[techtalk] Firewalls

Nicole Zimmerman colby at wsu.edu
Mon Sep 25 10:24:31 EST 2000


> Fex: ssh from my machine is ok, and also a single attempt from evil.isp.com.
> But if evil.isp.com sshs twenty times to five different users, we want an
> alarm.

Just for this part of the problem, I have found logcheck to be beautiful
on my debian system. You can set things to parse out of logfiles (and to
not parse out!), and an email is sent after some sort of security
violation takes place.

I am not sure just *how* customizable it is, though, in terms of not
responding to one of something but responding to 20 of something. I see
all incorrect login attempts, all root logins, all sudo'ed activity,
kernel errors, I think it's everything logged via syslogd (though it seems
to be more?).

The packages.debian.org description says it is a part of the Abacus
Project of security tools, and a bunch of stuff including the Firewall
Toolkit (c) by Trusted Information Systems. (Incidentally, I found the
firewall toolkit at http://www.tis.com/research/software/).

Just a little tidbit from me. Logcheck has made it a lot easier for me to
monitor logs. It's available on freshmeat as a tarball also.

-nicole
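The quoted requirement (one ssh attempt from a host is fine, twenty attempts spread over five users should raise an alarm) is exactly the counting logic that a pattern-only log watcher like logcheck does not express on its own. The script below is an added example, not part of this post or of the logcheck package: it parses classic sshd syslog lines, tallies attempts per source address, and flags a source once it crosses either an attempt threshold or a distinct-user threshold. The log lines, hostnames, addresses and the threshold values are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the classic sshd syslog format, e.g.
#   Sep 25 10:24:31 host sshd[1234]: Failed password for invalid user bob from 192.0.2.10 port 4242 ssh2
# Group names are this example's own choice, not a logcheck convention.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict of fields for an sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_spray_sources(lines, max_attempts=20, max_users=5):
    """Return {src: (attempt_count, distinct_user_count)} for every source that
    made at least max_attempts attempts OR targeted at least max_users distinct
    users.  A single attempt from anywhere never trips either threshold, which
    is the behaviour the quoted message asks for.  Thresholds are assumptions."""
    attempts = defaultdict(int)
    users = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an sshd auth line; ignore
        attempts[rec["src"]] += 1          # every auth event counts as an attempt
        users[rec["src"]].add(rec["user"])
    alarms = {}
    for src, n in attempts.items():
        if n >= max_attempts or len(users[src]) >= max_users:
            alarms[src] = (n, len(users[src]))
    return alarms


# Constructed sample log: one legitimate login, one lone failure from a
# stranger (should NOT alarm), an unrelated line, and a burst of twenty
# attempts from 203.0.113.5 (standing in for "evil.isp.com") against five users.
SAMPLE_LOG = [
    "Sep 25 10:24:31 colby sshd[1001]: Accepted publickey for nicole from 192.0.2.10 port 50211 ssh2",
    "Sep 25 10:25:02 colby sshd[1002]: Failed password for invalid user guest from 198.51.100.9 port 40110 ssh2",
    "Sep 25 10:30:00 colby sshd[1003]: Received disconnect from 198.51.100.9: 11: Bye Bye",
]
_USERS = ["root", "nicole", "admin", "test", "guest"]
for _i in range(20):
    SAMPLE_LOG.append(
        f"Sep 25 10:3{_i // 10}:{_i % 10:02d} colby sshd[{2000 + _i}]: Failed password for "
        f"{'invalid user ' if _i % 2 else ''}{_USERS[_i % 5]} from 203.0.113.5 port {40000 + _i} ssh2"
    )


if __name__ == "__main__":
    for src, (n, u) in find_spray_sources(SAMPLE_LOG).items():
        print(f"ALARM: {src} made {n} ssh attempts against {u} distinct users")
```

Run against a real `/var/log/auth.log` the script would be fed the file's lines instead of `SAMPLE_LOG`; in practice you would also bound the window (per hour, say) so that counts do not accumulate forever across a long-lived log.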