File: README.how.to.interpret

logcheck 1.1.1-13.1woody2
Interpreting Logcheck Results
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Only experience will tell you what is a problem and what is a mistake.
Generally, though, you can assume that accidents don't repeat themselves
and don't show up in unusual ways during normal use of system
resources. If you have a hacker probing your system, you can take one
of a couple of stances:

1) Gandhi
2) Attila the Hun

The Gandhi administrator just lets bygones be bygones and allows the
person causing the problem to simply go away. This is a pretty good
policy to follow, and it avoids provoking the hacker into doing
something nasty like a denial of service attack.

The Attila the Hun administrator takes every action seriously and
defensively: they may try to find the hacker, or may set up automated
tools to find out who the person is while the attack is in progress,
all while paging the administrator to notify them of trouble. I think
this is excessive. For one thing, any system connected to the Internet
should have at least good enough security to fend off an attack for a
few hours. Personally, I'd rather be doing something else at 3AM than
answering a page from my firewall about an attack that is going to
fail anyway.

Typically you want to fall somewhere in between the two types. Be
passive toward the more mundane probers and ankle-biters; simply put,
they aren't worth the time and energy to track down. The more
aggressive attackers should probably be dealt with through either
denied-hosts lists or router filters. In the more aggressive cases I
will also notify the system administrator of the site and the
hostmaster for the domain of the problem, and include a cut of the log
file showing the infraction.

Most importantly, DON'T OVER-REACT!! It is not necessary to flame the
sysadmin of a site that has a hacker coming from it. A nice, polite
note will usually be OK and will solve the problem! I prefer to let
the site admins know that an account is being used for the activity,
because chances are good that the same account was hacked from them.

-- Craig

crowland@psionic.com