jdow wrote:
This brings to mind something that could serve as a really nice
improvement to logwatch. Most of the messages are easy for someone with
sysadmin experience or long years of learning by osmosis to interpret.
How is a person to scale the danger to the computer from these simple
messages:
From 15.134.22.128 - 1 packet to udp(1026)
...
From 204.16.211.17 - 55 packets to udp(1026,1027)
...
From 208.65.153.251 - 5 packets to tcp(43441,43443,43446)
...
From 208.65.153.253 - 11 packets to tcp(49442,49444,49447,49449)
All these fall under the heading:
Logged 504 packets on interface xxx
Are any of them dangerous? Are they all dangerous? On a scale of 1-10
which are going to lead to a compromised machine?
It shouldn't matter what packets anyone sends at you. If your software
does not have bugs they won't cause any particular problems.
--------------------- pam_unix Begin ------------------------
sshd:
Authentication Failures:
root (217.24.240.77): 1 Time(s)
Well, password guessing can be a problem if you have easily guessed
passwords.
Somebody needs to collect some "wisdom" from experienced users to develop
a bit if AI sense to apply to LogWatch that is a digest of "problems"
rather than simple accounting, a tool so that my 90+ year old mother
could look at the logs the way she might look at the fuel gauge in her
car and note there is a problem, call an expert.
If you see outbound connections you don't expect it's time to be
concerned. On the inbound side it doesn't make sense to care about what
comes at you. Just assume everything possible is going to come at you.
If you know a pattern that is going to cause trouble, you should fix
that particular problem so you don't have to care about it again. If you
are running an OS that can't be fixed then block everything you don't
know is safe with a firewall.
--
Les Mikesell
lesmikesell@xxxxxxxxx
