Brian High wrote:
> Does e-smith have any intrusion detection system in place?
>
> I found a good article on this here:
>
> http://www.securityfocus.com/focus/linux/articles/linux-ids.html

Thanks for the article. I installed portsentry on my e-smith 4.0b7 from an available RPM and it works fine. After 24h I found the first attack alert in the logs:
Jun 7 13:15:45 re-pc29 portsentry[748]: attackalert: Connect from host: 194.25.220.***/194.25.220.*** to TCP port: 111
Jun 7 13:15:45 re-pc29 portsentry[748]: attackalert: External command run for host: 194.25.220.*** using command: "/bin/mail -s portsentry+194.25.220.***+111 ***@*** < mail.txt"
Jun 7 13:15:45 re-pc29 portsentry[748]: attackalert: Host 194.25.220.230 has been blocked via wrappers with string: "ALL: 194.25.220.***"
Jun 7 13:15:45 re-pc29 portsentry[748]: attackalert: Host 194.25.220.230 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 194.25.220.*** -j DENY -l"
Michael
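
Added example, not part of the original posts and not portsentry's own code: a small Python check that reads attackalert lines in the format shown above, groups them by source host, and reports any host that was logged connecting but lacks one of the two block actions (TCP wrappers, dropped route). The sample lines, host name and addresses are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format shown in the post; the addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE_LOG = """\
Jun 7 13:15:45 host1 portsentry[748]: attackalert: Connect from host: 192.0.2.10/192.0.2.10 to TCP port: 111
Jun 7 13:15:45 host1 portsentry[748]: attackalert: Host 192.0.2.10 has been blocked via wrappers with string: "ALL: 192.0.2.10"
Jun 7 13:15:45 host1 portsentry[748]: attackalert: Host 192.0.2.10 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 192.0.2.10 -j DENY -l"
Jun 7 14:02:11 host1 portsentry[748]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 23
Jun 7 14:02:11 host1 portsentry[748]: attackalert: Host 198.51.100.7 has been blocked via wrappers with string: "ALL: 198.51.100.7"
"""

# syslog prefix, then the portsentry "attackalert:" message body
PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+portsentry\[\d+\]:\s+"
    r"attackalert:\s+(?P<msg>.*)$"
)
CONNECT = re.compile(
    r"^Connect from host: \S+/(?P<ip>\S+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)$"
)
BLOCKED = re.compile(
    r"^Host (?P<ip>\S+) has been blocked via (?P<how>wrappers|dropped route)\b"
)


def summarize(log_text):
    """Return {ip: {"probes": [(ts, proto, port)], "blocks": {methods}}}."""
    hosts = defaultdict(lambda: {"probes": [], "blocks": set()})
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not a portsentry attackalert line
        msg = m["msg"]
        if (c := CONNECT.match(msg)):
            hosts[c["ip"]]["probes"].append((m["ts"], c["proto"], int(c["port"])))
        elif (b := BLOCKED.match(msg)):
            hosts[b["ip"]]["blocks"].add(b["how"])
    return dict(hosts)


def missing_blocks(summary, expected=("wrappers", "dropped route")):
    """Hosts that probed a port but lack one of the expected block actions."""
    return {ip: sorted(set(expected) - info["blocks"])
            for ip, info in summary.items()
            if info["probes"] and set(expected) - info["blocks"]}


if __name__ == "__main__":
    print(missing_blocks(summarize(SAMPLE_LOG)))
```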