Getting a TON of IP attacks... Request for Open-Sourced IDS program

Daniel B. Thurman dant at cdkkt.com
Thu Nov 10 17:12:33 UTC 2005


Folks,

I am getting slammed with attacks to my site, for which most
of the attempts are reported to me via my network appliance,
but of course that is only for those attacks that the NA knows
about - so I am just getting a bit concerned.  Those that do
not get through are things like certain corrupted packets, port spoofing,
port scanning, unexposed-port attacks, DOS, DDOS, as provided
by the NA, but the ones that do get through are exposed-port
attacks, broadcast packets, and other things God knows what.
These are attempting to attack systems inside my firewall.

As for the Fedora box specifically, FireStarter is a nice tool for
easy management of the IPtables, and one nice feature is the
ability to show in "real time" successful connections and denials
of connections, which is nice but not comprehensive enough. So,
I am wondering if there is a really good port analyzer or security
tool that can show in (near) real time illegal connection attempts
and has the ability to map these offender(s) to the origin of these
attacks, with automatic abuse email deliveries to the ISPs that are
responsible for their networks?

I am not looking for a port analyzer per se, but if it can be used
with graphical displays of attackers as they unfold, that would
be nifty.  I am thinking along the lines of an old(?) program
called "black ice" with additional vendor support that tied into
it for graphical display with world maps - it was really cool,
and it had the ability to generate abuse data for email delivery
and also allowed the administrator to preview for manual or
automatic delivery.  Perhaps what I am seeking is an IDS
(Intrusion Detection System) program for Linux?  I am not looking
for commercial solutions as I do not have a tree that grows money :-(

I got some interesting attack attempts from LogWatch and thought
I would share this information; it surprised me a little, esp.
WRT program-argument-level attacks...  I never realized that one
must be fairly diligent when it comes to security considerations.

Anyway, here it is:

/awstats/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
/blog/xmlrpc.php: 1 Time(s)
/blog/xmlsrv/xmlrpc.php: 1 Time(s)
/blogs/xmlsrv/xmlrpc.php: 1 Time(s)
/cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
/cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1 Time(s)
/drupal/xmlrpc.php: 1 Time(s)
/favicon.ico: 1 Time(s)
/phpgroupware/xmlrpc.php: 1 Time(s)
/wordpress/xmlrpc.php: 1 Time(s)
/xmlrpc.php: 2 Time(s)
/xmlrpc/xmlrpc.php: 1 Time(s)
/xmlsrv/xmlrpc.php: 1 Time(s)

Note that these are attempts from the httpd side, and I have yet to see if
LogWatch is capable of tracking and reporting illegal attempts to access
programs and run them remotely, especially if it should not be allowed.

Please let me know of your security experiences and recommendations!

Kind regards,
Dan

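The two kinds of probe in the LogWatch summary above (an awstats.pl request with shell metacharacters in the configdir= argument, and the same xmlrpc.php file requested under a list of guessed paths) can be picked out of the raw Apache access log and grouped by source address, which is the "map the offender to the origin" step the post asks for. The script below is an added example, not part of the original message and not LogWatch or FireStarter code; the log lines are constructed for the example, with addresses from documentation ranges, and the two signatures are assumptions written from the paths shown in the post.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-log lines (example data, not from the post or
# the poster's server). 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
# documentation ranges, so nothing here points at a real host.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2005:16:55:01 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;echo| HTTP/1.1" 404 286 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Nov/2005:16:55:02 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;echo| HTTP/1.1" 404 286 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Nov/2005:17:01:12 +0000] "GET /blog/xmlrpc.php HTTP/1.1" 404 286 "-" "-"
198.51.100.23 - - [10/Nov/2005:17:01:13 +0000] "GET /xmlrpc.php HTTP/1.1" 404 286 "-" "-"
198.51.100.23 - - [10/Nov/2005:17:01:14 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 286 "-" "-"
192.0.2.5 - - [10/Nov/2005:17:05:44 +0000] "GET /favicon.ico HTTP/1.1" 404 286 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Nov/2005:17:05:45 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client ip, identd, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that have no business in a configdir= value.
SHELL_META = "|;`$"


def classify(target):
    """Return the attack tags matching one request target (path plus query).

    Both signatures are assumptions derived from the paths in the post:
    the awstats one looks at the decoded configdir= argument wherever
    awstats.pl lives; the xmlrpc one fires on any path ending in xmlrpc.php.
    """
    parts = urlsplit(target)
    path = unquote(parts.path)
    tags = []
    if path.endswith("/awstats.pl"):
        for pair in parts.query.split("&"):
            if pair.startswith("configdir="):
                value = unquote(pair[len("configdir="):])
                if any(c in value for c in SHELL_META):
                    tags.append("awstats_configdir_injection")
    if path.endswith("/xmlrpc.php"):
        tags.append("xmlrpc_probe")
    return tags


def analyze(log_text):
    """Map each offending source IP to a per-tag hit count.

    Addresses that only made benign requests (favicon, index) never appear,
    so the result is already the offender list.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for tag in classify(m.group("target")):
            hits[m.group("ip")][tag] += 1
    return {ip: dict(tags) for ip, tags in hits.items()}


def report(hits):
    """Plain-text summary, one block per offender, usable as the body of an abuse note."""
    lines = []
    for ip in sorted(hits):
        lines.append("Source %s:" % ip)
        for tag, n in sorted(hits[ip].items()):
            lines.append("  %s: %d request(s)" % (tag, n))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG)))
```

Running it on a real `/var/log/httpd/access_log` (the default location on Fedora) instead of `SAMPLE_LOG` gives the per-source view that LogWatch's per-path count hides; looking up each address with `whois` for the network's abuse contact is the remaining manual step, and the summary from `report()` is what would go in that message. Note that the awstats signature keys on the decoded argument, not on the literal `%20`, so a probe that encodes the metacharacters differently is still caught, while a legitimate `configdir=/etc/awstats` is not.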