Scanning log files for intrusion attempts can help secure a system against attack --- but there is an awful lot to scan. There are many utilities which automatically scan log files and email reports to an administrator. We look at Log Watch, Log Check and Swatch.
A study of log files can lead an administrator to add rules to TCP Wrappers (or Xinetd) or a host's packet filter rules designed to block a rogue host. But such actions occur after the event leaving a significant time in which a system might be compromised. Utilities exist which monitor portscans and other signs of foul-play real-time, including logged events, and automatically block access to/from these hosts. We look at Portsentry, psad and IPTrap.
Portsentry is developed by Psionic and can be freely downloaded from their web site. The following paragraphs are from the Psionic web site:
PortSentry is a program designed to detect and respond to port scans against a target host in real-time. The 2.0 version of the software offers extensive stealth scan detection for most Unix platforms. The 1.1 version supports the "classic" PortSentry detection modes that are no longer available in the 2.0 version of the software.
Portsentry can be configured to work with TCP Wrappers (or xinetx) and most packet filters to automatically block hosts (see Configuration, below).
The portsentry configuration files can likely be found in /etc/portsentry. The daemon should be started each time the system is booted so a /etc/init.d/portsentry file should be created and links made to the pertinant /etc/rc?.d/.
With RedHat 7.1, the RPM installs a startup (init.d) script and suitable links, as above, but the daemon needs to manually started this first time:
/etc/init.d/portsentry start |
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
This utility is similar to PortSentry: it automatically blocks offending IPs by adding a rule to ipchains/iptables.
Further details can be found from the web site, which describes IPTrap thus:
IPTrap listens to several TCP ports to simulate fake services (X11, Netbios, DNS, etc). When a remote client connects to one of these ports, his IP address gets immediately firewalled and an alert is logged. It runs with iptables and ipchains, but any external script can also be launched. IPv6 is supported.
This utility is analogous to LogCheck: psad looks at information in log files written by ipchains/iptables and from this determines if the system is under attack. Warnings can be emailed to the system administrator.
Further details can be found from the web site.
From the Web site: Logwatch is a customizable log analysis system. Logwatch parses through your system's logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. These are emailed to the system administrator. Logwatch is installed as standard as part of RedHat 7.2 where it lives in /etc/log.d.
LogSentry is developed by Psionic and can be freely downloaded from their web site. From there: LogSentry (formerly Logcheck) automatically monitors your system logs and mails security violations to you on a periodic basis. It is based on a program that ships with the TIS Gauntlet firewall but has been improved upon in many ways to make it work nicely for normal system auditing.
LogSentry helps in processing UNIX system logfiles generated by: Psionic's PortSentry and HostSentry; system daemons; Wietse Venema's TCP Wrapper and Log Daemon packages.
The latest version of LogSentry (version 1.1.1) is covered by the GNU license.
The LogCheck configuration files can likely be found in /etc/logcheck.
LogCheck should be run regularly, e.g, hourly. With RedHat 7.1, the RPM installs a cron script (into /etc/cron.hourly) so this is setup for you.
swatch is a utility which can be used to watch any log-file. swatch is started like this
swatch -c /home/simonh/swatch.rc.apache -t /var/log/httpd/access.log |
watchfor /<regexp>/ mail addresses=simonh@umist.ac.uk, subject=apache_attack_alert,when=7-1:1-24 |
For further details see the
...previous | up (conts) | next... |