[KLUG Members] smoothwall questions
Bert
members@kalamazoolinux.org
Mon, 04 Aug 2003 13:14:06 +0200
Andy wrote:
>Ok.. I downloaded and installed the latest beta and
>patches for smoothwall on an extra box. When I look at
>the web interface it has a log for the firewall showing
>what IPs were blocked and what they were trying to
>do. When I go into var/log and look at the messages
>log I see other IP addresses that look to have connected
>to the smoothwall box.. being fairly new to the whole
>security side of linux (always been playing with the
>workstation aspect because it was behind a
>router/firewall already) is there a command that will
>show me any file access or changes that happened since
>the install.
>
I recommend using tripwire. Basically you create a list of timestamps,
file sizes, etc. that you keep on protected media (floppy, cdrom,...).
If you run tripwire again you can have a list created of changed files.
Keep your starting list short, restricted to the files that really
matter (I should take the rpm database too), then tripwire can be very
useful.
>That and in the instance where I keep
>getting hit by 1 IP that is scanning all the ports..
>even now what would be a good way of dropping them or
>should I just report that IP to the ISP that shows up
>in Whois?
>
I should do both. The most effective is to drop them in /etc/hosts.deny,
you need a tcpwrapper running, although I have read an article lately
that you should never run a wrapper on a firewall. I always used
tcp-wrappers on my firewall.
Don't expect much from reporting to your ISP. Most likely they won't be
taking any action at all. And if you have a serious hacker at your door,
they are most certainly using someone else's home PC to be
port-scanning you.
>take care and watch out.
>
>Bert.
>
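
The baseline-and-compare idea from the reply above, as an added example that is not part of the original post and is not Tripwire's own code: it records size, mtime and a SHA-256 digest for a short watch list and reports what differs from a stored baseline. The file names and the `snapshot`, `compare` and `demo` functions are assumptions made for the example; the digest is there because size and timestamp alone miss a same-length edit whose mtime has been put back.

```python
import hashlib
import json
import os
import tempfile

def snapshot(paths):
    """Record size, mtime and SHA-256 for each watched file that exists."""
    snap = {}
    for path in paths:
        if not os.path.isfile(path):
            continue  # absent files are reported as "missing" by compare()
        st = os.stat(path)
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        snap[path] = {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest}
    return snap

def compare(baseline, current):
    """Map each changed path to the attributes that differ from the baseline."""
    report = {}
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            report[path] = ["missing"]
            continue
        diff = sorted(k for k in old if old[k] != new[k])
        if diff:
            report[path] = diff
    return report

def demo():
    """Constructed scenario: one file edited with size and mtime kept, one deleted."""
    with tempfile.TemporaryDirectory() as root:
        names = ["passwd", "hosts.deny", "inetd.conf"]  # constructed sample files
        paths = [os.path.join(root, n) for n in names]
        for p in paths:
            with open(p, "w") as fh:
                fh.write("original\n")
        # The serialised baseline stands in for the copy kept on read-only media.
        stored = json.dumps(snapshot(paths))
        st = os.stat(paths[0])
        with open(paths[0], "w") as fh:
            fh.write("tampered\n")  # same length as the original content
        os.utime(paths[0], ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamp put back
        os.remove(paths[1])
        report = compare(json.loads(stored), snapshot(paths))
        return {os.path.basename(p): v for p, v in report.items()}

if __name__ == "__main__":
    print(demo())
```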