From andreas@klemm.gtn.com  Wed Jun 24 10:23:57 1998
Received: from news1.gtn.com (news1.gtn.com [194.77.0.15])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA15122
          for <FreeBSD-gnats-submit@freebsd.org>; Wed, 24 Jun 1998 10:23:50 -0700 (PDT)
          (envelope-from andreas@klemm.gtn.com)
Received: (from uucp@localhost)
	by news1.gtn.com (8.8.6/8.8.6) with UUCP id TAA01424
	for FreeBSD-gnats-submit@freebsd.org; Wed, 24 Jun 1998 19:15:30 +0200 (MET DST)
Received: (from andreas@localhost)
	by klemm.gtn.com (8.8.8/8.8.8) id TAA05810;
	Wed, 24 Jun 1998 19:05:44 +0200 (CEST)
	(envelope-from andreas)
Message-Id: <199806241705.TAA05810@klemm.gtn.com>
Date: Wed, 24 Jun 1998 19:05:44 +0200 (CEST)
From: Andreas Klemm <andreas@klemm.gtn.com>
Reply-To: andreas@klemm.gtn.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: enhancements to daily security script needed to detect intruders
X-Send-Pr-Version: 3.2

>Number:         7050
>Category:       misc
>Synopsis:       [SECURITY] enhance daily security script
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    andreas
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 24 10:30:01 PDT 1998
>Closed-Date:    Sat Jun 27 04:21:42 PDT 1998
>Last-Modified:  Sat Jun 27 04:22:51 PDT 1998
>Originator:     Andreas Klemm
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
Andreas Klemm
>Environment:

	FreeBSD -current and -stable

>Description:

	Our current daily security script doesn't notify about
	- repeated unsuccessful login attempts and
	- warning output of tcp_wrappers

>How-To-Repeat:

Things we should report are:

"refused connect from" by tcp_wrapper
and
"LOGIN FAILURES FROM" by login

See here:
Jun 22 05:17:43 titan telnetd[10520]: refused connect from 195.90.203.76
Jun 22 05:18:05 titan telnetd[10523]: refused connect from 195.90.203.76
Jun 22 05:20:22 titan telnetd[10951]: refused connect from 195.90.203.76
Jun 22 05:20:37 titan telnetd[10953]: refused connect from 195.90.203.76
Jun 22 05:21:04 titan telnetd[10955]: refused connect from 195.90.203.76
Jun 22 05:22:30 titan login: 2 LOGIN FAILURES FROM freefall.FreeBSD.ORG
Jun 22 05:22:30 titan login: 2 LOGIN FAILURES FROM freefall.FreeBSD.ORG, andreas
Jun 22 05:23:39 titan login: 2 LOGIN FAILURES FROM freefall.FreeBSD.ORG
Jun 22 05:23:39 titan login: 2 LOGIN FAILURES FROM freefall.FreeBSD.ORG, root
Jun 22 05:24:03 titan login: 1 LOGIN FAILURE FROM freefall.FreeBSD.ORG
Jun 22 05:24:03 titan login: 1 LOGIN FAILURE FROM freefall.FreeBSD.ORG, ddd

>Fix:

	diff <old_messages_file> <new_messages_file> | grep -i "login failure"
	diff <old_messages_file> <new_messages_file> | grep -i "refused connect"

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->suspended 
State-Changed-By: phk 
State-Changed-When: Thu Jun 25 00:26:50 PDT 1998 
State-Changed-Why:  
sounds like a good idea. 
awaiting patch & committer 
Responsible-Changed-From-To: freebsd-bugs->andreas 
Responsible-Changed-By: andreas 
Responsible-Changed-When: Sat Jun 27 04:20:53 PDT 1998 
Responsible-Changed-Why:  
will do necessary changes 
State-Changed-From-To: suspended->closed 
State-Changed-By: andreas 
State-Changed-When: Sat Jun 27 04:21:42 PDT 1998 
State-Changed-Why:  
did necessary changes in -current and -stable 
>Unformatted:
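The check proposed under Fix:, worked through as an added example; this is not code from the PR, from the submitter, or from FreeBSD's daily security script. It assumes that yesterday's copy of the messages file is kept next to today's (the two file arguments), takes only the lines diff marks as added so that nothing rotated out of the old file is reported, and looks for the two patterns the PR names. The log files, hostnames and addresses below are constructed for demonstration.

```shell
#!/bin/sh
# Added example, not code from the PR or from FreeBSD's daily security script.
# Assumption: yesterday's copy of the messages file is $1 and the current
# file is $2, mirroring the diff-based approach given in the PR's Fix: section.

# Lines that are new in $2 relative to $1: only the "> " side of diff output,
# so lines that disappeared (rotation, truncation) are never reported.
new_log_lines() {
    diff "$1" "$2" | sed -n 's/^> //p'
}

# Count new "LOGIN FAILURE(S) FROM" lines (case-insensitive, as in the PR's grep -i).
# grep -c exits 1 when the count is 0; "|| true" keeps set -e from aborting.
count_login_failures() {
    new_log_lines "$1" "$2" | grep -ic 'login failure' || true
}

# Count new tcp_wrappers "refused connect from" lines.
count_refused_connects() {
    new_log_lines "$1" "$2" | grep -ic 'refused connect' || true
}

# Emit a report section only when something matched, in the style of the
# daily security output: a heading, the offending lines, and for refused
# connections a per-host tally so repeated probes from one address stand out.
report_new_events() {
    failures=$(new_log_lines "$1" "$2" | grep -i 'login failure' || true)
    refused=$(new_log_lines "$1" "$2" | grep -i 'refused connect' || true)
    if [ -n "$failures" ]; then
        echo ""
        echo "Login failures since the last run:"
        echo "$failures"
    fi
    if [ -n "$refused" ]; then
        echo ""
        echo "Connections refused by tcp_wrappers since the last run:"
        echo "$refused"
        echo "Refusals per source host:"
        echo "$refused" | sed 's/.*refused connect from //' | sort | uniq -c | sort -rn
    fi
}

# Constructed sample log files (not real log data) so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
OLD_MESSAGES="$SAMPLE_DIR/messages.yesterday"
NEW_MESSAGES="$SAMPLE_DIR/messages.today"
cat > "$OLD_MESSAGES" <<'EOF'
Jun 21 23:59:01 titan cron[280]: (root) CMD (/usr/libexec/atrun)
Jun 22 05:17:43 titan telnetd[10520]: refused connect from 192.0.2.10
EOF
cat > "$NEW_MESSAGES" <<'EOF'
Jun 21 23:59:01 titan cron[280]: (root) CMD (/usr/libexec/atrun)
Jun 22 05:17:43 titan telnetd[10520]: refused connect from 192.0.2.10
Jun 22 05:18:05 titan telnetd[10523]: refused connect from 192.0.2.10
Jun 22 05:20:22 titan telnetd[10951]: refused connect from 198.51.100.7
Jun 22 05:22:30 titan login: 2 LOGIN FAILURES FROM host.example.org, andreas
Jun 22 05:24:03 titan login: 1 LOGIN FAILURE FROM host.example.org, ddd
Jun 22 06:00:00 titan cron[300]: (root) CMD (/usr/libexec/atrun)
EOF

# Against the constructed files this reports two login-failure lines and two
# refusals, both from 192.0.2.10 and 198.51.100.7 respectively.
report_new_events "$OLD_MESSAGES" "$NEW_MESSAGES"
```

In a real daily run the two arguments would be the previous day's saved copy and the live messages file. One caveat worth keeping in mind: if the log was truncated rather than rotated, everything in the new file counts as added and yesterday's events are reported a second time, which is noisy but never hides a new event.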
