[772] in Intrusion Detection Systems


syslog and qmail

daemon@ATHENA.MIT.EDU (Tracy R. Reed)
Mon Nov 25 18:15:19 1996

Date: Sat, 23 Nov 1996 23:45:26 -0800 (PST)
From: "Tracy R. Reed" <treed@straylight.ultraviolet.org>
To: ids@uow.edu.au
In-Reply-To: <Pine.SOL.3.91.961120173523.26627D-100000@psisa.com>

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-ids
Precedence: bulk
Reply-To: ids


I have recently discovered a program called logcheck.

http://www.psionic.com/logcheck.html

It has proven *quite* useful in intrusion detection. I run tcpwrappers,
etc and log *.* so I collect quite a bit of info, but I could never have
the time to go over it by hand every day. logcheck is a logfile analyzer.
It is very configurable. I tell it what I am not interested in seeing and
what I am especially interested in seeing. It comes with sane defaults. It
analyzes the logs once an hour via crontab and mails the interesting bits
of the log to me. So far, I have found *lots* of DNS misconfigurations
where named was complaining, numerous failed shell and pop login attempts
(mostly people who forgot their passwords or had Eudora using the wrong
password), some lamers who tried to use the "wiz" and "debug" sendmail
commands, and a few other things I can't recall at the moment.

I also encourage everyone to check out qmail.

www.qmail.org

It is a sendmail replacement. It's *much* easier to use, has a *much*
better security model (only one small program runs as root as opposed to
the whole thing), and is much smaller and faster. I run a 1,400 person
mailing list on a 486/66 over a 28.8 modem. sendmail took a couple hours
to run through the whole list. qmail does it in two *minutes*. It is also
just as functional as sendmail. I have not found it lacking in any
features. It even handles virtual hosts.

----------
Tracy Reed
http://www.ultraviolet.org
http://www.linux.org - Escape the Gates of Hell
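The post describes logcheck's working model without showing it: keep a list of patterns you never want to see, a list of patterns you always want to see, run from cron, and mail only the interesting remainder. The script below is an added example written for this archive page, not logcheck's own code and not Tracy Reed's. The syslog lines, the host name "straylight", and the pattern lists are all constructed for illustration. It also keeps a file offset between runs, so an hourly cron job reports each line once, and it checks the "attack" list before the "ignore" list so that an over-broad ignore rule cannot silence a break-in attempt.

```python
#!/usr/bin/env python3
"""Minimal logcheck-style syslog filter (added example, not logcheck's code).

Three-way split per line: "attack" (always report), "ignore" (routine
noise), "unusual" (everything else, reported for a human to look at).
"""
import re

# Constructed sample syslog lines, not real logs.
SAMPLE_LOG = """\
Nov 23 22:01:02 straylight named[114]: Lame server on 'example.org' (in 'example.org'?): 192.0.2.53
Nov 23 22:05:17 straylight popper[2210]: Failed password for treed from 10.0.0.5
Nov 23 22:06:40 straylight sendmail[2231]: "wiz" command from mail.example.net (192.0.2.9)
Nov 23 22:07:12 straylight sendmail[2231]: "debug" command from mail.example.net (192.0.2.9)
Nov 23 22:10:00 straylight cron[88]: (root) CMD (run-parts /etc/cron.hourly)
Nov 23 22:15:33 straylight in.telnetd[2290]: refused connect from 198.51.100.7
Nov 23 22:20:01 straylight login[2301]: FAILED LOGIN 1 FROM ttyp2 FOR bob, Authentication failure
"""

# Patterns the admin always wants to see (assumed for this example).
ATTACK_PATTERNS = [
    r'"(wiz|debug|kill)" command',      # old sendmail probes
    r'refused connect from',            # tcpwrappers denial
    r'Failed password|FAILED LOGIN',    # shell / pop authentication failures
]

# Patterns the admin never wants to see (assumed for this example).
IGNORE_PATTERNS = [
    r'cron\[\d+\]: \(root\) CMD',       # hourly cron chatter
]


def classify(line, attack_res, ignore_res):
    """Return 'attack', 'ignore' or 'unusual' for one log line.

    Attack patterns are tested first on purpose: an ignore rule that is
    too broad must not be able to hide an attack line.
    """
    if any(r.search(line) for r in attack_res):
        return "attack"
    if any(r.search(line) for r in ignore_res):
        return "ignore"
    return "unusual"


def scan(text, offset=0, attack=ATTACK_PATTERNS, ignore=IGNORE_PATTERNS):
    """Scan `text` from character `offset`; return (report, new_offset).

    The caller stores new_offset between cron runs so each run reports
    only lines added since the last one. If the file is now shorter than
    the saved offset it has been rotated, so scanning restarts at 0.
    """
    if offset > len(text):
        offset = 0
    attack_res = [re.compile(p, re.IGNORECASE) for p in attack]
    ignore_res = [re.compile(p, re.IGNORECASE) for p in ignore]
    report = {"attack": [], "unusual": []}
    for line in text[offset:].splitlines():
        if not line.strip():
            continue
        kind = classify(line, attack_res, ignore_res)
        if kind != "ignore":
            report[kind].append(line)
    return report, len(text)


def format_report(report):
    """Render the report as the body of the mail a cron job would send."""
    out = []
    if report["attack"]:
        out.append("Active system attack alerts:")
        out.extend("  " + l for l in report["attack"])
    if report["unusual"]:
        out.append("Unusual system events:")
        out.extend("  " + l for l in report["unusual"])
    return "\n".join(out) if out else "Nothing to report."


if __name__ == "__main__":
    first, offset = scan(SAMPLE_LOG)
    print(format_report(first))
    # A second run over the same file, starting at the saved offset,
    # finds nothing new.
    print(format_report(scan(SAMPLE_LOG, offset)[0]))
```

In a real deployment the saved offset would live in a small state file and the script would run from a crontab entry such as `0 * * * * /usr/local/sbin/logfilter.py`, mailing `format_report()` only when it has something to say; both of those details are assumptions here, not logcheck's documented behaviour.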
