
RE: [cobalt-security] Lame Server messages



Enrique wrote:
> Graeme, I would love to set up LogCheck to ignore the Lame
> server and the "no such user 'anonymous'" check that Active
> Monitor does every 15 minutes. But I'm no techie and don't
> know how to do it. Could you possibly give the command string
> to enter for LogCheck to ignore these two messages?

<racks brain for details... then goes to Psionic for documentation :) >

Here goes, from the logcheck INSTALL file:

==========================
logcheck.violations.ignore -- This file contains words that are reverse
searched against the logcheck.violations file. If these words are found,
that entry is not reported. An example of this are the following log
entries:

Feb 28 21:00:08 nemesis sendmail[5475]: VAA05473: to=crowland, ctladdr=root
(0/0), delay=00:00:02, xdelay=00:00:01, mailer=local, stat=refused

Feb 28 22:13:53 nemesis rshd: refused connect from hacker@xxxxxxxx:1490

The top entry is from sendmail and is a fairly common error; the stat line
indicates that the remote host refused connections (stat=refused). This can
happen for a variety of reasons and generally is not a problem.

The bottom line however indicates that a person (hacker@xxxxxxxx) has tried
unsuccessfully to start an rsh session on my machine, this is bad (of
course you shouldn't be running rshd to begin with).

The logcheck.violations file will find the word 'refused' and will flag it
to be logged, however this will report both instances as being bad and you
will get false alarms from sendmail (both had the word refused). By putting
the following in the logcheck.violations.ignore file you tell logcheck to
ignore the sendmail problem and it will only report to you the bad rsh
connection:

(in logcheck.violations.ignore)

mailer=local, stat=refused

This will prevent reports from any line that contains "refused" but has the
rest of the keywords "mailer=local, stat=refused." This is of course pretty
basic, and not very intelligent, however you must remember that by forcing
you to be specific in what you ignore, you will not overlook something
important. A word of caution though, if you don't pick a long enough string
to put in the logcheck.violations.ignore file then you could ignore
significant events. Be very very careful what you put in here. The default
file has only one entry in it to allow grep to run. Tune it to your system
carefully! If the above did not make sense at all, leave the file as it is.

logcheck.ignore -- This file is the catch-all file for words to look for in
the logs and to NOT REPORT. Again be specific with what you want to ignore
and go easy on the wildcards. Anything that does not match what is in this
file is reported (so you don't risk missing anything) as "Unusual System
Activity." The default is again BSDish and biased towards FWTK and TCP
Wrappers.
==========================

So you put the entries into logcheck.ignore and logcheck.violations.ignore.
I have no idea where these are on your system, so track 'em down and use
them.

> It would be helpful if there was an FAQ for some of the strange error 
> messages which are generated due to the Cobalt interface. I know the 
> first time I looked at my logs I thought, "Oh, my God. I've 
> been hacked!"

OK, I'm about to send a message regarding log entries. I've submitted it to
Cobalt to see if I can get it in the knowledgebase. Hold your breath :)

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC
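The INSTALL text quoted above describes the filtering in words; the following is an added example (not logcheck's own code, nor anything from the poster or from Cobalt) that models the same three keyword files in Python so you can see what a too-short ignore entry costs. It assumes logcheck's shape of search: violation keywords matched case-insensitively (as grep -i -f does), and the two ignore files used to drop matching lines (as grep -v -f does), with Python's re module standing in for grep's regex dialect. The sendmail and rshd lines are the two quoted from the INSTALL file; the named "Lame server" line and the ftpd "no such user 'anonymous'" line are constructed for this example and only stand in for the Cobalt messages Enrique asked about, whose exact wording is not given on this page.

```python
"""Model of logcheck's three keyword files (added example, not logcheck's code)."""
import re

# Constructed sample log. Lines 1 and 2 are the two quoted in the logcheck INSTALL
# text; lines 3 and 4 are made up here to stand in for the "Lame server" and
# "no such user 'anonymous'" messages (addresses from the 192.0.2.0/24 test range).
SAMPLE_LOG = [
    "Feb 28 21:00:08 nemesis sendmail[5475]: VAA05473: to=crowland, ctladdr=root "
    "(0/0), delay=00:00:02, xdelay=00:00:01, mailer=local, stat=refused",
    "Feb 28 22:13:53 nemesis rshd: refused connect from hacker@xxxxxxxx:1490",
    "Feb 28 22:15:01 nemesis named[199]: Lame server on '53.2.0.192.in-addr.arpa' "
    "(in '2.0.192.in-addr.arpa'?): [192.0.2.53].53 'ns.example.net'",
    "Feb 28 22:30:00 nemesis ftpd[4321]: FTP LOGIN REFUSED (no such user 'anonymous') "
    "FROM localhost [127.0.0.1], anonymous",
]

# logcheck.violations: keywords that flag a line for the violations report.
VIOLATIONS = ["refused"]

# Entries shared by both runs below for logcheck.ignore (the "Unusual System
# Activity" catch-all). Each one is long enough to pin down a single message type.
IGNORE = ["mailer=local, stat=refused", "Lame server on", "no such user 'anonymous'"]


def _compile(patterns, flags=0):
    """Patterns are regexes, as with grep -f; plain keywords are the safe choice."""
    return [re.compile(p, flags) for p in patterns if p.strip()]


def _matches_any(line, compiled):
    return any(rx.search(line) for rx in compiled)


def run_logcheck(log_lines, violations, violations_ignore, ignore):
    """Return (security_violations, unusual_activity) for one pass over the log.

    violations        -- keywords searched case-insensitively (grep -i -f)
    violations_ignore -- a matching line is dropped from the violations report
    ignore            -- a matching line is dropped from the unusual-activity report
    """
    viol_rx = _compile(violations, re.IGNORECASE)
    viol_ign_rx = _compile(violations_ignore)
    ign_rx = _compile(ignore)
    security_violations = [
        line for line in log_lines
        if _matches_any(line, viol_rx) and not _matches_any(line, viol_ign_rx)
    ]
    unusual_activity = [line for line in log_lines if not _matches_any(line, ign_rx)]
    return security_violations, unusual_activity


def tuned_run():
    """Specific ignore entries: the sendmail and ftpd noise goes, the rshd attempt stays."""
    return run_logcheck(
        SAMPLE_LOG,
        VIOLATIONS,
        violations_ignore=["mailer=local, stat=refused", "no such user 'anonymous'"],
        ignore=IGNORE,
    )


def careless_run():
    """Too-short entry: a bare 'refused' in violations.ignore also hides the rshd line."""
    return run_logcheck(
        SAMPLE_LOG,
        VIOLATIONS,
        violations_ignore=["refused", "no such user 'anonymous'"],
        ignore=IGNORE,
    )


if __name__ == "__main__":
    for name, run in (("tuned", tuned_run), ("careless", careless_run)):
        violations, unusual = run()
        print(f"[{name}] violations reported: {len(violations)}, unusual lines: {len(unusual)}")
        for line in violations:
            print("  VIOLATION:", line)
```

Running it shows the trade-off the INSTALL text warns about: the tuned ignore files report exactly one violation (the rshd connection attempt) and one unusual line (the same rshd attempt, since nothing in logcheck.ignore covers it), while the careless "refused" entry reports no violations at all, the rshd probe included.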