Re: [SLUG] Log File Viewer

From: Glen (gurensan@tampabay.rr.com)
Date: Mon Jun 17 2002 - 13:21:51 EDT


I usually just log SYN packets coming in from the outside. Since you can't
connect without them, I just run a cron job to look at logged SYN packets,
where they're coming from, when the attempt was made, and what port. If I
don't recognize a connection attempt, I look up what's supposed to be using
that port.

This, of course, does absolutely nothing for exploits for services that are
running on the system, but then I run only ssh, iptables, and the one daily
cron'd run of ntpdate on the firewall (strange battery thing). Nothing else I
run uses any network resources, i.e. cron.

        Glen

On Sunday 16 June 2002 02:12 am, you wrote:
> Does anyone have a recommendation for a log file viewer? I want to be able
> to quickly look them over and be alerted to new styles of attack without
> having to be a rocket scientist to set it up or use it.
>
> I am presently using KDE on Mandrake with the 2.4.17 kernel and running a
> number of servers including http, ftp and ntp.
>
> Bill
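The cron-side parsing Glen describes (pull logged inbound SYN packets, show source, time and destination port, and flag anything not on the list of ports that are supposed to be open) can be done with a short script over the kernel log. The block below is an added example, not code from the thread or from either poster. It assumes the lines were written by an iptables LOG target with a log prefix of `IN_SYN:` (the prefix and the sample lines are constructed for the example; the thread does not give Glen's actual rule or log format), and that the set of expected ports is passed in by the caller.

```python
import re
from collections import Counter

# Flag names as they appear in iptables LOG output for TCP packets.
TCP_FLAG_NAMES = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample syslog lines in iptables LOG format (not from the thread).
# Line 3 is an ACK, not a new connection attempt, and should be ignored.
SAMPLE_LOG = """\
Jun 17 02:14:01 fw kernel: IN_SYN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4321 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 17 02:14:05 fw kernel: IN_SYN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4322 DF PROTO=TCP SPT=51235 DPT=1433 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 17 02:15:30 fw kernel: IN_SYN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=198.51.100.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=99 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 ACK URGP=0
Jun 17 02:16:02 fw kernel: IN_SYN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=100 DF PROTO=TCP SPT=40001 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 17 02:16:10 fw sshd[1234]: Accepted publickey for glen from 192.0.2.44 port 40002 ssh2
"""

# Matches the syslog timestamp prefix "Mon DD HH:MM:SS".
TS_RE = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_line(line):
    """Parse one iptables LOG line into a dict; return None for non-TCP or non-LOG lines."""
    m = TS_RE.match(line)
    if not m or "kernel:" not in line:
        return None
    fields = {}
    flags = set()
    for tok in line.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        elif tok in TCP_FLAG_NAMES:
            flags.add(tok)
    if fields.get("PROTO") != "TCP" or "SRC" not in fields or "DPT" not in fields:
        return None
    return {
        "ts": m.group(1),
        "src": fields["SRC"],
        "dpt": int(fields["DPT"]),
        "flags": flags,
    }


def syn_attempts(log_text):
    """Keep only new inbound connection attempts: SYN set, ACK clear."""
    attempts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            attempts.append(rec)
    return attempts


def summarize(attempts, expected_ports):
    """Count attempts per (source, port) and list the ones aimed at unexpected ports."""
    by_src_port = Counter((a["src"], a["dpt"]) for a in attempts)
    unexpected = [a for a in attempts if a["dpt"] not in expected_ports]
    return by_src_port, unexpected


def report(log_text, expected_ports):
    """Build the text a daily cron job would mail: one line per (src, port), then the exceptions."""
    attempts = syn_attempts(log_text)
    by_src_port, unexpected = summarize(attempts, expected_ports)
    lines = ["inbound SYN attempts by source and port:"]
    for (src, dpt), n in sorted(by_src_port.items()):
        lines.append(f"  {src:<15} dpt={dpt:<5} count={n}")
    lines.append("attempts to ports not in the expected list:")
    for a in unexpected:
        lines.append(f"  {a['ts']}  {a['src']} -> port {a['dpt']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real firewall the log text would come from /var/log/messages or similar.
    print(report(SAMPLE_LOG, expected_ports={22}))
```

Only packets with SYN set and ACK clear are counted, so the replies to the firewall's own outbound connections (which also carry SYN but with ACK) and ordinary mid-stream packets do not show up as attempts. The "expected ports" set is what turns a raw list into something worth reading each morning: anything outside it is the connection attempt Glen says he would go and look up.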



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 12:48:03 EDT