Preston Crawford
2005-Jul-26 14:54 UTC
[CentOS] Software to monitor security logs and email ISPs?
I know they have software that does this. I'm just not sure which one it is. Basically here's the scoop. I'm on a cable modem connection with Comcast. I have a firewall router and I run a firewall on CentOS as well. All the same, other computers (probably zombies or hackers) are attempting brute force attacks on a couple of ports on my computer. I've just sat and watched them for some time. Not thinking that much of it. But I'd like to actually do something about it and inform the ISPs of said computers that that computer is compromised or being used by a hacker. I know there is software out there that will monitor your logs, reverse trace the IP address, and contact the ISP saying that at X time on X day X IP address tried to brute force hack my machine. I guess it's one of those things where I'm sick of seeing it come up in my security log, so I'd like to start sending email to the ISPs to tell them to do their job and enforce their rules for all the Windoze users out there. But I don't want to take the time to do it manually. Any suggestions?

Preston
Jeff Coleman
2005-Jul-26 14:57 UTC
[CentOS] Software to monitor security logs and email ISPs?
> I know there is software out there
> that will monitor your logs, reverse trace the IP address,
> and contact the ISP saying that at X time on X day X IP
> address tried to brute force hack my machine. I guess it's
> one of those things where I'm sick of seeing it come up in my
> security log, so I'd like to start sending email to the ISPs
> to tell them to do their job and enforce their rules for all
> the Windoze users out there.
> But I don't want to take the time to do it manually. Any suggestions?
>

Take a look at http://www.dshield.org/

-jeff
Bryan J. Smith
2005-Jul-26 15:28 UTC
[CentOS] Re: Software to monitor security logs and email ISPs?
Preston Crawford <me at prestoncrawford.com> wrote:
> I have a firewall router

<OT-Comment>
Is it a "Router" or a 'Ritter?
http://thebs413.blogspot.com/2005/07/ritters-because-most-natpat-devices.html
</OT-Comment>

> and I run a firewall on CentOS as well.

Does either have an intrusion detection system (IDS) or some other form of real-time packet and/or non-real-time log analysis?

> I guess it's one of those things where I'm sick of seeing it
> come up in my security log, so I'd like to start sending
> email to the ISPs to tell them to do their job and enforce
> their rules for all the Windoze users out there.

Well, most ISPs already have thin margins to work on. But yes, the larger providers should be contacted, especially when a major block of theirs is infected.

> But I don't want to take the time to do it manually. Any
> suggestions?

I already saw someone mention DShield.ORG, which seems to be the most popular right now.

On more corporate networks with unused IPs, I like to use various port fakers that accept a SYN, but don't accept their ACK. That keeps the zombies tied up and busy, exponentially reducing the number of hosts they can attack.

-- 
Bryan J. Smith mailto:b.j.smith at ieee.org
Sent from Yahoo Mail (please excuse any missing headers)
Karanbir Singh
2005-Jul-26 15:38 UTC
[CentOS] Software to monitor security logs and email ISPs?
Preston Crawford wrote:
> I know they have software that does this. I'm just not sure which one it
> is. Basically here's the scoop. I'm on a cable modem connection with
> Comcast. I have a firewall router and I run a firewall on CentOS as
> well. All the same, other computers (probably zombies or hackers) are
> attempting brute force attacks on a couple of ports on my computer. I've
> just sat and watched them for some time. Not thinking that much of it.
> But I'd like to actually do something about it and inform the ISPs of
> said computers that that computer is compromised or being used by a
> hacker. I know there is software out there that will monitor your logs,
> reverse trace the IP address, and contact the ISP saying that at X time
> on X day X IP address tried to brute force hack my machine. I guess it's
> one of those things where I'm sick of seeing it come up in my security
> log, so I'd like to start sending email to the ISPs to tell them to do
> their job and enforce their rules for all the Windoze users out there.
> But I don't want to take the time to do it manually. Any suggestions?
>

Could you bend something like denyhosts.sf.net to do the job? There is an EL4 package at http://centos.karan.org/el4/extras/stable/i386/RPMS/

-- 
Karanbir Singh : http://www.karan.org/
GnuPG Public Key : http://www.karan.org/publickey.asc
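As an added illustration of the log-monitoring step the thread is asking for (example code written for this page, not code from the thread or from denyhosts), here is the core of what a denyhosts-style tool does with /var/log/secure: count failed sshd logins per source address, emit hosts.deny entries once a threshold is crossed, and draft the "at X time on X day, X IP tried to brute force my machine" report. The log lines are constructed, and the abuse contact is a placeholder; the whois/DShield lookup of the real contact is left out.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/secure lines, modelled on sshd's
# "Failed password" messages (not a real capture).
SAMPLE_SECURE_LOG = """\
Jul 26 14:50:01 centos sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2
Jul 26 14:50:03 centos sshd[2213]: Failed password for invalid user test from 198.51.100.7 port 4023 ssh2
Jul 26 14:50:05 centos sshd[2215]: Failed password for root from 198.51.100.7 port 4024 ssh2
Jul 26 14:50:09 centos sshd[2217]: Failed password for invalid user oracle from 198.51.100.7 port 4025 ssh2
Jul 26 14:51:40 centos sshd[2230]: Accepted password for preston from 192.0.2.10 port 51012 ssh2
Jul 26 14:52:12 centos sshd[2241]: Failed password for invalid user guest from 203.0.113.44 port 3301 ssh2
"""

# syslog timestamp, host, sshd pid, then the failure with an optional
# "invalid user" prefix, the attempted user name and the source IPv4 address.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def failed_logins(log_text):
    """Return {ip: [(timestamp, user), ...]} for every failed sshd login."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            hits[m.group("ip")].append((m.group("ts"), m.group("user")))
    return dict(hits)

def offenders(log_text, threshold=3):
    """Addresses with at least `threshold` failures (the denyhosts-style cutoff)."""
    return {ip: tries for ip, tries in failed_logins(log_text).items()
            if len(tries) >= threshold}

def hosts_deny_lines(offender_map):
    """TCP-wrapper entries for /etc/hosts.deny, one per offending address."""
    return [f"sshd: {ip}" for ip in sorted(offender_map)]

def abuse_report(ip, tries, abuse_contact="abuse@<ISP-OF-IP placeholder>"):
    """Draft the report mail; abuse_contact must be looked up separately."""
    body = [f"To: {abuse_contact}",
            f"Subject: SSH brute-force attempts from {ip}", "",
            f"{len(tries)} failed SSH logins from {ip} were logged on my host "
            "(times are host local time):"]
    body += [f"  {ts}  user={user}" for ts, user in tries]
    return "\n".join(body)
```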