Subject: Security centre
To: None <tech-security@netbsd.org>
From: Jan Danielsson <jan.danielsson@gmail.com>
List: tech-security
Date: 02/05/2006 19:59:52

Hello all,

   I have set my NetBSD server to log all traffic (via pf and tcpdump),
and I have written an apache2 mod_python interface for reviewing the
logs. Pretty soon, I realized that there are quite a few people(?) who
are trying to get in on port 22. I cross checked with /var/log/authlog,
and sure enough... All the "users" "user", "user1", "student",
"oracle", etc have tried to gain access.

   In my web app, I have a reporting system. I can list all inbound port
22 connections, click on a host, and it creates a report containing all
the relevant connections. It performs a "whois" lookup to find the
appropriate abuse-address, etc.. Now, I would also like to include the
relevant /var/log/authlog entries in case the port in question was port 22.

   However, /var/log/authlog is getting rotated, but I can't figure
where/how often, etc. If I would perform a query at a "bad time", I
assume the log entry could have been archived. So I would like to find a
more fail safe way to catch the "bad logins".

   Reviewing "man syslog.conf", I realized that there's something called
"filters". I wonder: Could I send log entries destined for authlog to a
script of my own, where I check for sshd and an address, and store such
entries in my postgres database?

   Is there any other relevant data which I could include in my abuse
report generation?

-- 
Kind Regards,
Jan Danielsson
Te audire non possum. Musa sapientum fixa est in aure.
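Added example, not part of the original post: a small Python filter of the kind the post asks about, reading syslog-style lines (as a syslog pipe action would hand them over on stdin), keeping only sshd failed-login entries, and grouping them by source address so they can be stored or attached to an abuse report. The OpenSSH message formats and the sample authlog lines are assumed and constructed here, not taken from the post.

```python
import re
from collections import defaultdict

# Assumed OpenSSH message shapes (constructed, not from the post); sshd also logs an
# "Invalid user X from A" line before the "Failed ... invalid user X" line for one attempt.
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
                       r"from (?P<addr>[0-9A-Fa-f.:]+) port (?P<port>\d+)")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<addr>[0-9A-Fa-f.:]+)")


def parse_sshd_line(line):
    """Return a dict for a failed or invalid-user sshd login line, else None."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None  # not an sshd entry (cron, su, ...)
    msg = m.group("msg")
    base = {"ts": m.group("ts"), "host": m.group("host")}
    f = FAILED_RE.match(msg)
    if f:
        return dict(base, kind="failed", user=f.group("user"),
                    addr=f.group("addr"), port=int(f.group("port")))
    i = INVALID_RE.match(msg)
    if i:
        return dict(base, kind="invalid", user=i.group("user"), addr=i.group("addr"), port=None)
    return None  # accepted logins, session open/close, ...


def summarize(lines):
    """Group bad logins by source address: {addr: {"count": n, "users": [...]}}."""
    per_addr = defaultdict(lambda: {"count": 0, "users": set()})
    for line in lines:
        ev = parse_sshd_line(line)
        if ev and ev["kind"] == "failed":  # count each attempt once (skip the "Invalid user" twin)
            per_addr[ev["addr"]]["count"] += 1
            per_addr[ev["addr"]]["users"].add(ev["user"])
    return {a: {"count": d["count"], "users": sorted(d["users"])} for a, d in per_addr.items()}


# Constructed sample authlog lines (RFC 5737 documentation addresses).
SAMPLE_AUTHLOG = """\
Feb  5 19:30:01 nb sshd[1234]: Failed password for invalid user student from 192.0.2.10 port 41022 ssh2
Feb  5 19:30:05 nb sshd[1236]: Failed password for root from 192.0.2.10 port 41030 ssh2
Feb  5 19:30:09 nb sshd[1238]: Invalid user oracle from 192.0.2.10
Feb  5 19:31:00 nb sshd[1240]: Accepted publickey for jan from 198.51.100.7 port 50000 ssh2
Feb  5 19:31:10 nb cron[200]: (root) CMD (/usr/libexec/atrun)
Feb  5 19:32:00 nb sshd[1242]: Failed password for invalid user user1 from 203.0.113.9 port 2201 ssh2
""".splitlines()
```

Feeding `summarize(sys.stdin)` from a syslog pipe gives per-address records that a report generator can insert into a database instead of reading a log file that may already have been rotated.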

