
Tips&Tricks Realtime firewall alerts


aru

daYz

Frequent user

Joined: 01 May 2002

Posts: 73

Location: The Netherlands

 

Post Posted: Thu May 02, 2002 6:54 pm Post subject: Realtime firewall alerts

_________________________________________________________________

 

 

This command comes in handy if you want real time alerts if your firewall does not support them:

 

Open a terminal (K->terminals)

 

type su (This way you get superuser (root) status, so you can do all the things you must be root for, like file editing or so.)

 

Your password

 

Then:

 

tail -f /var/log/messages (Or another log file)

 

This way you will be notified about attacks on your computer in real time.

 

If you see another IP behind SRC= it's likely that you're being attacked. 192.168.*.* is from your internal network.

 

Enjoy.
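As an added example (not from the thread), a small POSIX shell filter that does the SRC= check from the post automatically: it reads netfilter/ipchains-style kernel log lines, skips lines without a SRC= field, and prints the source address and destination port of anything that did not come from an internal address. It goes beyond the post, which only mentions 192.168.*.*, by also treating 10/8 and 172.16/12 as internal (the RFC 1918 ranges). The log lines and addresses are constructed; the SRC=, DST= and DPT= field names are the ones the kernel firewall logger writes.

```shell
#!/bin/sh
# Added example, not from the original thread: filter firewall log lines the way
# the post describes, keeping only entries whose SRC= is not an internal address.
# Assumes netfilter/ipchains-style "SRC=a.b.c.d ... DPT=n" fields in /var/log/messages.

# Constructed sample lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges.
SAMPLE_LOG='May  2 18:50:01 host kernel: IN=ppp0 OUT= SRC=203.0.113.45 DST=192.168.1.2 PROTO=TCP DPT=22
May  2 18:50:02 host kernel: IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.2 PROTO=UDP DPT=137
May  2 18:50:03 host kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.168.1.2 PROTO=TCP DPT=135
May  2 18:50:04 host cron[123]: (root) CMD (run-parts /etc/cron.hourly)'

# field NAME LINE: print the value of "NAME=value" in LINE, or "-" if absent.
field() {
  case "$2" in
    *"$1="*) v=${2#*"$1="}; printf '%s\n' "${v%% *}" ;;
    *) printf '%s\n' '-' ;;
  esac
}

# is_private_ip ADDR: exit 0 for RFC 1918 addresses. The post only mentions
# 192.168.*.*; 10/8 and 172.16/12 are added here (assumption: they are internal too).
is_private_ip() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# flag_external_src: read log lines on stdin, print "SRC DPT" for each line
# whose source is not private. Lines without a SRC= field are skipped.
flag_external_src() {
  while IFS= read -r line; do
    src=$(field SRC "$line")
    [ "$src" = '-' ] && continue
    if ! is_private_ip "$src"; then
      printf '%s %s\n' "$src" "$(field DPT "$line")"
    fi
  done
}

# Live use:   tail -f /var/log/messages | flag_external_src
# Demo on the constructed lines; prints the two external sources.
printf '%s\n' "$SAMPLE_LOG" | flag_external_src
```

For live use, pipe `tail -f /var/log/messages` into `flag_external_src` instead of the demo printf at the bottom; the cron line in the sample shows that unrelated syslog entries are ignored rather than mis-parsed.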

 

 

mwilliams15

Frequent user

Joined: 01 May 2002

Posts: 68

Location: central N.C., USA

Post Posted: Fri May 03, 2002 9:05 am Post subject:

_________________________________________________________________

 

 

You can download the root-tail app and have the messages displayed directly to your desktop, set your font, colors - makes for a pretty funky look. See it in action here. Upper left corner, please forgive the smeared colors.

 

 

arusabal

Moderator

Joined: 17 Apr 2002

Posts: 836

Location: Spain

Post Posted: Fri May 03, 2002 9:46 am Post subject:

_________________________________________________________________

 

 

There is a tool called swatch which is very useful in this case. It's just a watcher to monitor system activity. It can be very useful if it's configured to search for patterns and to perform an action when such patterns are found.

 

Example of usage:

 

Code:

swatch --config-file=~/.swatchrc --tail-file=/var/log/messages



 

 

Where ~/.swatchrc is the config file, which could be like this:

 

Code:

watchfor /Relaying denied|expn/
    echo=normal
    mail=root@localhost,subject=--- Sendmail Alert! ---
    throttle 5:00 0:16



 

 

In the example, "/Relaying denied|expn/", if swatch matches either pattern in the regular expression, it will send an alert. The first pattern "Relaying denied" is the result of someone attempting an unauthorized mail relay. The pattern "expn" is the result of someone attempting to use the expn command. The "echo=normal,mail=root@localhost" will email a warning to root and echo the matched log entry. The third and fourth fields (which are optional) have "5:00 0:16". This states: do not repeat any warning for identical patterns matched within 5 minutes. The last field states the location and length of the timestamp.

 

You'll find more in man swatch.
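To make the three ideas in that .swatchrc concrete (a watchfor regex, an action on match, and a throttle that suppresses repeats of the same match for a period), here is an added example of a minimal swatch-like watcher written in POSIX shell. It is not swatch's own code and not part of the thread; it assumes `grep -E -o` (GNU or BSD grep) and a writable temp directory, and the sendmail-style log lines and epoch timestamps in the demo are constructed. The action is just echoing the entry; swatch's `mail=` action would be a pipe into `mail` at the same spot.

```shell
#!/bin/sh
# Added example, not from the thread or from swatch itself: a minimal swatch-like
# watcher in POSIX shell with the same three ideas as the .swatchrc above:
# a "watchfor" regex, an action on match, and a per-pattern throttle.
# Assumes grep -E -o (GNU/BSD grep) and a writable temp directory.

PATTERN='Relaying denied|expn'   # mirrors: watchfor /Relaying denied|expn/
THROTTLE=300                     # seconds; mirrors: throttle 5:00
STATEDIR=$(mktemp -d)            # one file per matched pattern holds the last alert time
trap 'rm -rf "$STATEDIR"' EXIT

# should_alert KEY NOW_EPOCH: exit 0 and record NOW if no alert for KEY fired
# within the last THROTTLE seconds; exit 1 otherwise.
should_alert() {
  f="$STATEDIR/$(printf '%s' "$1" | tr -c 'A-Za-z0-9' _)"
  now=$2
  if [ -r "$f" ]; then
    last=$(cat "$f")
    [ $((now - last)) -lt "$THROTTLE" ] && return 1
  fi
  printf '%s\n' "$now" > "$f"
  return 0
}

# process_line LINE NOW_EPOCH: if LINE matches PATTERN and is not throttled,
# perform the action (here: echo the entry; swatch's mail= would go here too)
# and exit 0. Exit 1 when nothing fires.
process_line() {
  line=$1; now=$2
  match=$(printf '%s\n' "$line" | grep -E -o "$PATTERN" | head -n 1)
  [ -n "$match" ] || return 1
  should_alert "$match" "$now" || return 1
  printf 'ALERT [%s]: %s\n' "$match" "$line"
}

# watch_file PATH: live equivalent of --tail-file; not run in the demo.
watch_file() {
  tail -f "$1" | while IFS= read -r l; do
    process_line "$l" "$(date +%s)" || true
  done
}

# Demo on constructed sendmail-style lines with constructed epoch times ("ts|line").
# The second "Relaying denied" (100 s later) is suppressed; the fourth (400 s) fires.
printf '%s\n' \
  '5000|May  3 09:40:01 mx sendmail[101]: relay=[203.0.113.9], reject=550 Relaying denied' \
  '5100|May  3 09:41:41 mx sendmail[102]: relay=[203.0.113.9], reject=550 Relaying denied' \
  '5200|May  3 09:43:21 mx sendmail[103]: relay=[198.51.100.4], expn root' \
  '5400|May  3 09:46:41 mx sendmail[104]: relay=[203.0.113.9], reject=550 Relaying denied' |
while IFS='|' read -r ts l; do process_line "$l" "$ts" || true; done
```

The throttle is keyed on the text that actually matched, so a burst of "Relaying denied" lines does not silence an "expn" alert arriving in the same window; for live use call `watch_file /var/log/messages` instead of running the demo loop.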

 

 

michael

Frequent user

Joined: 14 Jul 2002

Posts: 92

Post Posted: Sun Jul 14, 2002 9:04 pm Post subject: Is it for...?

_________________________________________________________________

 

 

Is it for all Linux or is it only for OpenLinux...?

 

Any Idea

 

 

MArk

Frequent user

Joined: 11 Jul 2002

Posts: 80

Location: Dublin, Ireland

Post Posted: Sun Jul 14, 2002 9:41 pm Post subject:

_________________________________________________________________

 

 

OpenLinux??? As in Caldera?

 

 

b

Frequent user

Joined: 22 Apr 2002

Posts: 82

Location: Québec

Post Posted: Fri Aug 16, 2002 5:51 am Post subject:

_________________________________________________________________

 

 

xtail: for me a very recently encountered gem.

 

It can watch every file in, say, /var/log (not its subdirectories) like so:

 

xtail /var/log

 

It's ancient.

It's tiny.

 

It's at

http://www.unicom.com/sw/xtail/

 

2e4717c591a2cbbd4aeb63d00c87a0cb xtail-2.1.tar.gz

filesize 26769

 

Very short manpage and readme included.

 

Small is beautiful.

 

 

bvc81

Eric

Joined: 04 Jun 2002

Posts: 1014

Location: Houston, Texas

Post Posted: Fri Aug 16, 2002 6:13 am Post subject:

_________________________________________________________________

 

 

For anyone interested in tail -f /var/log/messages (or another log file) and not interested in having to open a terminal and enter the command (or if you don't know how to), put something like this in your ~/.xinitrc to run at the startup of your WM.

 

(sleep 1; Eterm --trans --shade 20 -g 85x15+00+00 -e tail -f /var/log/messages) &

 

Use any terminal you want, and if it supports it, any size.

 

 

 

Editor's note: This thread was originally posted at the old MUB (Mandrake User Board at club-nihil). This post is the result of a 99% automatic backup, so due to its nature some text may be lost (improbable but possible).
