Re: IDS: how do you configure your firewall ( router ) to log to a different machine ?
FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicted mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------
Hi,
...on Thu, May 20, 1999 at 07:04:17PM -0500, Gerardo Soto Casados wrote:
> Is there a way to really find out where the attack is coming from ?
> I have a redhat linux box 5.0 version with a 2511 cisco router. I set
> up a firewall but this guy still managed to break in, and as you all can
> imagine, he erased all my logs.
Well, there are some standard things to do in such a case - a good place
to start are probably the CERT tech tips at http://www.cert.org/tech_tips/
Have you already disabled all network services on that machine you don't
really need? I have seen some hacked RedHat boxes out there, mostly because
they ran an old version of the WU imap daemon, which has well-published
security holes... When you are already looking at the inetd.conf, look
for entries that shouldn't be there...
Run a portscan against your machine to see whether the attacker has
established some backdoor service on an arbitrary port that allows him
to login, circumventing access controls.
You could send the syslog stuff to another host, but then this may direct
the attacker to that machine - you probably don't want that right now...
If you have another machine, disable all network services on it, except
perhaps a ssh daemon to login (you can even spare that if you can login
from the console). Disable all services in the inetd.conf and scan your
startup scripts to disable everything else you don't need. For a start
you can probably just use tcpdump to capture the traffic on your network,
but if you want to monitor your net for a longer time, this is probably a
bit straining. For a quick overview about what's going on you can use a
tool like iptraf (if there is no RPM for it, you should be able to find it
at ftp://ftp.cebu.mozcom.com/pub/linux/net/iptraf-1.3.0.tar.gz).
If you want to capture data about IP traffic on your network and get some
easily readable output about actual or historical data, try to use something
like argus (ftp://ftp.sei.cmu.edu/pub/argus).
Alex.
--
AB54-RIPE * http://users.infra.de/~bochmann/
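The two checks Alex suggests above (review what inetd will actually start, and look for a listener on a port nothing legitimate should be using) as a small audit script. This is an added example, not code from the original posting or from any of the tools it mentions; the inetd.conf and netstat -an text inside it are constructed samples, and the allowlists passed to the audit functions are assumptions you would replace with what your own host is supposed to run.

```shell
#!/bin/sh
# Added example, not part of the original posting: two quick checks for a
# box you suspect has been tampered with.
#   1. list the services inetd will actually start (non-comment lines of
#      inetd.conf) and flag any that are not on an allowlist you control;
#   2. list the TCP ports something is listening on (from "netstat -an"
#      style output) and flag any not on an allowlist of expected ports.
# All sample data below is constructed for illustration; on a real host
# you would feed in /etc/inetd.conf and the live "netstat -an" output.

# --- constructed sample /etc/inetd.conf ------------------------------------
SAMPLE_INETD='# inetd.conf - constructed sample, not a real file
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
imap     stream  tcp  nowait  root    /usr/sbin/tcpd  imapd
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd

ingreslock stream tcp nowait root /bin/sh sh -i'

# --- constructed sample "netstat -an" output (Linux 2.x layout) ------------
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:23             10.0.0.9:1034           ESTABLISHED
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:514             0.0.0.0:*'

# enabled_services: print the service name of every active inetd.conf entry
# read on stdin (comment lines and blank lines are skipped).
enabled_services() {
    grep -v '^[[:space:]]*#' | awk 'NF > 0 { print $1 }'
}

# listening_tcp_ports: from "netstat -an" text on stdin, print the local
# port of every TCP socket in LISTEN state, one per line, sorted numerically.
listening_tcp_ports() {
    awk '$1 == "tcp" && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
        sort -n
}

# not_allowed ALLOW: read items on stdin, print those not in the
# space-separated allowlist ALLOW. An empty result is the good case.
not_allowed() {
    allow=" $1 "
    while read -r item; do
        case "$allow" in
            *" $item "*) ;;          # expected, say nothing
            *) echo "$item" ;;       # not on the allowlist: investigate
        esac
    done
}

# audit_inetd ALLOW: unexpected inetd services in the sample, on one line.
audit_inetd() {
    printf '%s\n' "$SAMPLE_INETD" | enabled_services | not_allowed "$1" |
        paste -sd ' ' -
}

# audit_ports ALLOW: unexpected listening TCP ports in the sample, on one line.
audit_ports() {
    printf '%s\n' "$SAMPLE_NETSTAT" | listening_tcp_ports | not_allowed "$1" |
        paste -sd ' ' -
}

# Example run: suppose only ftp and telnet belong in inetd.conf and only
# ports 21, 22 and 23 should be listening. Everything else needs an explanation.
audit_inetd "ftp telnet"      # -> imap finger ingreslock
audit_ports "21 22 23"        # -> 143 31337
```

A port that neither inetd.conf nor your startup scripts account for is exactly the backdoor case Alex describes; run the netstat half on the host and, as he suggests, a port scan from another machine as well, since on a compromised box the local netstat binary itself may have been replaced.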