[CentOS] Interpreting logwatch

Wed Sep 8 16:17:05 UTC 2010
Bill Campbell <centos at celestial.com>

On Wed, Sep 08, 2010, Timothy Murphy wrote:
>Giles Coochey wrote:
>
>> The likelihood is that someone ran a vulnerability scanner against all
>> your available services, logwatch found evidence of that vulnerability
>> scan, and you should check whether any other vulnerabilities were scanned
>> for and perhaps found...
>> 
>> To do that you should manually check your log files or use a better tool.
>
>Such as ...

While fail2ban and swatch are good tools, apache mod_security is
probably better for dealing with this type of thing as it is
designed to minimize attacks on web services.

I think it's a mistake to discount any attacks involving php as
the vast majority of the systems I have had to clean up after
cracks have been compromised through php vulnerabilities, usually
in conjunction with weak user level passwords.

IMHO, admin tools like phpMyAdmin, webmin, and usermin should be
carefully restricted, preferably only accessible via a private
LAN, not from the public internet.  Use a VPN to access from the
public internet if necessary.  We don't install usermin in most
cases as I have seen it used to exploit security bugs on old SuSE
systems that permit root access.

Bill
-- 
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186  Skype: jwccsllc (206) 855-5792

all bureaucracies will bear close watching, and none more so than that
which comes into power in a wave of popular enthusiasm, and with the
avowed purpose of saving the country from ruin.  -- H.L. Mencken
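One way to act on the advice in this thread (go through the web server logs and see which admin-tool paths were hit from outside the private LAN) is a small log check; the following is an added Python example, not code from the thread, and the sample log lines, the allowed networks and the admin path prefixes are constructed assumptions to adapt to your own setup.

```python
import re
import ipaddress

# Constructed sample lines in Apache combined log format (not from the thread).
# 203.0.113.x and 198.51.100.x are documentation addresses standing in for public sources.
SAMPLE_LOG = """\
192.168.1.20 - - [08/Sep/2010:16:01:12 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Sep/2010:16:02:03 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 310 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Sep/2010:16:02:04 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 310 "-" "Mozilla/5.0"
10.0.0.5 - - [08/Sep/2010:16:05:40 +0000] "GET /webmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Sep/2010:16:06:11 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Sep/2010:16:06:12 +0000] "GET /usermin/ HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
"""

# Assumed policy from the post: admin tools are reachable only from the private LAN
# (or a VPN pool inside it). Adjust to the networks you actually use.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumed URL prefixes under which the admin tools named in the post are served.
ADMIN_PREFIXES = ("/phpmyadmin", "/pma", "/webmin", "/usermin")

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def is_allowed_source(ip_text):
    """True if the client address falls inside one of the allowed private networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_NETS)

def find_exposed_admin_hits(log_text):
    """Return (ip, path, status) for every admin-tool request from a non-LAN address.

    Status is kept because a burst of 404s across several admin paths from one
    address is the scanner pattern discussed in the thread, while a 200 means
    the tool really was reachable from that address."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0].lower()
        if not path.startswith(ADMIN_PREFIXES) or is_allowed_source(m.group("ip")):
            continue
        hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits

def summarize(hits):
    """Count flagged requests per source address."""
    counts = {}
    for ip, _path, _status in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts

if __name__ == "__main__":
    for ip, path, status in find_exposed_admin_hits(SAMPLE_LOG):
        print(f"{ip} {status} {path}")
```

Run it against a real `access_log` by reading the file into `find_exposed_admin_hits`; any hit with a 2xx/3xx status shows an admin tool that was actually served to a public address and should be firewalled or moved behind the VPN as the post suggests.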