February 8th, 2003 04:04 AM
How do you guys find the exact info:
I would like to know or if someone could show me how you guys find all the info people request : for instance i wanna know: im trying to setup a firewall machine on my 7.0 nix box...i got the basics about iptables which im using but wanna know HOW to LOG port scans using them??. And information on what services are safe to run on a firewall machine like keylogger, nfs <---- i would like to know what these things do?( NFS is just an example i think i know what it is
Soo i go to www.google.com and i use "coppernic":
port scan logging +iptables
keylogger +linux startup <----(keylogger) what it does and if i need it stuff like that
But i dont get the results very clearly like how you guys sometimes post. Was wandering if any one can help me on this.I know most of you just got the knowledge but always have a LINK too thats pretty clear . Any help on how to search better for these kinds of things: and what would u do if you needed to find info on this stuff.(any examples PEOPLE want to share like tips what they do to find the info)
February 8th, 2003 04:19 AM
I've never used IP tables, but i'm going under the assumption that it's like ipchains and ipfwadm which means it's firewalling software, not logging software. I'd suggest looking into an actual IDS such as snort or even packet capturing software.. either in it's basic form like ippl or in it's advanced form like tcpdump. or psad - Port Scan Attack Detector
try - SNORT +"port scan" +logging
as far as the second part.. i'm not entirely sure what you are trying to figure out. Basic rule is kill services you don't need.. leave what you do need. Following that try a search like
Linux +boot +daemons
or Linux +boot +services
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
February 8th, 2003 08:17 AM
As time goes by and you look in general for security related issues, you come across many sites, which at that time you may not need. So you bookmark them and look back at them at a later time. If your bookmarks are organized into categories (for example my bookmarks are categorized into OS - security/drivers/servers/clients/general software etc etc...). So after some time, if i need info on iptables, i go back to my bookmarks and lookup the sites marked as "iptable tutorials" or "iptables extras" etc... Also the man pages and a few books help alot. Google is one of the my biggest sources. Now since over here most of us have a rather nice collection of information and sites, we share what we have, so that helps us increase our information source. When i fist came here to AO, i already had a rather large bookmarks collection, and in the short time im here it has increased alot (thanx to all AOers). Every link that is posted here on AO may come in handy again and again at a later time. Also alot of us here have learned these many things either its in school, college, work, special training, friends, etc.... That also increases the source of information. You will sometimes see people start a thread which only has links on them. Also when you goto a website, there usually is a section called links on there, so just follow the links to other sites. This can take time, but it helps.
For your specific iptables problem with the logging, you will find alot of info if you just search for the keywords "advanced iptables tutorials + howtos". After using these keywords, i have come up with the following results:
$IPTABLES -A INPUT -j LOG
$IPTABLES -A OUTPUT -j LOG
$IPTABLES -A FORWARD -j LOG
Now with this information i am able todo a more advanced search in google for example or other iptables tutorials, using the keywords "iptables -a input -j LOG" or "iptables -j log" etc...
which will give me the results of many examples. For the portscanning, for example, i use a seperate programm called scanlogd. I have a script that reads my /var/log/messages and greps certain keywords concerning the scanlogd, which is then added to my iptables rules file. Depending on that, my firewall for example drops packets comming from that source. The other solution is, /var/log/messages actually shows everything being accepted or dropped by the iptables. You could just make a script that greps out everything related to the iptables and stdout into a file, like for example tail -f /var/log/messages | grep IPTABLES >> /home/userme/mylogs . Thats just one example, there are many.
The other solution would be that you actually learn the entire iptables with all its features, which WILL also tell you howto do those things.
I hope this helps you understand how some of us get the information, how to help you solve your logging problems, and your portscan logging. There are many other ways of doing all this. Remember though, that only a firewall is not enough protection.....you will need a few others utils to secure yourself, like IDS, secheck scripts, strong passwords etc....
Good luck, Cheers.
Also there are some awesome iptables tutorials on AO. Look for them too
Ubuntu-: Means in African : "Im too dumb to use Slackware"