linux-l: Re: monitoring tool for firewall

Robin S. Socha robin at socha.net
Sun Sep 10 11:15:55 CEST 2000


* Tomasz Poslada <t.poslada at agentscape.de> writes:

> Can anyone recommend a tool for monitoring a firewall (kernel 2.2.x)
> non-stop?

What exactly do you mean by "monitoring a firewall (kernel 2.2.x)"? I
use the following:

root at radioactive ~> ls /usr/local/src/IDS/
hostsentry-0.02  lids-0.9.7  logcheck-1.1.1  portsentry-1.0

,----[ HostSentry ]
| HostSentry is a host based intrusion detection tool that operates on
| the principle of Login Anomaly Detection (LAD), or what I sometimes
| call login cross-correlation.
`----

,----[ Linux Intrusion Detection System ]
| For more about LIDS, go to http://www.lids.org.
`----

,----[ logcheck ]
| Logcheck is a software package that is designed to automatically run
| and check system log files for security violations and unusual
| activity. Logcheck utilizes a program called logtail that remembers
| the last position it read from in a log file and uses this position
| on subsequent runs to process new information. All source code is
| available for review and the implementation was kept simple to
| avoid problems. This package is a clone of the frequentcheck.sh
| script from the Trusted Information Systems Gauntlet(tm) firewall
| package. TIS has granted permission for me to clone this package.
`----

,----[ PortSentry - Port scan detection and active defense. ]
| PortSentry has a number of options to detect port scans, when it finds
| one it can react in the following ways:
| 
|         - A log indicating the incident is made via syslog()
|         - The target host is automatically dropped into /etc/hosts.deny
|           for TCP Wrappers
|         - The local host is automatically re-configured to route all
|           traffic to the target to a dead host to make the target system
|           disappear.
|         - The local host is automatically re-configured to drop all
|           packets from the target via a local packet filter.
| 
| 
| The purpose of this is to give an admin a heads up that their host is
| being probed. There are similar programs that do this already (klaxon,
| etc.) I just add a little twist to the whole idea (auto-blocking), plus
| extensive support for stealth scan detection.
`----

> Checking logs by hand is pretty "unergonomic" ;)

There is a whole range of tools you can use to check logs (or have them
checked for you). http://freshmeat.net/ is your friend.
-- 
Robin S. Socha <http://socha.net/>
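The logtail/logcheck mechanism quoted above (remember the last read offset, process only what was appended, report lines matching a violation pattern) as an added example; this is not logcheck's own code, and the pattern list, file names and log lines are constructed for the demo.

```python
import json
import os
import re
import tempfile

# Constructed patterns standing in for a logcheck rule set.
SUSPICIOUS = [
    re.compile(r"failed password", re.I),
    re.compile(r"refused connect", re.I),
    re.compile(r"attackalert", re.I),  # prefix PortSentry uses in syslog
]

def logtail(log_path, offset_path):
    """Return only the lines appended since the last run (what logtail does).
    Offset file holds inode + byte offset; a new inode (rotation) or a shrunken
    file (truncation) restarts reading from byte 0."""
    state = {"inode": None, "offset": 0}
    if os.path.exists(offset_path):
        with open(offset_path) as f:
            state = json.load(f)
    st = os.stat(log_path)
    if state["inode"] != st.st_ino or st.st_size < state["offset"]:
        state = {"inode": st.st_ino, "offset": 0}
    with open(log_path, "rb") as f:
        f.seek(state["offset"])
        chunk = f.read()
        state["offset"] = f.tell()
    with open(offset_path, "w") as f:  # persist the position for the next run
        json.dump(state, f)
    return chunk.decode("utf-8", "replace").splitlines()

def logcheck(log_path, offset_path):
    """Keep only new lines that match a violation pattern (logcheck's report)."""
    return [ln for ln in logtail(log_path, offset_path)
            if any(p.search(ln) for p in SUSPICIOUS)]

def demo():
    """Three runs over a constructed log: initial, nothing new, then new lines."""
    d = tempfile.mkdtemp()
    log, off = os.path.join(d, "messages"), os.path.join(d, "messages.offset")
    with open(log, "w") as f:
        f.write("Sep 10 11:15:55 fw sshd[123]: Failed password for root from 10.0.0.5\n"
                "Sep 10 11:16:00 fw cron[124]: (root) CMD (run-parts /etc/cron.hourly)\n")
    first = logcheck(log, off)     # -> 1 hit (the sshd line)
    second = logcheck(log, off)    # no new bytes -> []
    with open(log, "a") as f:
        f.write("Sep 10 11:17:02 fw portsentry[99]: attackalert: TCP SYN scan from 10.0.0.9\n")
    third = logcheck(log, off)     # -> 1 hit (only the appended line)
    return len(first), len(second), len(third)
```

Run `demo()` from cron every few minutes in place of a real logcheck install to see the offset file advance; only lines written since the previous run are ever reported.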



More information about the linux-l mailing list