Date: Wed, 24 Jun 1998 19:05:44 +0200 (CEST)
From: Andreas Klemm <andreas@klemm.gtn.com>
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: misc/7050: enhancements to daily security script needed to detect intruders
Message-ID: <199806241705.TAA05810@klemm.gtn.com>

>Number:         7050
>Category:       misc
>Synopsis:       enhance daily security script
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 24 10:30:01 PDT 1998
>Last-Modified:
>Originator:     Andreas Klemm
>Organization:   Andreas Klemm
>Release:        FreeBSD 3.0-CURRENT i386
>Environment:

FreeBSD -current and -stable

>Description:

Our current daily security script doesn't notify about
- repeated unsuccessful login attempts and
- warning output of tcp_wrappers

>How-To-Repeat:

Things we should report are:
"refused connect from" by tcp_wrapper and
"LOGIN FAILURES FROM" by login

See here:

Jun 22 05:17:43 titan telnetd[10520]: refused connect from 195.90.203.76
Jun 22 05:18:05 titan telnetd[10523]: refused connect from 195.90.203.76
Jun 22 05:20:22 titan telnetd[10951]: refused connect from 195.90.203.76
Jun 22 05:20:37 titan telnetd[10953]: refused connect from 195.90.203.76
Jun 22 05:21:04 titan telnetd[10955]: refused connect from 195.90.203.76
Jun 22 05:22:30 titan login: 2 LOGIN FAILURES FROM freefall.FreeBSD.ORG
Jun 22 05:22:30 titan login: 2 LOGIN FAILURES FROM freefall.FreeBSD.ORG, andreas
Jun 22 05:23:39 titan login: 2 LOGIN FAILURES FROM freefall.FreeBSD.ORG
Jun 22 05:23:39 titan login: 2 LOGIN FAILURES FROM freefall.FreeBSD.ORG, root
Jun 22 05:24:03 titan login: 1 LOGIN FAILURE FROM freefall.FreeBSD.ORG
Jun 22 05:24:03 titan login: 1 LOGIN FAILURE FROM freefall.FreeBSD.ORG, ddd

>Fix:

diff <old_messages_file> <new_messages_file> | grep -i "login failure"
diff <old_messages_file> <new_messages_file> | grep -i "refused connect"

>Audit-Trail:
>Unformatted:
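
The diff-and-grep check proposed under >Fix:, extended to a per-source summary, as an added example that is not part of the original report or of the FreeBSD security script. The function names, file names and summary format are assumptions, as is the reading (taken from the sample log above) that login writes each failure as a pair of lines, one without and one with the account name.

```shell
#!/bin/sh
# Added example; function names, file names and output format are assumptions.

# Print lines that are in $2 (today's messages) but not in $1 (yesterday's
# copy), restricted to the two message kinds named in the report.
new_security_lines() {
    diff "$1" "$2" | sed -n 's/^> //p' |
        grep -Ei 'refused connect from|login failures? from'
}

# Summarise per source: number of tcp_wrappers refusals, and the summed login
# failure count plus the accounts that were tried.
summarize() {
    awk '
    /refused connect from/ { refused[$NF]++ }
    /LOGIN FAILURES? FROM/ {
        for (i = 1; i <= NF; i++) if ($i == "FROM") break
        host = $(i + 1); sub(/,$/, "", host)
        if (i + 1 == NF) fails[host] += $(i - 3)  # line without account: add its count
        else users[host] = users[host] " " $NF    # paired line names the account
    }
    END {
        for (h in refused) printf "refused %s %d\n", h, refused[h]
        for (h in fails) printf "login-failures %s %d tried:%s\n", h, fails[h], users[h]
    }' | sort
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample files built from log lines quoted in the report.
    cat > "$tmp/messages.yesterday" <<'EOF'
Jun 22 05:17:43 titan telnetd[10520]: refused connect from 195.90.203.76
EOF
    cat > "$tmp/messages.today" <<'EOF'
Jun 22 05:17:43 titan telnetd[10520]: refused connect from 195.90.203.76
Jun 22 05:18:05 titan telnetd[10523]: refused connect from 195.90.203.76
Jun 22 05:20:22 titan telnetd[10951]: refused connect from 195.90.203.76
Jun 22 05:22:30 titan login: 2 LOGIN FAILURES FROM freefall.FreeBSD.ORG
Jun 22 05:22:30 titan login: 2 LOGIN FAILURES FROM freefall.FreeBSD.ORG, andreas
Jun 22 05:24:03 titan login: 1 LOGIN FAILURE FROM freefall.FreeBSD.ORG
Jun 22 05:24:03 titan login: 1 LOGIN FAILURE FROM freefall.FreeBSD.ORG, ddd
Jun 22 05:25:00 titan sendmail[11000]: constructed unrelated line
EOF
    new_security_lines "$tmp/messages.yesterday" "$tmp/messages.today" | summarize
    rm -rf "$tmp"
}

demo
```

Only lines that diff marks as new are counted, so the refusal already present in yesterday's copy is not reported again.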