From owner-freebsd-questions Thu Nov 9 11:34:19 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from shf102107.hi.pac.army.mil (shf102107.hi.pac.army.mil [141.190.102.107]) by hub.freebsd.org (Postfix) with ESMTP id 70BC937B479 for ; Thu, 9 Nov 2000 11:34:17 -0800 (PST)
Received: from localhost (localhost [[UNIX: localhost]]) by shf102107.hi.pac.army.mil (8.10.1/8.10.1) id eA9JWlC10262; Thu, 9 Nov 2000 09:32:47 -1000
From: Gary Dunn
Reply-To: gdunn@mac.com
Organization: Open Slate Project
To: Phil C, freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw/database/logging development
Date: Thu, 9 Nov 2000 09:04:26 -1000
X-Mailer: KMail [version 1.0.28]
Content-Type: text/plain
References: <20001109000826.B13677@planw-22-181.pompano.net>
In-Reply-To: <20001109000826.B13677@planw-22-181.pompano.net>
MIME-Version: 1.0
Message-Id: <00110909324700.10098@shf102107.hi.pac.army.mil>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 08 Nov 2000, Phil C wrote:
> I have been pondering over the past few days whether it would be more sensible
> to develop something one way or the other... Anyone interested in commenting
> please do....
>
> I wanted to initially write a perl script to monitor /var/log/security for
> user-defined ongoings of ipfw. I was then going to use this data in a
> database, which would expire entries after a defined amount of time. The
> database (using MLDBM) could keep track of each ip which, for example, was
> blocked, the port(s) they tried to connect from/to and when... Monitoring scans,
> both immediate and those gradually building over time, would be simplified
> greatly... (on a cable network I find myself under a regular barrage of
> various intrusion attempts etc. ranging from doze based attempts, like sub7
> scans, to scans of ftp ssh portmap etc... ...)
[snip]

I can't address your technical questions other than to say that whenever someone scans my FreeBSD boxes -- even my two year old 3.0 box -- some sort of detection mechanism (tcpwrappers?) spews out stuff on the console log window, which is great. I suppose there are more subtle forms of probes that don't trigger these alarms, and that those are what you want to detect.

What concerns me is that in the past year there has been a huge increase in the number of households using cable modems (aka RoadRunner). Even small businesses and schools. Few of these people have a clue about network security. Some install a "firewall" application, but I am skeptical about the effectiveness of such programs. As far as I know, cable modem service providers offer no security, not even simple IP address blocking at the router.

Are we all being placed at greater risk because of inadequate security measures involving cable modems? Or is the threat a mirage?

-- 
== Gary Dunn == Honolulu == Open Slate Project
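The monitor Phil sketches in the quoted message (parse ipfw Deny lines from /var/log/security, keep per-source ports and times, expire old entries, and surface scans that build up slowly), written here as an added example in Python rather than the Perl/MLDBM script he planned; it is not code from either poster. The log lines are constructed in the ipfw syslog shape, and the addresses, the 2-hour window and the 3-port threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape ipfw logs to /var/log/security (rule, action, proto,
# src:port, dst:port, direction, interface); the last two lines mimic SubSeven probes.
SAMPLE_LOG = """\
Nov  9 09:00:01 gw /kernel: ipfw: 300 Deny TCP 203.0.113.5:4021 192.0.2.10:21 in via ed0
Nov  9 09:12:44 gw /kernel: ipfw: 300 Deny TCP 203.0.113.5:4022 192.0.2.10:22 in via ed0
Nov  9 09:31:09 gw /kernel: ipfw: 300 Deny TCP 203.0.113.5:4023 192.0.2.10:111 in via ed0
Nov  9 09:31:10 gw /kernel: ipfw: 300 Deny UDP 203.0.113.5:4024 192.0.2.10:111 in via ed0
Nov  9 09:40:00 gw /kernel: ipfw: 300 Deny TCP 198.51.100.7:1025 192.0.2.10:27374 in via ed0
Nov  9 11:50:00 gw /kernel: ipfw: 300 Deny TCP 198.51.100.7:1026 192.0.2.10:27374 in via ed0
"""
# TCP/UDP Deny lines only; ICMP entries carry no ports and are skipped here.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+ ipfw: \d+ Deny (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ [\d.]+:(?P<dport>\d+) in via \S+$")

def parse(line, year=2000):
    """Return (timestamp, source, proto, dest port) for a Deny line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["proto"], int(m["dport"])

def expire(events, now, ttl):
    """Drop entries older than ttl so only attempts inside the window are counted."""
    cutoff = now - ttl
    for src in list(events):
        events[src] = [e for e in events[src] if e[0] >= cutoff]
        if not events[src]:
            del events[src]

def targets(events, src):
    return sorted({(p, d) for _, p, d in events.get(src, [])})  # distinct (proto, port)

def analyse(log_text, ttl=timedelta(hours=2), min_ports=3):
    """Alert once per source whose distinct targets within ttl reach min_ports."""
    events, alerts, seen = defaultdict(list), [], set()
    for ts, src, proto, dport in filter(None, map(parse, log_text.splitlines())):
        events[src].append((ts, proto, dport))
        expire(events, ts, ttl)
        if src not in seen and len(targets(events, src)) >= min_ports:
            seen.add(src)
            alerts.append((ts, src, targets(events, src)))
    return alerts, events
```

Run against the sample, the slow three-port probe from 203.0.113.5 raises one alert at 09:31:09, while by 11:50 its entries and the first SubSeven probe have aged out of the window.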