Re: Logauswertung (translation)
Hi Andreas, hello [EMAIL PROTECTED],

> I'm at a company and would like to set up a Debian router/firewall.

Yeah, that's what I am also planning at the moment. A firewall issue won't be my problem, but I didn't install Debian for seven years as I updated the distribution from the net. Hope the netinstaller works in the company in the case I get a job.

> Debian is minimally installed and I've chosen Shorewall as the firewall.

Did you read the tutorial from Oskar Andreasson?

> I would additionally like to send the logs over Syslog-ng to a log server.

I strongly recommend not to do this. We had a CCC (Chaos Computer Club) meeting while someone brought the logfile from his mailserver to meetings. By seeing the logfile without error messages it was quite easy to have a look at the employees and their key qualification. By seeing logfiles unencrypted it's possible to have a look at what's running on your server, so I strongly recommend not to do this. Use logcheck locally on your server and log in over ssh, which is quite secure. (There was just one vulnerability in the past years.) I use a simple perl script fwlog to check the logfiles.

> My problem is what tool do I use to evaluate the logs for attacks and to send mail notifications?

Don't forget to install aide, prelude and snort or nagios in the case it's a productive server system. (Nagios - There was a bug in nagios but you can update yes monitoring tools which are not the best decision but there's no workaround for this available.) As a workaround you should use an encrypted logfile transfer to your client. (Maybe something like netcat.) You have to code a little bit around, don't know if you have time in your company. AFAIK there are no encrypting tools available to handle logfile reading from server to the client. Found an Open Source Project to overcome this. Hope it helps. I wouldn't do what you're trying to do for security reasons.

--
Best Regards, Mark

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe.
Trouble? Contact [EMAIL PROTECTED]
Re: Logauswertung (translation)
>> I would additionally like to send the logs over Syslog-ng to a log server.
>
> I strongly recommend not to do this. We had a CCC (Chaos Computer Club) meeting while someone brought the logfile from his mailserver to meetings. By seeing the logfile without error messages it was quite easy to have a look at the employees and their key qualification. By seeing logfiles unencrypted it's possible to have a look at what's running on your server, so I strongly recommend not to do this. Use logcheck locally on your server and log in over ssh, which is quite secure. (There was just one vulnerability in the past years.) I use a simple perl script fwlog to check the logfiles.

I agree with you on the logtransfer issue, but disagree with you on the don't-use-a-central-logserver ;) At this moment we are using a logserver in-house, so that's not encrypted, and we are using it in some places where we send the logs outbound. There are several ways to do this, and I'm using an OpenVPN tunnel to send it. But I'm sure it is possible to send the logs encrypted some way (stunnel maybe?) if you are not able to use a VPN tunnel.

With regards,
Ronald
Re: Logauswertung (en translation)
>> My problem is what tool to use to evaluate the logs for attacks (e.g. portscans) and notify me by mail?
>
> I know you probably wouldn't want to hear the question, but I'll put it to you: What for?

[snip]

> It's much better to monitor a counter in order to detect DOS attacks or configuration errors, and if there's concern about intrusion, set up a couple of rules to trigger the alarm when its counter is activated (outgoing connections, connection search for domain controllers...)

What counter would you use?
Re: Logauswertung
Hi,

I use fwlogwatch.

Greetings,
Holger

On Sunday, 23 April 2006 21:15, Bernd Eckenfels wrote:
> Andreas [EMAIL PROTECTED] wrote:
>> My problem: with which tool do I evaluate the logs for attacks (e.g. portscans) and mail them to me?
>
> I know you didn't want to hear this question, but I'll ask it anyway: what for? I would keep the logs for archival purposes. Individual blocked attacks or portscans happen so often...
>
> It is much better to monitor counters in order to detect DoS attacks or misconfiguration, and if you are worried about intrusion, to set up a few internal rules that trigger alarms when their counters jump (outgoing connections, connection attempts to domain controllers...)
>
> Regards,
> Bernd
Re: Logauswertung (en translation)
> My problem is what tool to use to evaluate the logs for attacks (e.g. portscans) and notify me by mail?

I know you probably wouldn't want to hear the question, but I'll put it to you: What for? I would utilize the logs for the goal of archival. Particular blocked attacks or portscans occur so often...

It's much better to monitor a counter in order to detect DOS attacks or configuration errors, and if there's concern about intrusion, set up a couple of rules to trigger the alarm when its counter is activated (outgoing connections, connection search for domain controllers...)

>> My problem: with which tool do I evaluate the logs for attacks (e.g. portscans) and mail them to me?
>
> I know you didn't want to hear this question, but I'll ask it anyway: what for? I would keep the logs for archival purposes. Individual blocked attacks or portscans happen so often...
>
> It is much better to monitor counters in order to detect DoS attacks or misconfiguration, and if you are worried about intrusion, to set up a few internal rules that trigger alarms when their counters jump (outgoing connections, connection attempts to domain controllers...)
>
> Regards,
> Bernd
Logauswertung
Hello,

I would like to set up a Debian router with firewall in a company. Debian will be installed minimally, and as the firewall I have chosen Shorewall. I would additionally like to send my logs via Syslog-ng to a log server. My problem: with which tool do I evaluate the logs for attacks (e.g. portscans) and mail them to me?

Regards,
Andreas
Re: Logauswertung (translation)
Hello, I'm at a company and would like to set up a Debian router/firewall. Debian is minimally installed and I've chosen Shorewall as the firewall. I would additionally like to send the logs over Syslog-ng to a log server. My problem is what tool do I use to evaluate the logs for attacks and to send mail notifications?

> Hello,
>
> I would like to set up a Debian router with firewall in a company. Debian will be installed minimally, and as the firewall I have chosen Shorewall. I would additionally like to send my logs via Syslog-ng to a log server. My problem: with which tool do I evaluate the logs for attacks (e.g. portscans) and mail them to me?
>
> Regards,
> Andreas

--
.. Synthetic a-priori judgements should not be patentable ..
Re: Logauswertung
Andreas [EMAIL PROTECTED] wrote:
> My problem: with which tool do I evaluate the logs for attacks (e.g. portscans) and mail them to me?

I know you didn't want to hear this question, but I'll ask it anyway: what for? I would keep the logs for archival purposes. Individual blocked attacks or portscans happen so often...

It is much better to monitor counters in order to detect DoS attacks or misconfiguration, and if you are worried about intrusion, to set up a few internal rules that trigger alarms when their counters jump (outgoing connections, connection attempts to domain controllers...)

Regards,
Bernd
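The counter-based monitoring Bernd recommends above (and that the follow-up "What counter would you use?" asks about), as an added example that is not code from the thread, from Shorewall or from fwlogwatch. It parses Shorewall's netfilter log prefix `Shorewall:<chain>:<target>:`, counts matches of a few named rules per time window and raises an alarm only when a counter reaches its threshold, rather than reporting every single blocked probe. The sample log lines are constructed; the domain controller address 10.0.1.5, the chain names and the thresholds are assumptions for the demo.

```python
"""Counter-based alarms over Shorewall/netfilter log lines.

Added example, not code from the thread, from Shorewall or from fwlogwatch.
Assumptions: Shorewall's log prefix "Shorewall:<chain>:<target>:", a domain
controller at 10.0.1.5, thresholds picked for the demo, constructed log lines.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2006  # syslog timestamps carry no year; the thread is from April 2006

# One netfilter log line as written by a Shorewall LOG/DROP rule.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"Shorewall:(?P<chain>[\w-]+):(?P<target>\w+):"
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*).*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

DC_HOSTS = {"10.0.1.5"}          # assumed address of the domain controller
DC_PORTS = {88, 135, 389, 445}   # Kerberos, RPC endpoint mapper, LDAP, SMB

# (rule name, predicate over a parsed event, alarm when count per window >= threshold)
RULES = [
    ("inbound-drops",  lambda e: e["chain"] == "net2fw" and e["target"] == "DROP", 5),
    ("outbound-drops", lambda e: e["chain"] == "loc2net" and e["target"] == "DROP", 3),
    ("dc-attempts",    lambda e: e["dst"] in DC_HOSTS and e["dpt"] in DC_PORTS, 3),
]

# Constructed sample lines: one host walking six ports on the firewall, two
# blocked outbound connections from a workstation, three attempts from the
# same workstation to reach the domain controller, and one unrelated line.
SAMPLE_LOG = """\
Apr 23 21:15:01 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=40 TTL=52 PROTO=TCP SPT=41234 DPT=21 SYN
Apr 23 21:15:01 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=40 TTL=52 PROTO=TCP SPT=41235 DPT=23 SYN
Apr 23 21:15:02 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=40 TTL=52 PROTO=TCP SPT=41236 DPT=25 SYN
Apr 23 21:15:02 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=40 TTL=52 PROTO=TCP SPT=41237 DPT=110 SYN
Apr 23 21:15:03 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=40 TTL=52 PROTO=TCP SPT=41238 DPT=139 SYN
Apr 23 21:15:03 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=40 TTL=52 PROTO=TCP SPT=41239 DPT=445 SYN
Apr 23 21:16:10 fw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.9 LEN=60 TTL=63 PROTO=TCP SPT=50111 DPT=6667 SYN
Apr 23 21:16:40 fw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.9 LEN=60 TTL=63 PROTO=TCP SPT=50112 DPT=6667 SYN
Apr 23 21:17:05 fw kernel: Shorewall:loc2dmz:DROP:IN=eth1 OUT=eth2 SRC=10.0.0.23 DST=10.0.1.5 LEN=60 TTL=63 PROTO=TCP SPT=50201 DPT=389 SYN
Apr 23 21:17:06 fw kernel: Shorewall:loc2dmz:DROP:IN=eth1 OUT=eth2 SRC=10.0.0.23 DST=10.0.1.5 LEN=60 TTL=63 PROTO=TCP SPT=50202 DPT=445 SYN
Apr 23 21:17:08 fw kernel: Shorewall:loc2dmz:DROP:IN=eth1 OUT=eth2 SRC=10.0.0.23 DST=10.0.1.5 LEN=60 TTL=63 PROTO=TCP SPT=50203 DPT=88 SYN
Apr 23 21:17:30 fw sshd[2231]: Accepted publickey for admin from 10.0.0.10 port 51022 ssh2
"""


def parse(line):
    """Return a dict for a Shorewall log line, or None for any other line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(f"{LOG_YEAR} {e['ts']}", "%Y %b %d %H:%M:%S")
    e["spt"] = int(e["spt"]) if e["spt"] else None   # absent for ICMP
    e["dpt"] = int(e["dpt"]) if e["dpt"] else None
    return e


def window_start(ts, window):
    """Floor a timestamp to the start of its window (window in seconds)."""
    secs = ts.hour * 3600 + ts.minute * 60 + ts.second
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight + timedelta(seconds=secs - secs % window)


def evaluate(log_text, window=60):
    """Count rule matches per window and return (counters, alarms).

    counters: {rule: {window_start: count}}
    alarms:   [(rule, window_start, count)] for windows at or above threshold
    """
    counters = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        e = parse(line)
        if e is None:
            continue  # sshd, cron etc.: not a firewall line, only archived
        bucket = window_start(e["ts"], window)
        for name, matches, _ in RULES:
            if matches(e):
                counters[name][bucket] += 1
    alarms = []
    for name, _, threshold in RULES:
        for bucket, count in sorted(counters.get(name, {}).items()):
            if count >= threshold:
                alarms.append((name, bucket, count))
    return {n: dict(b) for n, b in counters.items()}, alarms


if __name__ == "__main__":
    counters, alarms = evaluate(SAMPLE_LOG)
    for name, buckets in counters.items():
        print(name, {b.strftime("%H:%M"): c for b, c in buckets.items()})
    for name, bucket, count in alarms:
        print(f"ALARM {name}: {count} hits in the minute from {bucket:%H:%M}")
```

On the sample the six inbound drops in one minute and the three domain-controller attempts each trip their counter, while the two blocked outbound connections stay below threshold and are only counted. The alarm list is what you would hand to a mail notification; the per-rule counters are what you would feed to a monitoring system such as nagios to watch for floods or misconfiguration.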