Snort (http://www.snort.org) is a good IDS system to use.  It will log to a
database also, and you can report on the data using ACID
(http://acidlab.sourceforge.net).  Apparently the latest version will
support more than just MySQL; I'll probably be installing it today sometime.
MySQL sucks on large databases (at least it did for me), and I'd like to
switch to something else.  More attack sigs are available for snort at
http://www.whitehats.com/ids

Jay

> -----Original Message-----
> From: joel at luths.net [mailto:joel at luths.net]
> Sent: Wednesday, June 06, 2001 12:21 PM
> To: tclug-list at mn-linux.org
> Subject: RE: [TCLUG] Security
> 
> 
> Hm, 20/day is about what I get I think. I'm collecting stats, just haven't done
> much processing of them. Anyone logging ipchains DENYs for this (like me) might
> want to check out packet2sql (http://sourceforge.net/projects/packet2sql/).
> Pulls the ipchains lines out of log files and puts them in a SQL db. Should
> make analysis much easier, if I ever get around to it.
> 
> Quoting "Austad, Jay" <austad at marketwatch.com>:
> 
> > I get scanned quite a bit on my DSL also, probably about 20 times a day.
> > That's nothing compared to one of my networks, over 6000 portscans a day
> > (some are dummy scans of course, but it's still a lot).  Fun.
> > 
> > > -----Original Message-----
> > > From: joel at luths.net [mailto:joel at luths.net]
> > > Sent: Wednesday, June 06, 2001 10:50 AM
> > > To: tclug-list at mn-linux.org
> > > Subject: Re: [TCLUG] Security
> > > 
> > > I'm running DSL and I get *lots* of scans.
> > > 
> > > Quoting Brian <lxy at cloudnet.com>:
> > > 
> > > > On Tue, 5 Jun 2001, Dave Sherohman wrote:
> > > > 
> > > > > Nah.  They're talking to portmap, not telnetd.  Those requests are
> > > > > asking about available RPC services, most likely in hopes of finding a
> > > > > vulnerable NIS or NFS installation.
> > > > 
> > > > Ok, I've heard of exploits on RPC, now I'm curious.  What's using RPC?
> > > > Is it just NIS and NFS?  I've heard of tons of RPC ports strewn about that
> > > > can be exploited, it's the only remaining port that I'm worried about on
> > > > my system.
> > > > 
> > > > Back to the original question on security, port scans are part of
> > > > life.  Kiddies all over the internet like to run their port scanners
> > > > because they're HACKERS and they're unstoppable!  Just like in the
> > > > movie!  *rolls eyes*  Just make sure you aren't running anything
> > > > unnecessary, like xfs, nis, nfs, etc.  Out of curiosity, are you on a
> > > > cable modem?  I've noticed that when I was on DSL no one even looked at
> > > > my box but on cable in the last week I've collected large amounts of IP
> > > > addresses probing away at my firewall.  They've mainly been targeting
> > > > FTP, which is odd, since I hadn't had ftpd up and running at that point.
> > > > Real bright ones, they are! :-)
> > > > 
> > > > tcp wrappers do a pretty good job, an ALL:ALL in hosts.deny lets me
> > > > sleep at night anyway.  I also have a policy of denying ICMP requests on my
> > > > outside interface just to thwart the really stupid kiddies.  Between
> > > > these two I feel relatively secure.  Then just check your startup
> > > > script to make sure you aren't running anything you don't need to be.
> > > > 
> > > > -Brian
> > > > 
> > > > _______________________________________________
> > > > tclug-list mailing list
> > > > tclug-list at mn-linux.org
> > > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
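Joel's suggestion above is to get the ipchains DENY lines out of syslog and into a SQL table so the scan traffic can be summarised with queries rather than by eyeballing the log. The script below is an added example written for this thread; it is not packet2sql's code and not from anyone in the thread. It parses the kernel 2.2 ipchains "Packet log:" line format into SQLite and then answers the two questions the thread keeps coming back to: which sources are hitting the firewall most, and which ports they are after. The log lines, host name, table name and column names are all constructed for the example.

```python
"""Added example: load ipchains DENY log lines into SQLite and summarise them.

Not packet2sql and not code from the thread. The syslog lines below are
constructed samples in the ipchains (Linux 2.2) "Packet log:" format; the
host name, table and column names are this example's own choices.
"""
import re
import sqlite3
from typing import Optional

# Constructed sample syslog lines: five DENYs, one ACCEPT, one unrelated sshd line.
SAMPLE_LOG = """\
Jun  6 10:50:01 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:3312 192.0.2.10:21 L=60 S=0x00 I=4711 F=0x4000 T=49 SYN (#3)
Jun  6 10:50:02 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:3313 192.0.2.10:23 L=60 S=0x00 I=4712 F=0x4000 T=49 SYN (#3)
Jun  6 10:51:15 gw kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.23:1026 192.0.2.10:111 L=84 S=0x00 I=9 F=0x0000 T=113 (#3)
Jun  6 10:52:40 gw kernel: Packet log: input DENY eth0 PROTO=1 198.51.100.23:8 192.0.2.10:0 L=84 S=0x00 I=10 F=0x0000 T=113 (#4)
Jun  6 10:53:03 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.44:40000 192.0.2.10:22 L=60 S=0x00 I=77 F=0x4000 T=64 SYN (#1)
Jun  6 10:53:09 gw sshd[1234]: Accepted publickey for joel from 192.0.2.44
Jun  6 10:54:00 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:3314 192.0.2.10:21 L=60 S=0x00 I=4713 F=0x4000 T=49 SYN (#3)
"""

# One ipchains log line: chain, target, interface, protocol number, src:port,
# dst:port, length, TOS, IP id, fragment flags, TTL, optional SYN, rule number.
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?P<flags>(?: SYN)?) \(#(?P<rule>\d+)\)$"
)

COLUMNS = ("ts", "host", "chain", "target", "iface", "proto", "src", "sport",
           "dst", "dport", "length", "tos", "ipid", "frag", "ttl", "syn", "rule")

SCHEMA = """CREATE TABLE IF NOT EXISTS packets (
    ts TEXT, host TEXT, chain TEXT, target TEXT, iface TEXT,
    proto INTEGER, src TEXT, sport INTEGER, dst TEXT, dport INTEGER,
    length INTEGER, tos TEXT, ipid INTEGER, frag TEXT, ttl INTEGER,
    syn INTEGER, rule INTEGER)"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one ipchains 'Packet log:' line, or None for any other syslog line."""
    m = IPCHAINS_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["syn"] = rec.pop("flags").strip() == "SYN"  # True only for TCP SYN packets
    return rec


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create) the database and make sure the packets table exists."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def load_log(text: str, conn: sqlite3.Connection) -> int:
    """Insert every ipchains log line found in text; returns the number of rows inserted."""
    rows = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # sshd, cron and other non-firewall lines are skipped
        rows.append(tuple(rec[c] for c in COLUMNS))
    conn.executemany("INSERT INTO packets VALUES (%s)" % ",".join("?" * len(COLUMNS)), rows)
    conn.commit()
    return len(rows)


def top_sources(conn: sqlite3.Connection, limit: int = 10) -> list:
    """Source addresses with the most DENYed packets, busiest first."""
    return conn.execute(
        "SELECT src, COUNT(*) AS n FROM packets WHERE target = 'DENY' "
        "GROUP BY src ORDER BY n DESC, src LIMIT ?", (limit,)).fetchall()


def top_ports(conn: sqlite3.Connection, limit: int = 10) -> list:
    """Destination TCP/UDP ports with the most DENYed packets (ICMP has no real port)."""
    return conn.execute(
        "SELECT dport, COUNT(*) AS n FROM packets WHERE target = 'DENY' AND proto IN (6, 17) "
        "GROUP BY dport ORDER BY n DESC, dport LIMIT ?", (limit,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("loaded", load_log(SAMPLE_LOG, db), "firewall log lines")
    print("top denied sources:", top_sources(db))
    print("top denied TCP/UDP ports:", top_ports(db))
```

To run it against a real system, replace SAMPLE_LOG with the contents of the file your syslog sends kernel messages to (typically /var/log/messages on a 2.2-era box) and pass a file path to open_db so the table persists between runs. Keeping the ACCEPT lines in the table as well costs little and lets the same queries show what the allowed traffic looks like next to the blocked traffic.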