Let us presume you (the admin) are not at your desk and your firewall is under attack. How would you find out if you are not there? I would like to present two solutions that might help you notice an attack, or any other suspicious entries, in your log files.

The first possibility is to have your firewall email you the logs with the critical information.

The easiest way is to write a small shell script that reads (greps) your /var/log/messages and looks for lines which include terms such as deny, drop, etc. You can use a cron job to grep /var/log/messages regularly, and in case of a match it will email you the matching log lines at once. Bear in mind that this only helps if the attacker cannot capture that packet (the email) on its way out, and does not manage to delete his tracks from the log before the cron job reads it. The example I am about to show you below is my actual setup for that script.

#!/bin/sh
#
# /usr/local/bin/alarm
#
# Mail every DENY line found in /var/log/messages, then move the log
# aside so the same lines are not reported again on the next run.
TIMESTAMP=$(date +"%C%y%m%d%H%M")
if grep -q DENY /var/log/messages;
then
    grep DENY /var/log/messages | mail -s attackalarm [email protected]
    # Copy first, then empty the live file. (A "> /var/log/messages"
    # redirection on the cp line itself would truncate the log before
    # cp gets to read it, leaving you with an empty backup.)
    cp /var/log/messages /var/log/messages.$TIMESTAMP && : > /var/log/messages
fi
#EOF

This script can be configured in cron to run every minute. The attacker then has at most one minute between his first contact with the blocked port and the moment the alarm email is sent. The downside of this email solution is that the email actually has to be read.
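As an added example (not the script from the original post), here is a variant of the same grep-and-report idea that remembers how many lines it has already examined instead of truncating /var/log/messages on every run. The state file path, the DENY|DROP pattern and the sample log lines are assumptions made for the example; the sample lines are constructed, not real firewall output. Only the lines that arrived since the previous run are printed, so the cron job reports each hit exactly once, and the live log is left alone for syslogd and your normal log rotation.

```shell
#!/bin/sh
# Added example: report only the new lines matching a pattern since the
# last run, without truncating the log. Assumptions (not from the page):
# a state file holding the number of lines already checked, and grep -E
# for the pattern.

# alarm_check LOGFILE STATEFILE PATTERN
# Prints the new lines matching PATTERN, records how far it got, and
# returns 0 if there was at least one match (1 otherwise), so a cron
# job can do: alarm_check ... | mail -s attackalarm admin@example.com
alarm_check() {
    log=$1; state=$2; pattern=$3
    last=0
    [ -f "$state" ] && last=$(cat "$state")
    total=$(wc -l < "$log" | tr -d ' ')
    # If the log is shorter than last time it was rotated or truncated
    # behind our back: start again from the top rather than skipping lines.
    [ "$total" -lt "$last" ] && last=0
    # tail -n +N prints from line N on; "|| true" keeps a no-match grep
    # from aborting the function when the caller runs with set -e.
    hits=$(tail -n +$((last + 1)) "$log" | grep -E "$pattern" || true)
    echo "$total" > "$state"
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
    return 0
}

# Constructed sample of /var/log/messages (not real log data) to try it on.
tmp=$(mktemp -d)
LOG=$tmp/messages
STATE=$tmp/alarm.state
cat > "$LOG" <<'EOF'
Mar  1 10:00:01 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=80
Mar  1 10:00:02 fw kernel: DENY IN=eth0 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP DPT=23
EOF

# First run: prints the DENY line (this is what you would pipe into mail).
alarm_check "$LOG" "$STATE" 'DENY|DROP'
# Second run with nothing new: prints nothing and exits 1, so no mail is sent.
alarm_check "$LOG" "$STATE" 'DENY|DROP' || echo "no new matches"
```

The line-count approach is deliberately simple; it assumes syslogd only ever appends to the file, which is the normal case. If you rotate the log with logrotate, the "shorter than last time" check above handles the moment after rotation.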

Another solution is with the help of an application called yaps (yet another pager software). This application will send an SMS to your mobile phone or pager. After you have installed and configured yaps (see http://mitglied.lycos.de/HMGerhards/linux/en/how01.html for how to do this), create a little script so that grep will notify you that way. Example:

#!/bin/sh
#
# /usr/local/bin/alarm
#
# Send an SMS via yaps as soon as a DENY line shows up, then move the
# log aside so the next run does not page you again for the same lines.
TIMESTAMP=$(date +"%C%y%m%d%H%M")
if grep -q DENY /var/log/messages;
then
    yaps 0933243455 attackalarm
    # Copy first, then empty the live file (see the note in the email script).
    cp /var/log/messages /var/log/messages.$TIMESTAMP && : > /var/log/messages
fi
#EOF

This will send you an SMS the moment a DENY line turns up. Note that, as written, the SMS only contains the keyword "attackalarm", not the log lines themselves; in combination with the email script above (which mails the matching lines) this can be a very helpful feature. This script can also be run every minute from cron.

Another way to make sure the attacker cannot "block" these scripts, or wipe the log lines before they are reported, would be to have a second computer connected via serial console which takes over the logging process. That way the logging computer is not reachable from the network at all, and whatever the firewall has already logged stays out of the attacker's reach.

NOTE: I know that many of you hate the use of cron; this is only an example. You could use other means of executing the scripts regularly every minute. I hope this helps you.

Good luck.

Cheers.