From owner-freebsd-bugs Wed Jun 24 10:31:03 1998
Message-Id: <199806241705.TAA05810@klemm.gtn.com>
Date: Wed, 24 Jun 1998 19:05:44 +0200 (CEST)
From: Andreas Klemm
Reply-To: andreas@klemm.gtn.com
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: misc/7050: enhancements to daily security script needed to detect intruders

>Number:         7050
>Category:       misc
>Synopsis:       enhance daily security script
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 24 10:30:01 PDT 1998
>Last-Modified:
>Originator:     Andreas Klemm
>Organization:
Andreas Klemm
>Release:        FreeBSD 3.0-CURRENT i386
>Environment:
FreeBSD -current and -stable
>Description:
Our current daily security script doesn't notify about
- repeated unsuccessful login attempts and
- warning output of tcp_wrappers
>How-To-Repeat:
Things we should report are:
"refused connect from" by tcp_wrapper and
"LOGIN FAILURES FROM" by login

See here:

Jun 22 05:17:43 titan telnetd[10520]: refused connect from 195.90.203.76
Jun 22 05:18:05 titan telnetd[10523]: refused connect from 195.90.203.76
Jun 22 05:20:22 titan telnetd[10951]: refused connect from 195.90.203.76
Jun 22 05:20:37 titan telnetd[10953]: refused connect from 195.90.203.76
Jun 22 05:21:04 titan telnetd[10955]: refused connect from 195.90.203.76
Jun 22 05:22:30 titan login: 2 LOGIN FAILURES FROM freefall.FreeBSD.ORG
Jun 22 05:22:30 titan login: 2 LOGIN FAILURES FROM freefall.FreeBSD.ORG, andreas
Jun 22 05:23:39 titan login: 2 LOGIN FAILURES FROM freefall.FreeBSD.ORG
Jun 22 05:23:39 titan login: 2 LOGIN FAILURES FROM freefall.FreeBSD.ORG, root
Jun 22 05:24:03 titan login: 1 LOGIN FAILURE FROM freefall.FreeBSD.ORG
Jun 22 05:24:03 titan login: 1 LOGIN FAILURE FROM freefall.FreeBSD.ORG, ddd
>Fix:
diff | grep -i "login failure"
diff | grep -i "refused connect"
>Audit-Trail:
>Unformatted:
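As an added example (not part of the PR and not FreeBSD's own /etc/security script), a POSIX sh sketch of the two report sections the PR asks for, run over a constructed sample modelled on the log lines quoted above. The functions take a file name; the assumption is that in the daily script that file would be the diff of /var/log/messages against the previous day's copy, and that login(1) writes both a per-host and a per-user line for each failure, as in the sample.

```shell
#!/bin/sh
# Added example, not from the PR: summarize tcp_wrappers refusals and
# login failures the way a daily security report could present them.

# Constructed sample log, based on the lines quoted in the PR.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun 22 05:17:43 titan telnetd[10520]: refused connect from 195.90.203.76
Jun 22 05:18:05 titan telnetd[10523]: refused connect from 195.90.203.76
Jun 22 05:20:22 titan ftpd[10600]: refused connect from 195.90.203.76
Jun 22 05:22:30 titan login: 2 LOGIN FAILURES FROM freefall.FreeBSD.ORG
Jun 22 05:22:30 titan login: 2 LOGIN FAILURES FROM freefall.FreeBSD.ORG, andreas
Jun 22 05:24:03 titan login: 1 LOGIN FAILURE FROM freefall.FreeBSD.ORG
Jun 22 05:24:03 titan login: 1 LOGIN FAILURE FROM freefall.FreeBSD.ORG, ddd
Jun 22 05:30:00 titan sshd[123]: Accepted publickey for andreas
EOF

# refused_connects FILE: one "count service source" line per
# (service, source) pair from "refused connect from" lines, busiest first.
refused_connects() {
    grep -i 'refused connect from' "$1" |
    sed -E 's/^.* ([a-z0-9_.-]+)\[[0-9]+\]: refused connect from (.*)$/\1 \2/' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2, $3 }'
}

# login_failures FILE: total failed logins per source host. Only the lines
# that name the user ("FROM host, user") are summed, so the per-host and
# the per-user line login(1) writes for one event are not counted twice.
# The failure count sits three fields before "FROM" ("2 LOGIN FAILURES FROM").
login_failures() {
    grep -i 'login failure' "$1" |
    awk '{ for (i = 1; i <= NF; i++)
             if ($i == "FROM" && $(i+1) ~ /,$/) {
                 host = $(i+1); sub(/,$/, "", host); n[host] += $(i-3) } }
         END { for (h in n) print n[h], h }' |
    sort -rn
}

# security_report FILE: the two sections as they could appear in the
# daily security mail.
security_report() {
    echo "Refused connections (tcp_wrappers):"
    refused_connects "$1" | sed 's/^/    /'
    echo "Failed logins by source host:"
    login_failures "$1" | sed 's/^/    /'
}

security_report "$SAMPLE_LOG"
```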