Thread: Linux- Logging:How do I?

  1. #1

    Post Linux- Logging:How do I?

    Hello,
    I recently installed Redhat 7.1, upgraded the kernel, and connected to the internet, all with help from users on this forum. So I figured, after looking at a bunch of Howtos with no luck, I should post something here.
    I want to be able to log all attempts to access my PC on a certain port. I would like to set up /etc/syslog.conf to make it log any attempts on any common ports. Can anyone help me? I have looked at the man page of "syslog.conf" but it was no help.

    Any and all help is greatly appreciated.....

    -Thanks...
    Jason
    __________________________
    Caution: in case of rapture, this computer will be unoccupied!

  2. #2
    oblio
    Guest
    check out tcplogd.c on packetstorm

  3. #3
    Senior Member
    Join Date
    Jul 2001
    Posts
    138
    You should also check out Portsentry at psionic.com

    It will log all suspicious activity, as well as give you the option to automatically drop the attacking IP into the hosts.deny file (for tcpwrappers) and IPTables/IPChains whichever kernel you use. Check it out. It's an excellent product. Good luck.

    Happy Hacking
    -----------------------------------------------------
    Warfare is the Way of deception.
    -Sun Tzu "The Art of War"

  4. #4

    Thanks

    I'm checking it out. I got the source for it, just need to go home and compile it.
    Is there any way to set up /etc/syslog.conf to log any attempts on a certain port? I don't want it to log the service because I have it disabled, but I do want to log any attempts to see what services I have running, whether it be nmap or whatever.


    Thanks,
    Jason
    __________________________
    Caution: in case of rapture, this computer will be unoccupied!

  5. #5
    Senior Member
    Join Date
    Jul 2001
    Posts
    138
    Portsentry logs the connection attempts to a special file called portsentry.history. This file is located in the /usr/local/psionic/portsentry directory by default. Mandrake comes with it pre-installed and it is located in the /etc/portsentry directory instead. You will need to be root to access the default directory. I like the separate logging as it is easier to see exactly what you are looking for. Good luck.

    Happy Hacking
    -----------------------------------------------------
    Warfare is the Way of deception.
    -Sun Tzu "The Art of War"

  6. #6
    Junior Member
    Join Date
    Dec 2001
    Posts
    6
    Just to add to what gaxprels has to say, you can set portsentry to do several detection modes, including my favorite 'advanced stealth tcp scan' (option -atcp). In addition it can make use of tcp wrappers and an ipchains or iptables rule, and will add the IPs of offending machines to /etc/hosts.deny.

    http://www.psionic.com makes another great and 'free' product called logcheck. It scans logs for suspect activity and compiles a log that can be mailed to anyone you like, ranking the activity from very suspicious to just something you should know. Truly fantastic logging.
    unNamed-Player
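    As an added example (not from anyone in this thread), here is the iptables/syslog route to what Jason asked for: a LOG rule makes the kernel emit a line for every SYN to a port whether or not a service listens there, syslog.conf routes those kernel messages to a file, and a small shell function summarizes the resulting lines per source and port. The rule, the syslog.conf line, the "PORTLOG:" prefix and the sample log lines are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a 2.4 kernel with iptables and
# the LOG target. The rule below (shown, not executed) logs every new TCP
# connection attempt to port 23 via the kernel log facility, rate-limited so
# a scan cannot flood the log:
#   iptables -A INPUT -p tcp --dport 23 --syn -m limit --limit 10/min \
#            -j LOG --log-prefix "PORTLOG: " --log-level warning
# Routing those messages to their own file in /etc/syslog.conf (tab-separated):
#   kern.warning	/var/log/portlog

# Count logged attempts per source IP and destination port.
# Input: syslog lines on stdin; output: "count src dport", busiest first.
summarize_portlog() {
    grep 'PORTLOG: ' |
    awk '{
        src = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5);
            if ($i ~ /^DPT=/) dpt = substr($i, 5);
        }
        if (src != "" && dpt != "") count[src " " dpt]++
    }
    END { for (k in count) print count[k], k }' |
    sort -rn
}

# Constructed sample lines in the format the iptables LOG target produces,
# plus one unrelated line that must be ignored.
SAMPLE_LOG='Dec 12 10:01:02 box kernel: PORTLOG: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 12 10:01:03 box kernel: PORTLOG: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 12 10:01:04 box kernel: PORTLOG: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=555 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 12 10:01:05 box sshd[123]: Accepted publickey for jason from 192.0.2.20'

# Stand-alone entry point: prints "2 192.0.2.10 23" then "1 198.51.100.7 23".
report() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_portlog
}

report
```

    On a real box, replace the sample input with `summarize_portlog < /var/log/portlog`; only attempts the LOG rule saw are counted, so a hosts.deny entry added by portsentry will stop the tcpwrapped service but not the log line.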

  7. #7
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    there is always snort. www.snort.org
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

  8. #8

    Thanks

    I am out of town on vacation right now; thanks for everyone's help. When I get back in town I will try all of your suggestions.

    Thanks,
    Jason
    __________________________
    Caution: in case of rapture, this computer will be unoccupied!
