Re: Possible Hacking routine

Robert Hiltibidal (rob@rob.fgi.net)
Fri, 11 Jul 1997 23:49:13 -0500 (CDT)

On Fri, 11 Jul 1997, Gregory McLean wrote:

>
> hmm... I'm just a touch confused by all this...
> When someone logs into one of our portmasters, on the loghost one of the
> following appears (depending on the account):
> Jul 11 17:34:41 <portmaster name> user: host <host name of where they came
> from> admin login succeeded
> Jul 11 17:55:07 <portmaster> user: host <host> <userid> login failed
> Jul 11 17:55:13 <portmaster> user: host <host> <userid> login succeeded

That's for a normal login... what about when someone tries !root from a
telnet? I haven't found a reference yet in the radius log for failed !root
attempts and I know I should have generated a ton of them.

>
> Now of course you have to be running ComOS 3.5 or better (pretty sure 3.5
> added this), have the loghost set in the portmasters _and_ set the
> portmasters to do it..
>
> 'set syslog' is the command.

I'll see about upgrading. Unfortunately that's not my decision to make. I
can present a good argument tho... =)

>
> Maybe I'm missing the whole point here but that's logging the info the
> original person asked for. (except for passwords and I'd scream loud and
> hard if it did that)

I'd like to log all the failed !root attempts. I'd also like to log failed
password attempts for two reasons:

1) Better quality control. Spot a user having trouble before they
complain. Excellent PR.

2) Find out if someone is trying to hack at a particular account. I had my
program checking for my account and it got it, eventually. I could
make a program that checks for more than say.. 15 attempts and flag a
notice.

Incidentally, one way to prevent this was to set up a filter for outside
at the router.

<--net filter port 23 on portmaster
-----------||||||-router----portmaster----modems

Since each portmaster is hanging off a router we can block outside
attempts to gain !root.

Now the goal is to protect the portmaster from inside the network

<--net filter filter port 23
--------------|||||-router----portmaster--|||||---modems

but instead of doing a blanket filter we want to allow certain
individuals, not necessarily on the same segments, access to telnet into
the portmaster. So the filter must allow certain usernames from anywhere
from within the network. A most elegant problem.

Unfortunately we don't have a manual. At least one that shows how to set
up filters properly. If the filter is entered incorrectly someone has to
trek across state with laptop in tow to repair the damage. It ain't gonna
be me... =)

>
> and if you're the real paranoid type you can log the commands that are
> executed on the boxes also. Yep gotta love them manuals

It's not that I'm paranoid. Considering how quickly I gained the
portmaster root and my own password I, and my coworkers, need to come up
with ways to better protect ourselves. Especially since we are one of the
largest ISPs in central Illinois... We're a good target for many
wannabes. I'm not the only person who knows how to make these programs.

Rob

Systems Programmer
rob@fgi.net
morgan@springpatch.com
http://www.springpatch.com

"Open the doors of your stores 24 hours a day" - Springpatch Mall
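The notice program Rob sketches above (flag an account once it passes 15 failed logins, and separately spot a legitimate user who struggles before getting in), written out as an added example. This is editor-supplied code, not anything from the thread, from Livingston or from ComOS; it assumes the loghost lines have exactly the shape Gregory quoted (`<date> <portmaster> user: host <host> <userid> login failed|succeeded`), and the portmaster names, hosts, userids and timestamps in the sample are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Line shape quoted in the thread (ComOS 'set syslog' output on the loghost):
#   Jul 11 17:55:07 <portmaster> user: host <host> <userid> login failed
#   Jul 11 17:55:13 <portmaster> user: host <host> <userid> login succeeded
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<pm>\S+) user: host (?P<host>\S+) (?P<user>\S+) "
    r"login (?P<result>succeeded|failed)$"
)

THRESHOLD = 15  # "more than say.. 15 attempts" from the thread


def parse_line(line):
    """Return the fields of a login line as a dict, or None for any other line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines, threshold=THRESHOLD):
    """Scan loghost lines and return (flagged, troubled).

    flagged:  one (user, host, count, timestamp) tuple per (user, host) pair,
              emitted on the first failure past `threshold` (reason 2 above).
    troubled: user -> longest run of failures that ended in a success
              (reason 1 above: a real user fighting their own password).
    """
    failures = Counter()          # (user, host) -> total failed logins seen
    streak = defaultdict(int)     # user -> consecutive failures so far
    flagged = []
    troubled = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # not a login line; ignore it
        key = (rec["user"], rec["host"])
        if rec["result"] == "failed":
            failures[key] += 1
            streak[rec["user"]] += 1
            # Raise the notice exactly once, on the first failure past the limit
            if failures[key] == threshold + 1:
                flagged.append((rec["user"], rec["host"], failures[key], rec["ts"]))
        else:
            run = streak.pop(rec["user"], 0)
            if run > 0:
                troubled[rec["user"]] = max(troubled.get(rec["user"], 0), run)
    return flagged, troubled


def sample_lines():
    """Constructed sample input, shaped like the lines quoted in the thread."""
    lines = ["Jul 11 17:34:41 pm1.example.net user: host ops.example.net admin login succeeded"]
    # jsmith mistypes twice, then gets in: a support call waiting to happen
    lines += [
        "Jul 11 17:55:07 pm1.example.net user: host dialup-3 jsmith login failed",
        "Jul 11 17:55:10 pm1.example.net user: host dialup-3 jsmith login failed",
        "Jul 11 17:55:13 pm1.example.net user: host dialup-3 jsmith login succeeded",
    ]
    # 16 failures against rob from one host inside a minute: past the threshold
    for i in range(16):
        lines.append(
            "Jul 11 18:02:%02d pm2.example.net user: host 10.0.9.44 rob login failed" % i
        )
    lines.append("Jul 11 18:03:00 pm2.example.net PPP session started")  # unrelated line
    return lines


if __name__ == "__main__":
    flagged, troubled = analyze(sample_lines())
    for user, host, count, ts in flagged:
        print("NOTICE %s: %d failed logins for %s from %s" % (ts, count, user, host))
    for user, run in troubled.items():
        print("support: %s failed %d time(s) before logging in" % (user, run))
```

Counting per (userid, host) pair rather than per userid alone keeps one clumsy subscriber from hiding a guessing run coming from somewhere else; feeding the script `tail -f` output from the loghost instead of the constructed list is the only change needed to run it live.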