Logging


Falcon
06-10-2001, 01:19 AM
I finally have my system running the way I want it to. The only problem is I need to see who is connecting to my system. I would like to log SSH and Apache. Is there a good program to help analyse your logs, tell you who is connecting, and look for hack attempts? Only 5-10 people should use SSH and I am not sure how much traffic the server will get.

Thanks,
Falcon

Craig McPherson
06-10-2001, 01:28 AM
SSH logs everything through syslog. Your syslog.conf determines where its log messages go.

Use logcheck. It runs off of cron at regular intervals (I like every 15 minutes) and e-mails any anomalous log entries to you.

Apache's logging is defined in your httpd.conf file.

Falcon
06-10-2001, 02:44 PM
I think that someone tried to see if my server had an exploit or something. In my apache logs I found:

Error Log:
[Sat Jun 9 23:53:40 2001] [error] [client 144.230.240.2] Invalid URI in request GET x HTTP/1.0

Access Log:
144.230.240.2 - - [09/Jun/2001:23:53:40 +0800] "GET x HTTP/1.0" 400 256 "-" "-"

I am pretty sure that this isn't a normal user as they did not send their web browser info. I scanned them with nessus (hehehe) and found a LOT of ports open. I found it is running:

echo 7
discard 9
daytime 13
chargen 19
ftp 21
telnet 23
time 37
finger 79
sunrpc 111
exec 512
login 513
shell 514
printer 515
uucp 540
? 600
? 1103
? 4045
X11 6000
? 6112
xfs 7100
? 32771-32777

NMAP says it is running Solaris 2.6-2.7 but the FTP banner says SunOS 5.6. Have I been scanned by a script kiddie?

Thanks,
Falcon
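As an added example (not code from any poster in this thread), a small Python parser for Apache combined-format access log entries like the one quoted above, flagging lines whose request target is not a path, whose status is a client error, or that carry no User-Agent. The sample log is constructed: it reuses the quoted line alongside made-up entries, and the per-host tally is an assumption about what a reviewer would want next.

```python
import re
from collections import Counter

# Apache "combined" log format, as in the access-log line quoted in the thread:
# host ident authuser [date] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: the first line is the one quoted in the thread,
# the rest are made-up normal and suspicious entries for illustration.
SAMPLE_LOG = """\
144.230.240.2 - - [09/Jun/2001:23:53:40 +0800] "GET x HTTP/1.0" 400 256 "-" "-"
10.0.0.5 - - [09/Jun/2001:23:55:01 +0800] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.7 [en] (X11; U; Linux 2.2.16 i686)"
10.0.0.5 - - [09/Jun/2001:23:55:02 +0800] "GET /images/logo.gif HTTP/1.0" 200 4521 "http://example.test/index.html" "Mozilla/4.7 [en] (X11; U; Linux 2.2.16 i686)"
144.230.240.2 - - [09/Jun/2001:23:53:41 +0800] "GET /robots.txt HTTP/1.0" 404 212 "-" "-"
"""

def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def flag_entry(entry):
    """Return the reasons an entry looks like a probe rather than a browser visit."""
    reasons = []
    parts = entry["request"].split()
    # A well-formed request line is "METHOD /path HTTP/x.y"; "GET x HTTP/1.0" is not.
    if len(parts) != 3 or not parts[1].startswith("/"):
        reasons.append("malformed request target")
    if entry["status"].startswith("4"):
        reasons.append("client error " + entry["status"])
    if entry["agent"] == "-":
        reasons.append("no User-Agent")
    return reasons

def review_log(text):
    """Parse every line; return (flagged entries, per-host count of flagged requests)."""
    flagged, per_host = [], Counter()
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not combined-format entries
        reasons = flag_entry(entry)
        if reasons:
            flagged.append((entry["host"], entry["request"], reasons))
            per_host[entry["host"]] += 1
    return flagged, per_host
```

Running `review_log(SAMPLE_LOG)` returns the two agent-less entries from 144.230.240.2 with their reasons, and a per-host count showing that both came from the same address.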

Craig McPherson
06-10-2001, 03:20 PM
Now, be nice. That's not polite. :)

They might not actually be running services on all those ports. They could be running Portsentry or something like it that holds ports open as tripwires.

I've never heard of any Apache exploit that consisted simply of making a request for a file called "x". If it is, I haven't seen it before.

It's really not a good idea to do retaliatory portscans. If your computer is secure, there's no need to respond to attacks, unless they're persistent, in which case you should contact the attacker's ISP. Portscans can get you banned from your ISP even if they weren't meant maliciously, and even if nobody reports it -- the ISP can log it automatically as it passes through their routers and zap you. Also, the request could have come from a spoofed IP, in which case you'd be portscanning an innocent person. Also, you could offend the script kiddie and cause him and his 212 leet friends to ping you for a week or so -- probes and attempted exploits are nothing to worry about if your box is secure, but there's no real way to stop most DoS attacks, so try not to provoke them.

Heh, sometimes if I'm at the console when somebody portscans me, I'll portscan them back for a couple seconds just to let them know there's somebody alive who's watching them, but it's not really a good idea.

(Oh yeah, maybe you can answer a Nessus question for me. How do you actually use it? I see that there's a Nessus client and a Nessus daemon. Do you install the daemon on the server you want to scan, and then use the client to connect to it, or do you install the daemon on your own system then connect to it and scan other systems?)

Falcon
06-10-2001, 10:17 PM
Ok, I will be nice. I thought it might be an error exploit that involved bad server requests or something.

About your Nessus question. A Nessus server is running on the computer that does the scanning. You connect to the server with the client, give the server the info, and it will scan a target. The connection port can be firewalled off and users can be set for local access only if you want. I installed the RPMs for RedHat as the source did not want to cooperate (not that I am any good at compiling things anyways). It works great, REALLY detailed reports.

Thanks for your help,
Falcon

Craig McPherson
06-10-2001, 10:45 PM
Okay, I'm going to give Nessus a try now. I tried SATAN and wasn't very impressed with it. The interface was garbage, and it didn't actually DO much: from my computer at home I aimed it at my server at work, and all it managed to tell me was the system's fully-qualified domain name and the fact that it was running "unknown operating system" (aka Linux). SATAN has been described by paranoid journalists as "like giving high-powered fully-loaded rocket launchers to schoolchildren" so I was kinda expecting a LITTLE bit more out of it than that.

We'll see how Nessus does...

Falcon
06-11-2001, 10:54 AM
Nessus uses NMAP to power its scanning and OS detection (optional). You should use it as it is the best. Also, unless you turn on Fast Scan and turn off TraceRoute (unless you want it; it is in Plugins, Misc), it will take FOREVER.

Falcon

Craig McPherson
06-11-2001, 10:51 PM
Okay, Nessus is a LOT better than Satan. It didn't find any vulnerabilities (except that Linux doesn't use truly random TCP sequences -- which we can't do anything about), but it did collect banners from several services and managed to guess what OS I'm running. Sorta. "Linux, Solaris, or MacOS." Close enough...

Last time, I didn't do the dangerous scans. Tonight, I'm going to do the dangerous scans also, and see if it finds anything new.