Subject: Re: Server activity
From: Guilherme Mesquita (guyLINUXBR.COM.BR)
Date: Fri Sep 22 2000 - 09:24:07 CDT


Turn the broadcast on, ping the broadcast address and find out if the servers
are down or up. The same for clients if you need.

For the portscan, I THINK you can make some snort rules and stop the
problems...
But you can also make a script parsing the logs from ipchains and trying to
guess what is and what's not a portscan, and simply deny the machine access
to the network (or to outside the network :) for some seconds.

On Thu, 21 Sep 2000, Guoda Rugeviciute wrote:
> Date: Thu, 21 Sep 2000 17:36:30 +0300
> To: FOCUS-LINUXSECURITYFOCUS.COM
> From: Guoda Rugeviciute <guodaDOKEDA.LT>
> Reply-To: Focus on Linux Mailing List <FOCUS-LINUXSECURITYFOCUS.COM>
> Subject: Server activity
>
> Hello,
>
> situation:
>
> a rather big network. computers connected like this:
>
> xxx.xxx.xxx.xxx (real IP)
> ____________________|________________
> | | |
> 192.168.1.X 192.168.1.Y 192.168.1.Z
> |
> |---192.168.2.X
> |
> |---192.168.2.Y
> |
> |---192.168.2.Z
>
> etc.
>
> All those computers - linux boxes, each of them has from 2 to 8 win
> computers connected.
>
> How could I monitor the activity of those servers? I mean - how some other
> server xxx.xxx.xxx.xxY could be notified if the server 192.168.2.Z is down?
>
> Another problem - suppose a user at his workstation which is connected to
> 192.168.2.Y is doing something I and others don't like (portscan, for
> example). Is it possible to find out which one is doing this? (well, some
> other method than logging almost everything with ipchains and sending
> to some log-server).
>
> As far as I know the first problem could be easily solved in "real" ip
> situation. But what could be done if all the addresses are local?
>
>
> Guoda

--
.--------------------.
| Guilherme Mesquita |
| guylinuxbr.com.br |
| UIN # 5864338      |
`--------------------'
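
One way to write the log-parsing script suggested in the reply above, as an added example that is not part of the original thread. It assumes ipchains rules created with the -l (log) option and the Linux 2.2 kernel "Packet log:" syslog format; the host name, addresses, window and threshold are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog prefix + ipchains packet log: chain, action, iface, PROTO, src:port, dst:port
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) ")

def find_scanners(lines, window=10, threshold=5, year=2000):
    """Return {source IP: time of first alert} for hosts that touched at least
    `threshold` distinct (destination, port) pairs within `window` seconds."""
    recent = defaultdict(deque)          # src -> deque of (time, (dst, dport))
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["proto"] not in ("6", "17"):   # only TCP/UDP carry ports
            continue
        # syslog timestamps carry no year, so it is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["src"]]
        q.append((ts, (m["dst"], int(m["dport"]))))
        while (ts - q[0][0]).total_seconds() > window:   # expire old entries
            q.popleft()
        # Count distinct targets, so a client retrying one port is not flagged
        if len({target for _, target in q}) >= threshold:
            flagged.setdefault(m["src"], ts)
    return flagged

def _line(sec, src, dport):
    # Constructed sample log line (not taken from a real system)
    return (f"Sep 21 17:30:{sec:02d} gw kernel: Packet log: input DENY eth1 "
            f"PROTO=6 {src}:1040 192.168.1.3:{dport} "
            f"L=60 S=0x00 I=101 F=0x4000 T=63 SYN (#4)")

# 192.168.2.7 walks six ports in six seconds; 192.168.2.9 retries port 80 only
SAMPLE = ([_line(i, "192.168.2.7", p)
           for i, p in enumerate([21, 22, 23, 25, 80, 110], 1)]
          + [_line(i, "192.168.2.9", 80) for i in range(1, 7)])

if __name__ == "__main__":
    for src, when in find_scanners(SAMPLE).items():
        print(f"{when} possible portscan from {src}")
```

Only packets that match a logging rule are seen, so the result depends on which ipchains rules carry -l; the returned addresses can then be fed to whatever temporary deny mechanism the gateway uses.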