Gentoo Forums
Recommendations on fluffy pretty stuff...
Forum: Networking & Security
qubex
Tux's lil' helper
Joined: 06 Mar 2003
Posts: 133
Location: Portland

PostPosted: Wed Jun 11, 2003 4:38 am    Post subject: Recommendations on fluffy pretty stuff...

Hello! Thanks for reading this far.

For the last year I have been using Firestarter as my "gui of choice" for hacking out a firewall.sh script. This has been working superbly - no problems, no hackers, no open holes. I know it's not perfect, but the ability to see what is going on at any given moment is invaluable to me.

I am looking to upgrade/change software. I want something with a more "proactive approach" - something like WatchGuard's Windows client - something that will interact with both IPTABLES and netstat and maybe even a packet sniffer and give me a realtime view of who is connected to what on my network, and who is hitting what port and whether it is open/closed/etc.

Is this possible? Does software exist like this yet?

Thanks!
matt
uzik
Apprentice
Joined: 17 Apr 2003
Posts: 257

PostPosted: Wed Jun 11, 2003 4:03 pm    Post subject:

You might look up these words in your search engine:

tarpit
honeypot
ethereal sniffer

There used to be a module for freesco that monitored for port scans
and banned the scanner for a time. You could whip this up in shell
script if you were inclined to.
qubex
Tux's lil' helper
Joined: 06 Mar 2003
Posts: 133
Location: Portland

PostPosted: Wed Jun 11, 2003 4:41 pm    Post subject:

Thanks for the recommendations. Not quite what I was looking for. A combination of ethereal and firestarter I guess is what I am looking for. Ethereal by itself provides too much information, most of it unnecessary (for my needs) - firestarter provides good information on firewall hits, but what happens if a "nice" connection is made to an open port 80? This does not get displayed, rejected, or logged (other than through httpd logging facilities). Perhaps nothing like this exists in Linux? Perhaps I have found my first project? :?

This is for my home. Let's say I'm at work and the boss says "weirdness is happening in dodge kimosabe, check for intruders" - what utility would I use, at a glance, to see who is currently connected to a machine? Who is currently being denied access to a machine? Netstat would do this *I think* - is there a gui for it? (I'm not oldskool, I can use CLI but prefer GUI)

(In other words, something that will show every connection, and/or attempted connection, through a particular machine or interface. It *should* be realtime but I can live with it..)

The honeypot is a great idea, when I have a little more money for an "extra box"!

Thanks!
uzik
Apprentice
Joined: 17 Apr 2003
Posts: 257

PostPosted: Wed Jun 11, 2003 9:50 pm    Post subject:

qubex wrote:
Thanks for the recommendations. Not quite what I was looking for. A combination of ethereal and firestarter I guess is what I am looking for. Ethereal by itself provides too much information, most of it unnecessary (for my needs) - firestarter provides good information on firewall hits, but what happens if a "nice" connection is made to an open port 80? This does not get displayed, rejected, or logged (other than through httpd logging facilities). Perhaps nothing like this exists in Linux? Perhaps I have found my first project? :?

You can put options on iptables to log packets it passes through too
I thought. Sounds like all you need is to log everything and write
a program to parse the logged output.

qubex wrote:
The honeypot is a great idea, when I have a little more money for an "extra box"!
Thanks!

You can put multiple IPs on a single physical ethernet card...
qubex
Tux's lil' helper
Joined: 06 Mar 2003
Posts: 133
Location: Portland

PostPosted: Thu Jun 12, 2003 3:23 pm    Post subject:

uzik wrote:
You can put options on iptables to log packets it passes through too
I thought. Sounds like all you need is to log everything and write
a program to parse the logged output.

Ahhh.. That is almost perfect. I know you can write to the log for every rule triggered - did not think about adding an "accepted" rule and having that write to the log. I'm slowly getting this.. 8) Thanks. Time to dig out the howtos and manuals on iptables..

uzik wrote:
You can put multiple IPs on a single physical ethernet card...

Would it be More Secure(c) to add multiple IPs to one card or to use another machine? I was under the impression that a honeypot is basically bait, and sometimes the quarry gets the bait.. ;-)
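uzik's suggestion of logging everything and parsing the logged output, qubex's idea of a logging rule in front of the ACCEPT rule for port 80, and the freesco-style port-scan watcher uzik mentioned, worked through together as an added example. This is not code from anyone in this thread. It assumes two hypothetical log prefixes (FW-ACCEPT: and FW-DROP:) set with the iptables LOG target, and runs over constructed syslog lines in the format the kernel LOG target writes; point it at a real /var/log/messages and the same functions apply.

```python
#!/usr/bin/env python3
# Added example: parse iptables LOG output into a "who is hitting what" view.
#
# Assumed (hypothetical) rules that produce the lines parsed below; the
# LOG rule sits in front of the rule that decides the packet's fate:
#   iptables -A INPUT -p tcp --dport 80 -j LOG --log-prefix "FW-ACCEPT: "
#   iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#   iptables -A INPUT -j LOG --log-prefix "FW-DROP: "
#   iptables -A INPUT -j DROP
# The --log-prefix text lands right after "kernel:" in syslog, and is how
# the parser tells an accepted hit from a dropped one. Keep "=" and "IN="
# out of your prefixes, since the parser uses "IN=" to find the packet fields.
import re
import sys
from collections import Counter, defaultdict

# Constructed sample log lines (not captured from a real host). 203.0.113.7
# walks five ports and is dropped each time; two hosts reach port 80.
SAMPLE_LOG = """\
Jun 11 16:03:01 gw kernel: FW-ACCEPT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 11 16:03:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=55000 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 11 16:03:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=55001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 11 16:03:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=55002 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 11 16:03:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=TCP SPT=55003 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 11 16:03:04 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=5 PROTO=TCP SPT=55004 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 11 16:03:05 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=9 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun 11 16:03:06 gw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=77 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 11 16:03:07 gw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=78 DF PROTO=TCP SPT=43211 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 11 16:03:08 gw kernel: eth0: link up
"""

# syslog line shape: "<Mon dd hh:mm:ss> <host> kernel: <prefix> IN=... OUT=... SRC=..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<rest>.*)$"
)


def parse_log_line(line):
    """Return a dict of packet fields for one iptables LOG line, or None for anything else."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    idx = rest.find("IN=")
    if idx < 0:
        return None  # a kernel message, but not from the LOG target
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": rest[:idx].strip().rstrip(":"), "flags": []}
    for tok in rest[idx:].split():
        if "=" in tok:                     # KEY=VALUE field (OUT= may be empty)
            key, val = tok.split("=", 1)
            rec[key.lower()] = val
        else:                              # bare tokens are flags: DF, SYN, ACK, ...
            rec["flags"].append(tok)
    for key in ("spt", "dpt", "len", "ttl"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def parse_log(text):
    """Parse a whole log file, silently skipping lines that are not firewall hits."""
    return [r for r in (parse_log_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Count hits per (prefix, proto, dest port) and per (prefix, source address)."""
    by_port, by_src = Counter(), Counter()
    for r in records:
        by_port[(r["prefix"], r.get("proto"), r.get("dpt"))] += 1
        by_src[(r["prefix"], r.get("src"))] += 1
    return {"by_port": by_port, "by_src": by_src}


def flag_port_scanners(records, min_ports=5, drop_prefix="FW-DROP"):
    """Sources whose dropped packets touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["prefix"] == drop_prefix and "dpt" in r:
            ports[r["src"]].add(r["dpt"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    # Usage: fw-view.py [/var/log/messages]; with no argument the constructed sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    recs = parse_log(text)
    s = summarize(recs)
    for (prefix, proto, dpt), n in sorted(s["by_port"].items(), key=lambda kv: -kv[1]):
        print(f"{prefix:10} {proto or '?':4} port {dpt!s:>5}  {n} hit(s)")
    for src, ports in flag_port_scanners(recs).items():
        print(f"possible port scan from {src}: ports {ports}")
```

The port-scan heuristic is deliberately crude (distinct dropped ports per source, no time window), which is about what the shell-script version uzik describes would do; a real setup would also age entries out so a source that was noisy yesterday is not flagged forever.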
herbie
Guru
Joined: 09 Oct 2002
Posts: 319
Location: London UK

PostPosted: Thu Jun 12, 2003 4:40 pm    Post subject:

You may also want to have a look at iptraf, it's a curses based realtime IP traffic monitor. I don't think that it'll show you what packets are getting rejected but it will definitely list all the current connections and tell you to which ports and from where.

Herbie
qubex
Tux's lil' helper
Joined: 06 Mar 2003
Posts: 133
Location: Portland

PostPosted: Thu Jun 12, 2003 4:56 pm    Post subject:

Excellent! This was the other half of the puzzle I was looking for. Thanks for the suggestion! :D This will save a ton of time! Keep these suggestions coming! Any more programs like this??
uzik
Apprentice
Joined: 17 Apr 2003
Posts: 257

PostPosted: Fri Jun 13, 2003 10:11 pm    Post subject:

qubex wrote:
Would it be More Secure(c) to add multiple IPs to one card or to use another machine? I was under the impression that a honeypot is basically bait, and sometimes the quarry gets the bait.. ;-)

It would be more secure to put it on another physical machine.
There's always the possibility they could figure out how to break past
the honeypot. I don't think it's really that important though. Once they
figure out you did it they can figure out where your other machines
are and go after them. A tarpit is probably better, it will slow down
the automated cracking tools and is less likely to expose you to legal
or retaliatory action.
DrkPlague
Tux's lil' helper
Joined: 04 Jun 2003
Posts: 107

PostPosted: Sat Jun 14, 2003 8:14 am    Post subject:

Snort is always a popular option. With the proper rule sets it can do almost anything.
_________________
DKP

There are 10 kinds of people in the world:
Those who understand binary and those who don't...
All times are GMT