How can I detect attacks / probes / portscans on my server?
I'm writing a script to monitor attacks and probes on my server. But I'm primarily just grepping /var/log/messages for interesting information. Where else do I look?
In addition to Fail2Ban look at DenyHosts. They work a little differently, so one might fit better in your environment than the other. The two lightest weight log monitoring tools I've used have been LogWatch and logsentry.
LogWatch is a fairly standard tool these days. It normally runs nightly, parses through a bunch of logs and will email a nice report of the daily activity. Things like user logins, sudo commands, disk utilization, as well as generally weird log messages. In my experience, this tool is almost never tuned and the default config provides sufficiently good results.
Logsentry (formerly logcheck) runs more frequently, normally hourly, and is strictly a log message parser. It contains a whitelist of normal messages and assumes that anything else is bad. Those bad messages then get compiled together and emailed out. This tool can require quite a bit of tuning. You must make sure that it both monitors all the log files you want, as well as making sure it knows what is normal in your environment.
Both are nice tools, and different enough that running both isn't necessarily redundant. In the past I had used LogWatch to give me a nice summary of the state of the system each day, with logsentry letting me know when something out of the ordinary happened.
I run Shorewall as the firewall with a log drop policy. I use a dshield log parser to report port probes to dshield.org, and copy me with the log file. The logcheck tool also scans my logs once an hour and reports any interesting data.
I find port scans are not done that frequently now. It may be that use of tools like fail2ban makes port scans not that attractive any more.
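As an added example (not code from any of the answers above), here is a small parser for the kind of netfilter/Shorewall log-drop lines the asker would find in /var/log/messages. It separates a source that sweeps many distinct ports (a probe or portscan) from one that keeps retrying a single service (the brute-force pattern Fail2ban handles); the log format, the sample lines and the threshold of five distinct ports are assumptions for this example.

```python
import re
from collections import defaultdict
# Constructed sample /var/log/messages lines in the netfilter/Shorewall log-drop
# format (RFC 5737 documentation addresses; not captured from a real host).
SAMPLE_LOG = """\
Mar  3 10:15:01 srv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=44 TTL=50 ID=0 DF PROTO=TCP SPT=41234 DPT=21 WINDOW=1024 SYN URGP=0
Mar  3 10:15:01 srv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=44 TTL=50 ID=0 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=1024 SYN URGP=0
Mar  3 10:15:02 srv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=44 TTL=50 ID=0 DF PROTO=TCP SPT=41234 DPT=23 WINDOW=1024 SYN URGP=0
Mar  3 10:15:02 srv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=44 TTL=50 ID=0 DF PROTO=TCP SPT=41234 DPT=25 WINDOW=1024 SYN URGP=0
Mar  3 10:15:03 srv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=44 TTL=50 ID=0 DF PROTO=TCP SPT=41234 DPT=443 WINDOW=1024 SYN URGP=0
Mar  3 10:15:03 srv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=44 TTL=50 ID=0 DF PROTO=TCP SPT=41234 DPT=3389 WINDOW=1024 SYN URGP=0
Mar  3 10:16:10 srv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=55000 DPT=22 WINDOW=65535 SYN URGP=0
Mar  3 10:16:11 srv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=55001 DPT=22 WINDOW=65535 SYN URGP=0
Mar  3 10:16:12 srv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 LEN=84 TTL=64 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=1
Mar  3 10:17:00 srv sshd[2112]: Accepted publickey for admin from 203.0.113.40 port 50022 ssh2
"""

# Fields we need from a kernel/netfilter log line; SPT/DPT are absent for ICMP.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def parse_drops(lines):
    """Return (src, proto, dpt) for every DROP line; dpt is None for ICMP."""
    events = []
    for line in lines:
        if "DROP" not in line:
            continue  # accepted traffic and non-firewall lines (sshd etc.) are skipped
        m = LOG_RE.search(line)
        if m:
            dpt = int(m.group("dpt")) if m.group("dpt") else None
            events.append((m.group("src"), m.group("proto"), dpt))
    return events

def find_scanners(events, threshold=5):
    """Flag sources that hit at least `threshold` distinct ports (a sweep),
    as opposed to one service being retried (a brute-force pattern)."""
    ports, hits = defaultdict(set), defaultdict(int)
    for src, _proto, dpt in events:
        hits[src] += 1          # every dropped packet counts, ICMP included
        if dpt is not None:
            ports[src].add(dpt)  # only TCP/UDP carry a destination port
    return {src: {"ports": sorted(p), "hits": hits[src]}
            for src, p in ports.items() if len(p) >= threshold}

if __name__ == "__main__":
    for src, info in find_scanners(parse_drops(SAMPLE_LOG.splitlines())).items():
        print(f"{src}: {info['hits']} dropped packets on ports {info['ports']}")
```

In practice you would feed it `tail -F /var/log/messages` or a logcheck-style hourly slice, and add a time window so that a slow scan spread over days is not lost in the counts.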
Snort is a lightweight network intrusion detection system. It monitors network traffic and analyzes it against a rule set defined by the user.
Fail2ban scans log files. It supports SSH, HTTP, VOIP, MTA, and user definition rules.