[KLUG Members] smoothwall questions

Bert members@kalamazoolinux.org
Mon, 04 Aug 2003 13:14:06 +0200


Andy wrote:

>Ok.. I downloaded and installed the latest beta and
>patches for smoothwall on an extra box. When I look at
>the web interface it has a log for the firewall showing
>what IPs were blocked and what they were trying to
>do. When I go into /var/log and look at the messages
>log I see other IP addresses that look to have connected
>to the smoothwall box.. being fairly new to the whole
>security side of linux (always been playing with the
>workstation aspect because it was behind a
>router/firewall already) is there a command that will
>show me any file access or changes that happened since
>the install?
>
I recommend using tripwire. Basically you create a list of timestamps, 
file sizes, etc. that you keep on protected media (floppy, cdrom, ...). 
If you run tripwire again you can have a list created of changed files. 
Keep your starting list short, restricted to the files that really 
matter (I would include the rpm database too); then tripwire can be very 
useful.

>That and in the instance where I keep
>getting hit by 1 IP that is scanning all the ports..
>even now what would be a good way of dropping them, or
>should I just report that IP to the ISP that shows up
>in Whois?
>
I would do both. The most effective is to drop them in /etc/hosts.deny; 
for that you need a tcp wrapper running, although I have read an article 
lately that you should never run a wrapper on a firewall. I always used 
tcp-wrappers on my firewall.

Don't expect much from reporting to their ISP. Most likely they won't be 
taking any action at all. And if you have a serious hacker at your door, 
they are most certainly using someone else's home PC to be 
port-scanning you.

Take care and watch out.

Bert.
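The tripwire-style baseline Bert describes, as an added example that is not part of the original mail, nor tripwire or Smoothwall code: it records a SHA-256 digest, size and mtime for a short list of files you care about, stores that baseline as JSON (which in real use would live on read-only media, as the mail says), and on a later run reports which watched files were added, removed or modified. The file names in the demo are constructed in a temporary directory and stand in for the real system files you would watch.

```python
"""Minimal tripwire-style file integrity check (added example).

Build a baseline of digests for a fixed list of files, save it, and later
compare the live files against it. Only the content digest and size decide
"modified"; an mtime-only change (a plain `touch`) is not reported.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """SHA-256 digest, size and mtime for one regular file."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mtime": int(st.st_mtime)}


def build_baseline(paths) -> dict:
    """Map each watched path to its record; a missing file is recorded as None."""
    baseline = {}
    for p in paths:
        p = Path(p)
        baseline[str(p)] = file_record(p) if p.is_file() else None
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Write the baseline as JSON. Keep this file on media the host cannot alter."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified relative to the baseline."""
    changes = {"added": [], "removed": [], "modified": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None and new is not None:
            changes["added"].append(path)
        elif old is not None and new is None:
            changes["removed"].append(path)
        elif old is not None and (old["sha256"] != new["sha256"] or old["size"] != new["size"]):
            changes["modified"].append(path)
    return changes


def demo() -> dict:
    """Constructed walk-through: baseline, then simulated tampering, then compare.

    Returns the change report keyed by basename so it is independent of the
    temporary directory path.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Hypothetical watched files; on a real box these would be /etc/passwd etc.
        watched = [root / "passwd", root / "hosts.deny", root / "sshd_config"]
        for p in watched:
            p.write_text(f"original contents of {p.name}\n")
        store = root / "baseline.json"
        save_baseline(build_baseline(watched), store)

        # Simulated changes after the baseline was taken.
        (root / "passwd").write_text("tampered contents\n")     # modified
        (root / "sshd_config").unlink()                          # removed
        (root / "rc.local").write_text("new file\n")             # added
        watched.append(root / "rc.local")

        report = compare(load_baseline(store), build_baseline(watched))
        return {kind: [Path(p).name for p in paths] for kind, paths in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it prints `passwd` under modified, `sshd_config` under removed and `rc.local` under added, while the untouched `hosts.deny` is silent. The same split between "take the baseline", "store it off-host" and "compare later" is what makes the approach trustworthy: a baseline that lives on the monitored machine can be rewritten by whoever changed the files.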