I love IP Tables....

Gene Heskett gene.heskett at verizon.net
Thu May 31 20:08:11 UTC 2007


On Tuesday 29 May 2007, jdow wrote:
>From: "David G. Miller" <dave at davenjudy.org>
>
>> So, I'd say the car analogy really fits computers.  Like with cars, you
>> don't have to do everything perfectly all the time but any lapse is
>> *potentially* an accident waiting to happen.  Do it often enough and
>> eventually the accident will happen.  Like with safe driving, the idea is
>> to develop a bunch of safe computing habits like checking what logwatch
>> reports, running chkrootkit from cron, if you can, port scan your network
>> from outside (e.g., visit the local library with a laptop) from time to
>> time, etc.
>
>This brings to mind something that could serve as a really nice
>improvement to logwatch. Most of the messages are easy for someone with
>sysadmin experience or long years of learning by osmosis to interpret.
>How is a person to scale the danger to the computer from these simple
>messages:
>   From 15.134.22.128 - 1 packet to udp(1026)
>   ...
>   From 204.16.211.17 - 55 packets to udp(1026,1027)
>   ...
>   From 208.65.153.251 - 5 packets to tcp(43441,43443,43446)
>   ...
>   From 208.65.153.253 - 11 packets to tcp(49442,49444,49447,49449)
>
>All these fall under the heading:
> Logged 504 packets on interface xxx
>
>Are any of them dangerous? Are they all dangerous? On a scale of 1-10
>which are going to lead to a compromised machine?
>
>Then we have these messages:
> --------------------- Connections (secure-log) Begin ------------------------
>
>
> Connections:
>    Service printer [Connection(s) per day]:
>       192.168.xxx.xx2 (xxx): 2 Time(s)
>       Total Connections: 2
>
> ---------------------- Connections (secure-log) End -------------------------
>
>
> --------------------- SSHD Begin ------------------------
>
>
> Users logging in through sshd:
>    jdow:
>       192.168.xxx.xx2 (xxx): 1 time
>    root:
>       192.168.xxx.xx2 (xxx): 2 times
>
>
> ---------------------- SSHD End -------------------------
>
>I can guess pretty quickly that these are simply accounting measures.
>That way I can tell if someone is printing off thousands of phony
>$23 bills for donations to Congressional campaigns or something silly
>like that. I can also tell how many times the machine's been accessed
>successfully and nominally who but not for how long. If I see an account
>I do not recognize that's a red flag.
>
>But then we have this:
>   From 207.217.77.42 - 12 packets to udp(53)
>   From 207.217.126.41 - 6 packets to udp(53)
>
>LogWatch does not note a little question here, "Is your software up
>to date? This is a probe for known name server vulnerability in older
>versions of the "bind" package."
>
>Or we have this one:
> WARNING:  Kernel Errors Present
>    hda: dma_intr: error=0x84 { DriveStat ...:  10 Time(s)
>    hda: dma_intr: status=0x51 { DriveReady SeekComplete Error } ...:  10 Time(s)
>
>Your hard disk appears to be in trouble. (Actually it caught a power
>supply going bad before it managed to kill everything in the computer as
>has happened before. The drive's so far working fine. But I figure it is
>time to replace it, anyway. A modest size drive priced at 3.6 G per buck
>seemed like a decent replacement deal. (The best deal is 4G per buck. And
>my first hard disks were something like a kilobuck for two 19 Meg Micropolis
>drives and a Morrow Designs controller. And I was in hog heaven then!)

My first hard drive was a ten meg tandon, on a B&B adaptor wrapped around a WD 
ISA interface card, plugged into the MPI on a coco2.  Cost me about 700 
1985ish dollars.  Took me about 6 months to fill that puppy up at 300 baud.  
And I absolutely wallered in it.  Buggier than a 10 day old carcass in the 
Arizona sun though.

>Back on subjects we next have this set:
>    ...
> Rejected 36806 packets on interface eth1
>   From 217.24.240.77 - 36806 packets to tcp(22)
>
> ---------------------- iptables firewall End -------------------------
>
>
> --------------------- pam_unix Begin ------------------------
>
> sshd:
>    Authentication Failures:
>       root (217.24.240.77): 1 Time(s)
>
>
> ---------------------- pam_unix End -------------------------
>
> ...
>
> --------------------- SSHD Begin ------------------------
>
>
> Failed logins from:
>    217.24.240.77: 1 time
>
> ---------------------- SSHD End -------------------------
>
>Now, that might rank up there as a 4 or 5 or so to be concerned about.
>The programmer is obviously an inept amateur. (The ones that only try
>a few hundred to a couple thousand times are the serious ones out to
>crack machines as efficiently as possible and don't waste time where
>they cannot get in.) If the Authentication Failures had shown the same
>36806 additional packets from that one address I'd be in deeper trouble,
>wouldn't I? Maybe that would mean I was hacked? It certainly would mean
>it if the Failed logins from: line had a different and smaller count
>from that same address. If they are the same that's no assurance. That
>is a 9 or 10 level warning.
>
>Somebody needs to collect some "wisdom" from experienced users to develop
>a bit of AI sense to apply to LogWatch that is a digest of "problems"
>rather than simple accounting, a tool so that my 90+ year old mother
>could look at the logs the way she might look at the fuel gauge in her
>car and note there is a problem, call an expert. (It's her own damn
>fault she'd die before calling me - religions get funny that way. {^_-})
>
>> Finally, like with cars, if all you want to do is the computing equivalent
>> of hop in, turn the key and make a run to the grocery store, about all you
>> need to do is scan the gauges and idiot lights and do the scheduled
>> maintenance.  On the other hand, if you want to drive like you're James
>> Bond escaping from Specter, you'd better do a little bit more.  All I'd
>> like to see normal users do is the equivalent of scan the idiot lights and
>> do the scheduled maintenance.  That's all.  Conversely, if you want to go
>> beyond just checking e-mail and surfing the 'net, it is your
>> responsibility to make sure that whatever services you open up don't
>> become an invitation to hackers.  It's in your best interest as well as
>> helping others not have to deal with your security lapses.
>
>Exactly - we need the idiot lights I discussed above. We also need to tune
>the idiot lights. There is a very good reason for this message to be
>present:
>
> --------------------- sendmail-largeboxes (large mail spool files) Begin ------------------------
>
> Large Mailbox threshold: 40MB (41943040 bytes)
>  Warning: Large mailbox: jdow (122970504)
>
> ---------------------- sendmail-largeboxes (large mail spool files) End -------------------------
>
>Yeah, I should tune the quota. But there are reasons not to do that as well.

All I can say is Amen, Joanne, logwatch does need to be a bit more 'aware' of 
what might be important.

>{^_-}   <- Yeah, I admit I am a little up and widdershins of strange.

Shh, darnit, you'll scare the rest of the wannabe wizards away.  And then 
Mikey will get really hungry.  And I wouldn't trust Mikey when he is hungry.

And I just noted the fortune generated sig, truer words were never uttered.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
I knew one thing: as soon as anyone said you didn't need a gun, you'd better
take one along that worked.
		-- Raymond Chandler
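The "problem digest" jdow asks for in the quoted message, as an added example that is not code from the thread or from the logwatch project: it parses the three logwatch sections quoted above (iptables rejects, pam_unix authentication failures, sshd failed logins), correlates them per source address, and applies the rule of thumb from the message: rejected SSH packets on their own are a noisy 4, a large number of password failures that actually reach sshd is a 9, and a pam_unix failure count that the sshd failed-login count does not match is a 10. The sample report is constructed (217.24.240.77 reproduces the quoted case; 203.0.113.9 is a documentation address used for the high-severity pattern), and the thresholds, ratings and section names other than those quoted are assumptions.

```python
"""Severity digest for logwatch-style report sections.

Added example, not code from the mailing-list post or the logwatch
project.  Parses iptables, pam_unix and SSHD sections, correlates the
counts per source address, and rates each source 1-10 following the
rule of thumb in the thread.  Thresholds and ratings are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample in logwatch's layout.  217.24.240.77 reproduces the
# case quoted in the thread; 203.0.113.9 (a documentation address) shows
# the pattern where pam_unix and sshd disagree.
SAMPLE = """\
 --------------------- iptables firewall Begin ------------------------

 Rejected 38018 packets on interface eth1
   From 217.24.240.77 - 36806 packets to tcp(22)
   From 203.0.113.9 - 1200 packets to tcp(22)
   From 207.217.77.42 - 12 packets to udp(53)

 ---------------------- iptables firewall End -------------------------

 --------------------- pam_unix Begin ------------------------

 sshd:
    Authentication Failures:
       root (217.24.240.77): 1 Time(s)
       root (203.0.113.9): 1200 Time(s)

 ---------------------- pam_unix End -------------------------

 --------------------- SSHD Begin ------------------------

 Failed logins from:
    217.24.240.77: 1 time
    203.0.113.9: 1150 times

 ---------------------- SSHD End -------------------------
"""

SECTION_RE = re.compile(r"-+ (.+?) Begin -+\n(.*?)\n\s*-+ \1 End -+", re.S)
FW_RE = re.compile(r"From (\S+) - (\d+) packets? to (tcp|udp)\(([\d,]+)\)")
PAM_RE = re.compile(r"^\s+\S+ \((\S+)\): (\d+) Time", re.M)
SSHD_RE = re.compile(r"^\s+(\d+(?:\.\d+){3}): (\d+) times?", re.M)

SUSTAINED = 1000  # assumption: this many failures reaching sshd rates a 9


def sections(report):
    """Map each logwatch section name to the text between its Begin and End lines."""
    return {name: body for name, body in SECTION_RE.findall(report)}


def parse_firewall(body):
    """Per source address: list of (proto, ports, packets) from 'From x - n packets' lines."""
    out = defaultdict(list)
    for src, count, proto, ports in FW_RE.findall(body):
        out[src].append((proto, tuple(int(p) for p in ports.split(",")), int(count)))
    return dict(out)


def parse_counts(body, regex):
    """Sum per-address counts matched by regex (group 1 = address, group 2 = count)."""
    out = defaultdict(int)
    for src, count in regex.findall(body):
        out[src] += int(count)
    return dict(out)


def rate(report):
    """Return {source: (rating 1-10, reason)} for every address seen in the report."""
    secs = sections(report)
    rejects = parse_firewall(secs.get("iptables firewall", ""))
    auth = parse_counts(secs.get("pam_unix", ""), PAM_RE)
    failed = parse_counts(secs.get("SSHD", ""), SSHD_RE)
    ratings = {}
    for src in set(rejects) | set(auth) | set(failed):
        hits = rejects.get(src, [])
        ssh_rejects = sum(n for proto, ports, n in hits if proto == "tcp" and 22 in ports)
        dns_probes = sum(n for proto, ports, n in hits if proto == "udp" and 53 in ports)
        a, f = auth.get(src, 0), failed.get(src, 0)
        if a and f < a:
            # pam_unix counted more failures than sshd reported as failed logins:
            # the two sections disagree, so review what happened to the difference.
            ratings[src] = (10, f"pam_unix saw {a} failures but sshd logged only {f} failed "
                                f"logins; review successful logins from this address")
        elif a >= SUSTAINED:
            ratings[src] = (9, f"{a} password failures reached sshd; guessing is not being blocked")
        elif ssh_rejects:
            ratings[src] = (4, f"{ssh_rejects} SSH packets rejected by the firewall; {a} reached sshd")
        elif dns_probes:
            ratings[src] = (3, f"{dns_probes} packets to udp/53; confirm the name server is current")
        else:
            ratings[src] = (1, "accounting only")
    return ratings


def digest(report):
    """One line per source, highest rating first, for the 'idiot light' view."""
    ranked = sorted(rate(report).items(), key=lambda kv: -kv[1][0])
    return [f"{score:2d}  {src:<16} {why}" for src, (score, why) in ranked]


if __name__ == "__main__":
    print("\n".join(digest(SAMPLE)))
```

Run as a script it prints the three sources ranked 10, 4, 3. Feeding it a real report means piping the logwatch output into `rate()`; the section regex relies on the Begin/End banner names matching, which the quoted report shows is the case for these three sections.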

More information about the fedora-list mailing list