Re: [cobalt-users] Portsentry - Definitions
- Subject: Re: [cobalt-users] Portsentry - Definitions
- From: abc-123@xxxxxxxxxxx
- Date: Mon Mar 19 22:48:02 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Does anyone know the support phone number for Cobalt?
David
----- Original Message -----
From: <flash22@xxxxxxx>
To: "Cobalt-Users@List. Cobalt. Com" <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Monday, March 19, 2001 11:09 AM
Subject: Re: [cobalt-users] Portsentry - Definitions
> On Mon, 19 Mar 2001, Jay Jennings wrote:
>
> > I get several emails a day showing Active System Attack Alerts and Security
> > Violations.
> >
> > Other than the fact that someone's poking around and trying to get in, do
> > those emails tell me other stuff I should care about? Do they give me hints
> > of places I should be shoring up against attack?
>
> yes, they give you an IP address that you should be searching for in the
> log files to see if they did something with a service that *wasn't*
> monitored by portsentry ;)
>
> Hints about what to shore up are better found on the security lists etc,
> by the time you get a message from your machine that you need to fix
> something it's gonna be too late -/
>
> > I've looked for details of what the messages mean, but haven't found the
> > "Newbie Guide to AttackAlerts."
>
> And you probably won't, as exactly what they mean depends on what was
> accessed, and that in turn depends how that service normally works, but at
> a minimum look the port number up and see what service they would have
> accessed if it had been there, that at least tells you what they were
> hoping to do...
>
> I'd be more concerned about the second type of messages, what exactly
> are you getting for 'Security violations'? Attempts to log in?
> That can sometimes be a hint someone thinks there is in fact some way
> in...
>
> Or just that they are totally clueless... -/
>
> Short version, the small email alerts are mostly useful to tell you you
> should go looking to see what was attempted, if it's nothing but a stray
> access to a monitored port, it's minor, really... but you won't know till
> you go looking at logs for odd errors... (which in turn means you have to
> know what constitutes an 'odd error' ;)
>
> for example, this is junk:
>
> -ERR Unknown command: "top".
>
> this is 'noteworthy but probably nothing', people forget their passwords,
> mail programs zap them and people don't notice...
>
> -ERR [AUTH] Password supplied for "info" is incorrect.
>
> and this is an actual attempt to gain access
>
> - SECURITY VIOLATION: root login attempted.
> so'd this
> -ERR [AUTH] Access is blocked for UIDs below 10
>
> And this might be very serious:
> -ERR Unknown command: "m^*(d6%$".
>
> Sometimes it's harder though, this is ok, if it only happens once
>
> Received (6): "expn" [pop_get_command.c:87]
>
> But if you see hundreds of them, someone is fishing for usernames ;)
>
> This is noteworthy...pop clients don't send illegal commands in general ;)
> (but people playing with the server do)
>
> [108] Received (5): "\" [pop_get_command.c:87]
>
> Except sometimes they do...
> -ERR Unknown command: "xsender".
>
> I doubt this helps much ;) The point is to really know what's going on,
> you need to spend some time seeing what the various programs normally do,
> so you recognize when they are doing something they aren't normally
> supposed to do, then you have an idea what's really happening when someone
> is playing around with your server...
>
> gsh
>
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users