Re: Alert!!

From: Scot L. Harris (webid_at_cfl.rr.com)
Date: 09/16/04

  • Next message: Nifty Hat Mitch: "Re: Fedora Core 2 questions / concerns"
    To: For users of Fedora Core releases <fedora-list@redhat.com>
    Date: Thu, 16 Sep 2004 17:00:13 -0400
    
    

    On Wed, 2004-09-15 at 22:41, Ow Mun Heng wrote:
    > On Thu, 2004-09-16 at 09:34, Dale Sykora wrote:
    > > Do you know
    > > of any SIPTO type program or script? SIPTO (which I just made up) means
    > > Source IP Time Out (think child behavior deterrent). It would watch the
    > > logs for admin defined bad behavior from a connecting IP and then
    > > temporarily ban that IP (time-out via iptables) for 15 minutes or so
    > > after 3 occurrences in a given time frame. For example, SME server adds
    > > a denylog line to /var/log/messages when an external IP tries to connect
    > > to a closed port. I would like something to watch this 'tail -f?' and
    > > add an iptables rule to drop all connections from this IP address for a
    > > short time frame (extendible if other attempts are made). I would like
    > > this to be generic enough to shut down access to zombies that try and
    > > send viruses thru my email server, or systems that think I run IIS and
    > > look for cmd.com/etc... as well. Someone in the past mentioned an IDS,
    > > but that seems CPU/network intensive. I simply want to watch the logs
    > > and block the bad/zombie machines that tend to fill the logs.
    >
    > Wouldn't portsentry do that? Then again, portsentry would only determine
    > if a port which is marked as "secure" shouldn't be touched by anyone
    > except an allowed list, and will deny that IP dynamically.
    >
    > On the other hand, there's swatch which will watch the logs for you
    > based on regex expressions and I guess you can write a script for it to
    > parse when it detects malware.
    >

    I think you want to look at snort for this kind of functionality.

    -- 
    Scot L. Harris
    webid@cfl.rr.com
    Type louder, please. 
    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
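The "SIPTO" watcher the original poster sketches, written out as an added example (it is not part of this thread, of SME server, or of portsentry/swatch/snort): a Python script that reads syslog lines, counts "denylog" hits per source address, and emits iptables commands to drop that address for a time-out, extended if it keeps hitting. The log line format, the year 2004 (syslog timestamps carry none), the allowlisted network 192.0.2.0/24, the sample log lines, and the exact iptables command strings are all assumptions made here for illustration; adjust LOG_RE to whatever your firewall actually logs.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed shape of an SME-server-style "denylog" entry with a SRC= field.
# This pattern is an assumption for the example; match it to your own log format.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: denylog:"
    r".*?\bSRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b"
)
LOG_YEAR = 2004  # syslog timestamps have no year; assumed for the constructed sample

# Constructed sample log (not real traffic): one host probes three closed ports
# within a few seconds, a second host probes once, then the first host returns later.
SAMPLE_LOG = """\
Sep 16 17:00:01 gw kernel: denylog:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=135
Sep 16 17:00:03 gw kernel: denylog:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
Sep 16 17:00:05 gw kernel: denylog:IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80
Sep 16 17:00:06 gw kernel: denylog:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=1433
Sep 16 17:20:00 gw kernel: denylog:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=139
"""


def parse_line(line):
    """Return (epoch_seconds, source_ip) for a denylog line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return (ts - datetime(1970, 1, 1)).total_seconds(), m.group("src")


class Sipto:
    """Source IP Time Out: drop an IP for ban_seconds after `threshold` hits within `window` seconds."""

    def __init__(self, threshold=3, window=300, ban_seconds=900, allow=("192.0.2.0/24",)):
        self.threshold = threshold
        self.window = window
        self.ban_seconds = ban_seconds
        self.allow = [ipaddress.ip_network(n) for n in allow]  # never ban our own networks
        self.hits = defaultdict(deque)  # ip -> recent hit times (epoch seconds)
        self.banned = {}                # ip -> ban expiry (epoch seconds)

    def _allowed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allow)

    def expire(self, now):
        """Lift bans whose time-out has passed; returns the iptables commands to run."""
        cmds = []
        for ip, until in list(self.banned.items()):
            if until <= now:
                del self.banned[ip]
                cmds.append(f"iptables -D INPUT -s {ip} -j DROP")
        return cmds

    def feed(self, line):
        """Process one log line; returns the iptables commands it triggers (possibly none)."""
        parsed = parse_line(line)
        if parsed is None:
            return []
        now, ip = parsed
        cmds = self.expire(now)
        if self._allowed(ip):
            return cmds
        if ip in self.banned:
            # Still showing up while banned: extend the time-out, as the poster asked for.
            self.banned[ip] = now + self.ban_seconds
            return cmds
        recent = self.hits[ip]
        recent.append(now)
        while recent and recent[0] < now - self.window:  # forget hits outside the window
            recent.popleft()
        if len(recent) >= self.threshold:
            recent.clear()
            self.banned[ip] = now + self.ban_seconds
            cmds.append(f"iptables -I INPUT -s {ip} -j DROP")
        return cmds


def replay(log_text, **kw):
    """Run the watcher over a block of log text and return every command it would issue."""
    watcher = Sipto(**kw)
    return [cmd for line in log_text.splitlines() for cmd in watcher.feed(line)]


if __name__ == "__main__":
    import subprocess
    import sys

    apply_rules = "--apply" in sys.argv  # without --apply, only print the commands
    watcher = Sipto()
    for raw in sys.stdin:                # e.g. tail -F /var/log/messages | python3 sipto.py
        for cmd in watcher.feed(raw.rstrip("\n")):
            subprocess.run(cmd.split(), check=False) if apply_rules else print(cmd)
```

Run it as root behind `tail -F /var/log/messages` and add `--apply` once the printed commands look right. Two practical caveats: bans here only expire when another matching line arrives, so a production version needs a timer that calls `expire()` on the wall clock; and because a TCP SYN to a closed port needs no handshake, anyone can spoof a source address and have you time-out a host you rely on, so keep your own networks, upstream DNS and mail peers in the allowlist. This log-count-then-ban model is exactly what fail2ban packages, which is worth checking before maintaining your own.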
    
