linux-l: Re: monitoring tool for firewall
Robin S. Socha
robin at socha.net
Sun Sep 10 11:15:55 CEST 2000
* Tomasz Poslada <t.poslada at agentscape.de> writes:
> Can anyone recommend a tool with which one can monitor a firewall
> (kernel 2.2.x) non-stop?
What exactly do you mean by "monitor a firewall (kernel 2.2.x)"? I use
the following:
root at radioactive ~> ls /usr/local/src/IDS/
hostsentry-0.02 lids-0.9.7 logcheck-1.1.1 portsentry-1.0
,----[ HostSentry ]
| HostSentry is a host based intrusion detection tool that operates on
| the principle of Login Anomaly Detection (LAD), or what I sometimes
| call login cross-correlation.
`----
,----[ Linux Intrusion Detection System ]
| More about LIDS, go to http://www.lids.org for more details.
`----
,----[ logcheck ]
| Logcheck is a software package that is designed to automatically run
| and check system log files for security violations and unusual
| activity. Logcheck utilizes a program called logtail that remembers
| the last position it read from in a log file and uses this position
| on subsequent runs to process new information. All source code is
| available for review and the implementation was kept simple to
| avoid problems. This package is a clone of the frequentcheck.sh
| script from the Trusted Information Systems Gauntlet(tm) firewall
| package. TIS has granted permission for me to clone this package.
`----
,----[ PortSentry - Port scan detection and active defense. ]
| PortSentry has a number of options to detect port scans, when it finds
| one it can react in the following ways:
|
| - A log indicating the incident is made via syslog()
| - The target host is automatically dropped into /etc/hosts.deny
| for TCP Wrappers
| - The local host is automatically re-configured to route all
| traffic to the target to a dead host to make the target system
| disappear.
| - The local host is automatically re-configured to drop all
| packets from the target via a local packet filter.
|
| The purpose of this is to give an admin a heads up that their host is
| being probed. There are similar programs that do this already (klaxon,
| etc.) I just add a little twist to the whole idea (auto-blocking), plus
| extensive support for stealth scan detection.
`----
> Checking logs by hand is rather "unergonomic" ;)
There is a whole range of tools you can use to check logs (or have them
checked for you). http://freshmeat.net/ is your friend.
--
Robin S. Socha <http://socha.net/>
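The logtail idea quoted above (remember the last read position, and on the next run only examine what was appended) is small enough to show in full. This is an added illustration, not code from logcheck or from the list post; the sample syslog lines and the short keyword list are constructed for the example, and the state file format (inode plus byte offset in JSON) is my own choice.

```python
import json
import os
import re
import tempfile

# Constructed sample syslog lines (not real data); addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG = (
    "Sep 10 11:15:55 radioactive sshd[123]: Accepted password for robin from 192.0.2.10\n"
    "Sep 10 11:16:02 radioactive su: FAILED SU (to root) robin on pts/0\n"
    "Sep 10 11:16:30 radioactive kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4321 192.0.2.1:23\n"
)
# A few keywords in the spirit of logcheck's violation lists (assumed, heavily simplified).
VIOLATION_PATTERNS = [re.compile(p) for p in (r"FAILED SU", r"\bDENY\b", r"refused")]


def read_new_lines(log_path, state_path):
    """logtail behaviour: return only lines appended since the previous run.
    State is (inode, offset); a changed inode or a file shorter than the saved
    offset means rotation or truncation, so reading restarts at byte 0."""
    st = os.stat(log_path)
    offset = 0
    if os.path.exists(state_path):
        with open(state_path) as f:
            saved = json.load(f)
        if saved["inode"] == st.st_ino and saved["offset"] <= st.st_size:
            offset = saved["offset"]
    with open(log_path, "rb") as f:
        f.seek(offset)
        data = f.read()
        new_offset = f.tell()
    with open(state_path, "w") as f:          # remember where this run stopped
        json.dump({"inode": st.st_ino, "offset": new_offset}, f)
    return data.decode("utf-8", "replace").splitlines()


def check_log(log_path, state_path):
    """Run the unread lines through the patterns; return the ones that match."""
    return [ln for ln in read_new_lines(log_path, state_path)
            if any(p.search(ln) for p in VIOLATION_PATTERNS)]


def demo():
    """Write the constructed log to a temp dir and run the check three times."""
    d = tempfile.mkdtemp()
    log, state = os.path.join(d, "messages"), os.path.join(d, "logcheck.offset")
    with open(log, "w") as f:
        f.write(SAMPLE_LOG)
    first = check_log(log, state)    # first run: all three lines read, two hits
    second = check_log(log, state)   # second run: nothing new, so no hits
    with open(log, "a") as f:        # syslog appends one more line in between
        f.write("Sep 10 11:20:00 radioactive in.telnetd[130]: refused connect from 203.0.113.9\n")
    third = check_log(log, state)    # third run: only the appended line is examined
    return first, second, third
```

Running `demo()` shows the three runs: two hits, then none, then only the freshly appended "refused" line; a cron job calling `check_log` every few minutes is the whole of the logcheck loop.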
More information about the linux-l mailing list