Subject: Re: Security centre
To: Jan Danielsson <jan.danielsson@gmail.com>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-security
Date: 02/05/2006 14:11:20
In message <43E64B28.2030002@gmail.com>, Jan Danielsson writes:
>
> I have set my NetBSD server to log all traffic (via pf and tcpdump),
>and I have written an apache2 mod_python interface for reviewing the
>logs. Pretty soon, I realized that there are quite a few people(?) who
>are trying to get in on port 22. I cross checked with /var/log/authlog,
>and sure enough.. All the ``users=B4=B4 "user", "user1", "student",
>"oracle", etc have tried to gain access.
>
> In my web app, I have a reporting system. I can list all inbound port
>22 connections, click on a host, and it creates a report containing all
>the relevant connections. It performs a "whois" lookup to find the
>appropriate abuse-address, etc.. Now, I would also like to include the
>relevant /var/log/authlog entries in case the port in question was port 2=
>2.
>
> However, /var/log/authlog is getting rotated, but I can't figure
>where/how often, etc. If I would perform a query at a "bad time", I
>assume the log entry could have been archived. So I would like to find a
>more fail safe way to catch the "bad logins".
It's rotated via newsyslog; see /etc/newsyslog.conf.
>
> Reviewing "man syslog.conf", I realized that there's something called
>"filters". I wonder: Could I send log entries destined for authlog to a
>script of my own, where I check for sshd and an address, and store such
>entries in my postgres database?
>
> Is there any other relevant data which I could include in my abuse
>report generation?
>
Let me ask a larger question: what are you going to do with the answers?
Profitably reporting an attacking machine has become quite hard.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb