From owner-freebsd-security Thu Apr 20 16:03:34 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hayseed.net (hayseed.net [207.181.249.194]) by hub.freebsd.org (Postfix) with ESMTP id 365EA37B6BD for ; Thu, 20 Apr 2000 16:03:31 -0700 (PDT) (envelope-from enkhyl@pobox.com)
Received: from localhost (localhost [127.0.0.1]) by hayseed.net (8.9.3/8.9.3) with ESMTP id OAA04664; Thu, 20 Apr 2000 14:58:53 -0700
Date: Thu, 20 Apr 2000 14:58:53 -0700 (PDT)
From: Christopher Nielsen
X-Sender: enkhyl@hayseed.net
To: Randy Bush
Cc: freebsd-security@freebsd.org
Subject: Re: log-in-vain [ was: 10 days ]
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 20 Apr 2000, Randy Bush wrote:

> > Something you might want to do, if you haven't already, is enable
> > log_in_vain in /etc/rc.conf by adding 'log_in_vain="YES"'. It will log
> > connection attempts on ports that have nothing listening on them. It can
> > be very enlightening.
>
> but what does one *do* with the info? there is so much scanning and so many
> baby cracker attempts that it does little good writing to source address
> admins. and the sources are spoofed in the majority of the cases anyway.
>
> while i think log watching is important, it can be massive data. so i try
> to keep it down to those data about which i can do something, either by
> changing my defenses or by dealing with the source of the problem.

You make very good points, Randy, and they are the same points applied to
IDS. If you can figure out an answer, you'll likely be a rich man. Many
people have already tried. Part of the problem is that IDS is still a
young science. What you gain by copious amounts of logging is obviously
more work, but you sometimes discover new attacks that you normally
wouldn't find.
From an academic perspective, that is important, but from the practical
perspective of a network admin, the increase in workload is bothersome.
Personally, I read my logs religiously, but I have a suite of homegrown
scripts that distill it into a form I find more useful. The comments about
using ipfw might be more applicable for others.

--
Christopher Nielsen
(enkhyl|cnielsen)@pobox.com
Enkhyl on IRC

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
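The kind of distilling script the reply above describes, as an added example that is not Nielsen's code and not part of the original thread. It assumes the "Connection attempt to TCP/UDP dst:port from src:port" wording of FreeBSD's log_in_vain kernel message, reads it out of syslog lines, and collapses the per-connection noise into one record per source so an admin can see which sources are sweeping many ports (the high-volume, often spoofed scans Randy refers to) and which keep returning to one port; the log lines are constructed.

```python
import re
from collections import defaultdict

# Message text assumed from FreeBSD's log_in_vain kernel log; the syslog
# prefix (timestamp, host, "/kernel:") is skipped by searching, not matching.
LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
)

# Constructed sample /var/log/messages excerpt (documentation-range addresses).
SAMPLE_LOG = """\
Apr 20 14:01:02 host /kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:3201
Apr 20 14:01:02 host /kernel: Connection attempt to TCP 192.0.2.10:21 from 198.51.100.7:3202
Apr 20 14:01:03 host /kernel: Connection attempt to TCP 192.0.2.10:79 from 198.51.100.7:3203
Apr 20 14:01:03 host /kernel: Connection attempt to TCP 192.0.2.10:111 from 198.51.100.7:3204
Apr 20 14:05:44 host /kernel: Connection attempt to UDP 192.0.2.10:137 from 203.0.113.9:137
Apr 20 14:09:10 host /kernel: Connection attempt to TCP 192.0.2.10:113 from 203.0.113.20:40112
Apr 20 14:09:11 host /kernel: Connection attempt to TCP 192.0.2.10:113 from 203.0.113.20:40113
Apr 20 14:12:00 host sshd[123]: Accepted publickey for user from 203.0.113.30 port 5000
"""


def parse(lines):
    """Yield (src, proto, dport) for each log_in_vain line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("proto"), int(m.group("dport"))


def distill(lines, scan_threshold=4):
    """One record per source: hit count, sorted distinct (proto, port) pairs,
    and a "scan" label when the source touched >= scan_threshold distinct
    ports, else "probe" (a source repeatedly hitting one or two ports).
    """
    hits = defaultdict(int)
    ports = defaultdict(set)
    for src, proto, dport in parse(lines):
        hits[src] += 1
        ports[src].add((proto, dport))
    report = {}
    for src in hits:
        kind = "scan" if len(ports[src]) >= scan_threshold else "probe"
        report[src] = {"hits": hits[src], "ports": sorted(ports[src]), "kind": kind}
    return report
```

Feeding distill() the lines of /var/log/messages turns thousands of kernel lines into one dictionary entry per source, which is the form that is practical to read daily or to turn into an ipfw deny list.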