
Re: [cobalt-users] Portsentry - Definitions



On Mon, 19 Mar 2001, Jay Jennings wrote:

> I get several emails a day showing Active System Attack Alerts and Security
> Violations.
> 
> Other than the fact that someone's poking around and trying to get in, do
> those emails tell me other stuff I should care about? Do they give me hints
> of places I should be shoring up against attack?

Yes, they give you an IP address that you should be searching for in the
log files to see if they did something with a service that *wasn't*
monitored by portsentry ;)

Hints about what to shore up are better found on the security lists, etc.;
by the time you get a message from your machine that you need to fix
something, it's gonna be too late -/

> I've looked for details of what the messages mean, but haven't found the
> "Newbie Guide to AttackAlerts."

And you probably won't, as exactly what they mean depends on what was
accessed, and that in turn depends on how that service normally works. But at
a minimum, look the port number up and see what service they would have
accessed if it had been there; that at least tells you what they were
hoping to do...

I'd be more concerned about the second type of messages. What exactly
are you getting for 'Security violations'? Attempts to log in?
That can sometimes be a hint someone thinks there is in fact some way
in...

Or just that they are totally clueless... -/

Short version: the small email alerts are mostly useful to tell you you
should go looking to see what was attempted. If it's nothing but a stray
access to a monitored port, it's minor, really... but you won't know till
you go looking at logs for odd errors... (which in turn means you have to
know what constitutes an 'odd error' ;)

for example, this is junk:

	 -ERR Unknown command: "top".

this is 'noteworthy but probably nothing', people forget their passwords,
mail programs zap them and people don't notice...

	 -ERR [AUTH] Password supplied for "info" is incorrect. 

and this is an actual attempt to gain access:

	 - SECURITY VIOLATION: root login attempted. 

So'd this:

	-ERR [AUTH] Access is blocked for UIDs below 10 

And this might be very serious:

	-ERR Unknown command: "m^*(d6%$".

Sometimes it's harder, tho; this is ok if it only happens once:

	Received (6): "expn" [pop_get_command.c:87]

But if you see hundreds of them, someone is fishing for usernames ;)

This is noteworthy...pop clients don't send illegal commands in general ;)
(but people playing with the server do)

	[108] Received (5): "\" [pop_get_command.c:87]

Except sometimes they do...

	-ERR Unknown command: "xsender".

I doubt this helps much ;) The point is: to really know what's going on,
you need to spend some time seeing what the various programs normally do,
so you recognize when they are doing something they aren't normally
supposed to do; then you have an idea what's really happening when someone
is playing around with your server...

gsh
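As an added example (not part of gsh's reply or the cobalt-users thread), here is a small Python triage script that sorts POP server log lines into the rough categories the reply walks through: junk, noteworthy, an access attempt, and possibly serious. The sample lines are constructed to match the shapes quoted above; the category names, the letters-and-digits test for a "real" command, and the three-probe threshold for repeated "expn" are assumptions of this example, not anything from the post.

```python
import re
from collections import Counter

# Constructed sample lines shaped like the ones quoted in the post (not a real log).
SAMPLE_LOG = [
    '-ERR Unknown command: "top".',
    '-ERR [AUTH] Password supplied for "info" is incorrect.',
    '- SECURITY VIOLATION: root login attempted.',
    '-ERR [AUTH] Access is blocked for UIDs below 10',
    '-ERR Unknown command: "m^*(d6%$".',
    'Received (6): "expn" [pop_get_command.c:87]',
    'Received (6): "expn" [pop_get_command.c:87]',
    'Received (6): "expn" [pop_get_command.c:87]',
    r'[108] Received (5): "\" [pop_get_command.c:87]',
    '-ERR Unknown command: "xsender".',
]

UNKNOWN_CMD = re.compile(r'Unknown command: "(.*)"')
RECEIVED = re.compile(r'Received \(\d+\): "(.*)" \[pop_get_command\.c:\d+\]')
# Letters/digits only = a client speaking a dialect the server lacks; anything else looks typed or fuzzed.
WORDLIKE = re.compile(r'^[A-Za-z0-9_-]+$')
# Assumed threshold (not from the post): this many "expn" probes in one log is treated as username fishing.
EXPN_THRESHOLD = 3

def classify_line(line):
    """Return one of: junk, noteworthy, access-attempt, serious, unknown."""
    if "SECURITY VIOLATION" in line or "Access is blocked for UIDs below" in line:
        return "access-attempt"
    if "Password supplied for" in line and "is incorrect" in line:
        return "noteworthy"  # forgotten passwords and stale client configs
    m = UNKNOWN_CMD.search(line)
    if m:
        return "junk" if WORDLIKE.match(m.group(1)) else "serious"
    m = RECEIVED.search(line)
    if m:
        # "expn" once is only noise; an illegal character such as a bare backslash
        # means someone is typing at the server rather than using a mail client.
        return "junk" if WORDLIKE.match(m.group(1)) else "noteworthy"
    return "unknown"

def triage(lines):
    """Count lines per category and flag repeated expn probes as username fishing."""
    counts = Counter(classify_line(l) for l in lines)
    matches = [RECEIVED.search(l) for l in lines]
    expn = sum(1 for m in matches if m and m.group(1).lower() == "expn")
    counts["expn-probes"] = expn
    counts["username-fishing"] = int(expn >= EXPN_THRESHOLD)
    return dict(counts)
```

Calling `triage(SAMPLE_LOG)` on the constructed lines gives five junk lines, two noteworthy, two access attempts, one serious line, and sets the username-fishing flag because "expn" shows up three times.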