
RE: [cobalt-users] Logcheck report



Additional info for those who know better than me about Linux...

I played with this today and found it interesting to try this...

Using Webalizer 2.01 and LogCheck-1.1.1 on my RAQ4r

--------------------------------------------------------------------------------
(1) Execute the LogCheck from /etc/cron.hourly (if that's where you have it)

then

(2) Execute the Webalizer.pl in the /etc/cron.daily

then

(3) Execute the LogCheck in /etc/cron.hourly again...
--------------------------------------------------------------------------------

I did this as it seemed that if I ran LogCheck manually at, say, 5 min intervals
there was little data, or no email generated at all, if no traffic had been
recorded. I found it interesting that most, if not all, of my 'Lame server' and
'Bad Referral' entries are created again when I run LogCheck, Webalizer and
LogCheck again...

Is it that Webalizer is creating these errors in my LogCheck because of the
URLs and IPs inside the files that Webalizer works with when executed?

I would dearly like to know how to suppress some of the report lines... if
anybody knows...

Regards

Tim Lawson




> Hello all,
>
> I have installed LogCheck-1.1.1 onto my Raq4r following every instruction
> from the useful guide I found at UK2Raq.
> Here is the guide I followed
> http://www.uk2raq.com/raqfaq/raqfaqshow.php?faq=45
>
> Everything seemed to work out perfectly with the install of LogCheck.
>
> Does anybody know how to read / determine if the emails sent by LogCheck are
> saying my Cobalt has been compromised or not?
> I get a lot of this in a typical report...
>
> --------------------------------------------------------------------------------
>
> Security Violations
> =-=-=-=-=-=-=-=-=-=
> May 30 04:08:40 www named[394]: bad referral (228.165.in-addr.arpa !<
> 130.228.165.in-addr.arpa) from [165.228.129.5].53
> May 30 04:08:40 www named[394]: bad referral (228.165.in-addr.arpa !<
> 130.228.165.in-addr.arpa) from [165.228.129.5].53
> May 30 04:08:40 www named[394]: bad referral (228.165.in-addr.arpa !<
> 129.228.165.in-addr.arpa) from [165.228.129.5].53
> May 30 04:08:40 www named[394]: bad referral (228.165.in-addr.arpa !<
> 129.228.165.in-addr.arpa) from [165.228.129.5].53
>
> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
> May 30 04:02:54 www syslogd 1.3-3: restart.
> May 30 04:06:58 www named[394]: Lame server on 'ns.cqcqptt.net.cn' (in
> 'cqcqptt.net.cn'?): [61.128.128.68].53 'ns.cta.net.cn'
> May 30 04:07:10 www named[394]: Lame server on
> '39.195.98.202.in-addr.arpa'
> (in '195.98.202.in-addr.arpa'?): [202.98.192.68].53 'ns.gzgyptt.net.cn'
> May 30 04:07:13 www named[394]: Lame server on
> '156.74.142.61.in-addr.arpa'
> (in '142.61.in-addr.arpa'?): [202.96.134.133].53 'ns.szptt.net.cn'
> May 30 04:07:15 www named[394]: Lame server on
> '156.74.142.61.in-addr.arpa'
> (in '142.61.in-addr.arpa'?): [202.96.128.68].53 'dns.guangzhou.gd.cn'
> May 30 04:08:40 www named[394]: bad referral (228.165.in-addr.arpa !<
> 130.228.165.in-addr.arpa) from [165.228.129.5].53
> May 30 04:08:40 www named[394]: bad referral (228.165.in-addr.arpa !<
> 130.228.165.in-addr.arpa) from [165.228.129.5].53
> May 30 04:08:40 www named[394]: bad referral (228.165.in-addr.arpa !<
> 129.228.165.in-addr.arpa) from [165.228.129.5].53
> May 30 04:08:40 www named[394]: bad referral (228.165.in-addr.arpa !<
> 129.228.165.in-addr.arpa) from [165.228.129.5].53
> May 30 04:08:41 www named[394]: Lame server on
> '26.177.126.131.in-addr.arpa'
> (in '126.131.in-addr.arpa'?): [137.39.1.3].53 'NS.UU.NET'
> May 30 04:15:02 www proftpd[12390]: www.mydomain.com.au
> (localhost[127.0.0.1]) - FTP session opened.
> May 30 04:15:02 www proftpd[12390]: www.mydomain.com.au
> (localhost[127.0.0.1]) - FTP session closed.
> May 30 04:30:01 www proftpd[12977]: www.mydomain.com.au
> (localhost[127.0.0.1]) - FTP session opened.
> May 30 04:30:01 www proftpd[12977]: www.mydomain.com.au
> (localhost[127.0.0.1]) - FTP session closed.
> May 30 04:45:00 www proftpd[13562]: www.mydomain.com.au
> (localhost[127.0.0.1]) - FTP session opened.
> May 30 04:45:00 www proftpd[13562]: www.mydomain.com.au
> (localhost[127.0.0.1]) - FTP session closed.
> May 30 04:50:26 www named[394]: Cleaned cache of 17 RRsets
> May 30 04:50:26 www named[394]: USAGE 991162226 991144226 CPU=0.27u/0.09s
> CHILDCPU=0u/0s
> May 30 04:50:26 www named[394]: NSTATS 991162226 991144226 A=11 CNAME=1
> SOA=172 PTR=223 MX=3 ANY=15
> May 30 04:50:26 www named[394]: XSTATS 991162226 991144226 RR=496 RNXD=25
> RFwdR=250 RDupR=0 RFail=0 RFErr=0 RErr=0 RAXFR=0 RLame=7 ROpts=0 SSysQ=185
> SAns=362 SFwdQ=209 SDupQ=42 SErr=0 RQ=425 RIQ=0 RFwdQ=209 RDupQ=0 RTCP=0
> SFwdR=250 SFail=0 SFErr=0 SNaAns=205 SNXD=36 RUQ=0 RURQ=0 RUXFR=0 RUUpd=0
> May 30 05:00:01 www proftpd[14153]: www.mydomain.com.au
> (localhost[127.0.0.1]) - FTP session opened.
> May 30 05:00:01 www proftpd[14153]: www.mydomain.com.au
> (localhost[127.0.0.1]) - FTP session closed.
> --------------------------------------------------------------------------------
>
> None of the IPs listed in this report are mine, and for obvious reasons I
> have removed my host and domain names.
>
> I have read through the archives for this list and believe the lines by
> proftpd ending in '- FTP session opened/closed.' are the active monitor.
> How do I learn to suppress these, or any other lines, in the report?
>
> I just don't know how to read my hourly report...
>
> Any help?
> Thanks in advance...
>
>
>
>
> regards,
>
> Todd Kirk
>
>
>
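Both posts ask how lines get suppressed from the LogCheck mail. The mechanism is a list of egrep ignore patterns: LogCheck runs the new syslog lines through `egrep -v -f` against its ignore file, and only lines matched by no pattern are reported. The script below is an added example, written for this page and not code from either poster or from the LogCheck project; the log lines are modelled on the report quoted above, the patterns and the 203.0.113.9 address are constructed, and the name and location of the real ignore file on a RaQ install (logcheck.ignore under the LogCheck config directory) are assumed rather than taken from the thread.

```shell
#!/bin/sh
# Added example, not code from either poster or from LogCheck itself:
# a LogCheck-style ignore filter. The mail is built by passing the new
# syslog lines through egrep -v -f with a file of ignore patterns, so a
# line is suppressed only if some pattern matches it. Log lines, patterns
# and the 203.0.113.9 address below are constructed for the demonstration.

# Sample syslog lines, modelled on the report quoted in the thread.
sample_log() {
cat <<'EOF'
May 30 04:15:02 www proftpd[12390]: www.mydomain.com.au (localhost[127.0.0.1]) - FTP session opened.
May 30 04:15:02 www proftpd[12390]: www.mydomain.com.au (localhost[127.0.0.1]) - FTP session closed.
May 30 04:50:26 www named[394]: Cleaned cache of 17 RRsets
May 30 04:50:26 www named[394]: USAGE 991162226 991144226 CPU=0.27u/0.09s CHILDCPU=0u/0s
May 30 04:08:40 www named[394]: bad referral (228.165.in-addr.arpa !< 130.228.165.in-addr.arpa) from [165.228.129.5].53
May 30 04:06:58 www named[394]: Lame server on 'ns.cqcqptt.net.cn' (in 'cqcqptt.net.cn'?): [61.128.128.68].53 'ns.cta.net.cn'
May 30 05:12:07 www proftpd[14200]: www.mydomain.com.au (203.0.113.9[203.0.113.9]) - FTP session opened.
EOF
}

# Ignore patterns (extended regular expressions, one per line), the kind
# of content that goes into the ignore file. Each pattern is pinned to
# the daemon name and to the exact message text, so only the known-benign
# noise is dropped: the active monitor's own FTP sessions from localhost
# and named's periodic cache-cleaning and statistics lines.
ignore_patterns() {
cat <<'EOF'
proftpd\[[0-9]+\]: .* \(localhost\[127\.0\.0\.1\]\) - FTP session (opened|closed)\.$
named\[[0-9]+\]: Cleaned cache of [0-9]+ RRsets$
named\[[0-9]+\]: (USAGE|NSTATS|XSTATS) [0-9]+ [0-9]+
EOF
}

# What would end up in the mail: every line no ignore pattern matches.
filter_report() {
    patfile=$(mktemp) || return 1
    ignore_patterns > "$patfile"
    sample_log | grep -E -v -f "$patfile"
    rm -f "$patfile"
}

filter_report
```

Run as written, the two localhost FTP lines and the two named housekeeping lines disappear, while the 'bad referral' and 'Lame server' messages and the FTP session from 203.0.113.9 are still reported. That last line is the reason to write the FTP pattern with `localhost[127.0.0.1]` spelled out instead of a bare `FTP session opened`: a pattern that is too broad would also hide logins from addresses that are not the monitor, which is exactly the event the report exists to show.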