Results 1 to 3 of 3

Thread: What logs to watch where to find hacks or scans!

  1. #1

    Question What logs to watch where to find hacks or scans!

    In keeping with trying to stimulate some good topics and hopefully help myself learn here is yet another query.

    I have been working harder to understand the areas of exactly what are the most common hacker search tools and what is up with all the port scanning. As we all know many got hit by that Nimda virus one week ago today. I was really trying to watch over my network administrators back to learn how to prevent. With some knowledge I knew that the best way was to close down or deny any suspecious requests. I asked around and for a linux box I was told to look at the log files.

    What I would like in response is any information with a detailed ordered list of what someone should do in these cases. Not just on linux but winnt, freebsd, whatever. I am sure there are many regulars on here who would really like to know where to get started from finding the intruding ip to tracing it and denying it.

  2. #2

    Re: What logs to watch where to find hacks or scans!

    Originally posted by FlashOveride
    In keeping with trying to stimulate some good topics and hopefully help myself learn here is yet another query.

    I have been working harder to understand the areas of exactly what are the most common hacker search tools and what is up with all the port scanning. As we all know many got hit by that Nimda virus one week ago today. I was really trying to watch over my network administrators back to learn how to prevent. With some knowledge I knew that the best way was to close down or deny any suspecious requests. I asked around and for a linux box I was told to look at the log files.

    What I would like in response is any information with a detailed ordered list of what someone should do in these cases. Not just on linux but winnt, freebsd, whatever. I am sure there are many regulars on here who would really like to know where to get started from finding the intruding ip to tracing it and denying it.
    On my openBSD box, /var/log/ipflog, and my snort log.

    Should vary for other OSes.

    Jean-Francois

  3. #3
    Member
    Join Date
    Sep 2001
    Posts
    77
    A lot will depend on the hardware and software you are running and your network design, though tools suchs as network sniffers and network intrusion detections systems are a must if your net is attached to THE NET.

    I find snort picks up the majority of attacks that make it past the firewall, depending on the attack and what equipment you are using, you can build scripts to have the firewall lock out the scans, or have it tell the webserver drop or redirect the packets.

    Again, your firewall should stop most attacks, your network intrusion system should identify any attacks that make it by the firewall, and your system logs should tell you what happened on each host as a result of the scan/attack. Logs from all 3 will help you identify the attacker and start the trace procedure.

    In the event a system is compromised, and you are considering legal action, isolate the compromised system and make static copies of your logs. Most authorities will look at this as evidence and will require you to let them take it with them for review( its good idea to keep a seperate offline backup system to put in place to replace the one the authorities take ).

    cheers
    I\'m not a BOT I\'m a beer droid!
    Prepare to be Assimilated.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •