a tool so that my 90+ year old mother could look at the logs the way she might look at the fuel gauge in her car and note there is a problem, call an expert.
If you see outbound connections you don't expect it's time to be concerned. On the inbound side it doesn't make sense to care about what comes at you. Just assume everything possible is going to come at you. If you know a pattern that is going to cause trouble, you should fix that particular problem so you don't have to care about it again. If you are running an OS that can't be fixed then block everything you don't know is safe with a firewall.
-- Les Mikesell lesmikesell@xxxxxxxxx
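As an added illustration of the "digest of problems rather than simple accounting" idea discussed in the thread (this is example code, not part of either poster's message and not logwatch's own code): the script below parses logwatch-style lines of the two kinds quoted above and sorts them the way the reply suggests, treating dropped inbound packets as informational and repeated authentication failures against an account as something to review. The sample text is constructed from the quoted excerpts plus one made-up entry (user `admin` from the documentation address `198.51.100.7`), and the per-account failure threshold of 3 is an assumption chosen for illustration.

```python
"""Triage logwatch-style output: inbound packet noise is informational,
password guessing against an account is flagged once it repeats.

Added example; not code from logwatch or from anyone in the thread.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the logwatch excerpts quoted in the thread.
# The 'admin' line is made up; 198.51.100.7 is a documentation address.
SAMPLE = """\
Logged 504 packets on interface xxx
   From 15.134.22.128 - 1 packet to udp(1026)
   From 204.16.211.17 - 55 packets to udp(1026,1027)
   From 208.65.153.251 - 5 packets to tcp(43441,43443,43446)
   From 208.65.153.253 - 11 packets to tcp(49442,49444,49447,49449)

--------------------- pam_unix Begin ------------------------
 sshd:
    Authentication Failures:
       root (217.24.240.77): 1 Time(s)
       admin (198.51.100.7): 6 Time(s)
"""

# "From <ip> - <n> packet(s) to <proto>(<port>,<port>,...)"
PACKET_RE = re.compile(
    r"From (?P<ip>\d+\.\d+\.\d+\.\d+) - (?P<count>\d+) packets? to "
    r"(?P<proto>tcp|udp)\((?P<ports>[\d,]+)\)"
)
# "<user> (<ip>): <n> Time(s)"
AUTHFAIL_RE = re.compile(
    r"(?P<user>\S+) \((?P<ip>\d+\.\d+\.\d+\.\d+)\): (?P<count>\d+) Time\(s\)"
)


def parse(text):
    """Return (packets, auth_failures).

    packets[(ip, proto)] -> {"count": total packets, "ports": set of ports}
    auth_failures[(user, ip)] -> total failed attempts
    """
    packets = defaultdict(lambda: {"count": 0, "ports": set()})
    auth_failures = defaultdict(int)
    for line in text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            key = (m["ip"], m["proto"])
            packets[key]["count"] += int(m["count"])
            packets[key]["ports"].update(int(p) for p in m["ports"].split(","))
            continue
        m = AUTHFAIL_RE.search(line)
        if m:
            auth_failures[(m["user"], m["ip"])] += int(m["count"])
    return packets, auth_failures


def triage(text, fail_threshold=3):
    """Turn parsed entries into (level, message) findings.

    Dropped inbound packets are 'info': unsolicited traffic arriving at the
    host is not by itself a problem.  Authentication failures become 'review'
    once one (user, source) pair reaches fail_threshold (assumed value).
    """
    packets, auth_failures = parse(text)
    findings = []
    for (ip, proto), info in sorted(packets.items()):
        findings.append(
            ("info", f"{info['count']} {proto} packets from {ip} "
                     f"to {len(info['ports'])} port(s)")
        )
    for (user, ip), n in sorted(auth_failures.items()):
        level = "review" if n >= fail_threshold else "info"
        findings.append((level, f"{n} failed login(s) for {user} from {ip}"))
    return findings


if __name__ == "__main__":
    for level, message in triage(SAMPLE):
        print(f"[{level:6}] {message}")
```

The point of splitting the output into `parse` and `triage` is that the accounting (what arrived, how often) stays separate from the judgement (what deserves a look), so the judgement rules can be adjusted without touching the log format handling.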