The Authentication Server Report
The authentication server report identifies various authentication operations that are carried out on the server. A typical report of authsrv-summ.sh looks like this:
pc# ./authsrv-summ.sh < /var/log/messages.0

Top 100 permitted user authentications (total: 6)
Logins  User ID
------  -------
     4  admin
     2  chrish

Top 100 failed user authentications (total: 2)
Attempts  Username
--------  --------
       1  paulp
       1  chrish

Authentication Management Operations
------------------------------------
administrator ADDED admin
administrator ADDED admin
administrator ADDED chrish
administrator ADDED chrish
administrator ADDED paulp
administrator DELETED admin
administrator DELETED chrish
administrator ENABLED admin
administrator ENABLED chrish
administrator GROUP admin manager
administrator GROUP chrish production
administrator GROUP paulp copy
administrator GWIZ chrish
administrator GWIZ chrish
administrator GWIZ paulp
administrator PASSWORD admin
administrator PASSWORD chrish
administrator PROTOCOL admin
administrator PROTOCOL chrish
administrator UN-GWIZ chrish
administrator WIZ admin
administrator WIZ chrish
Notice that this and all the other reporting tools expect to read their data from the standard input stream. You can feed them either by piping the output of the cat command into the script, or by redirecting standard input from the log file (with <, never >, which would overwrite the log).
The authsrv summary report lists the total authentication requests made and by whom, the denied authentications, and the authentication database management operations. If you run this report after a heavy period of user administration, it will be quite verbose.
The Service Denial Report
The purpose of the service denial report is to identify hosts that attempted to connect through the firewall and were not permitted. The report reads through the specified log file and reports on:
A sample execution of deny-summ.sh looks like this:
pc# ./deny-summ.sh < /var/log/messages.0

Authentication Failures
Failures  Proxy: Host - ID
--------  ----------------
       1  s: disable - paulp
       1  ftp-gw: pc.unilabs.org/206.116.65.3 - chrish

Top 100 network service users (total: 152)
Connects  Host/Address
--------  ------------
     120  stargazer.unilabs.org/206.116.65.2:
      11  pc.unilabs.org/206.116.65.3:ftp
       5  stargazer.unilabs.org/206.116.65.2:telnet
       3  stargazer.unilabs.org/206.116.65.2:telnetd
       3  stargazer.unilabs.org/206.116.65.2:ftpd
       3  pc.unilabs.org/206.116.65.3:telnet
       2  stargazer.unilabs.org/206.116.65.2:ftp
       2  pc.unilabs.org/206.116.65.3:
       1  unknown/206.116.65.2:
       1  pc.unilabs.org/206.116.65.3:telnetd
       1  pc.unilabs.org/206.116.65.3:ftpd

Top 100 Denied network service users (total: 12)
Connects  Host/Address
--------  ------------
       2  stargazer.unilabs.org/206.116.65.2:telnet
       2  pc.unilabs.org/206.116.65.3:ftp
       1  unknown/206.116.65.2:110
       1  stargazer.unilabs.org/206.116.65.2:telnetd
       1  stargazer.unilabs.org/206.116.65.2:110
       1  stargazer.unilabs.org/206.116.65.2:
       1  pc.unilabs.org/206.116.65.3:2120
       1  pc.unilabs.org/206.116.65.3:119
       1  pc.unilabs.org/206.116.65.3:110
       1  pc.unilabs.org/206.116.65.3:

Service Requests
Requests  Service
--------  -------
     125
      15  ftp
      10  telnet
       5  telnetd
       4  ftpd
       3  110
       1  2120
       1  119
The report can be used to highlight sites that have attempted unauthorized connections to the firewall; it also highlights sites that are authorized to connect but whose users do not know how, or have forgotten their passwords. Any of these cases may be a legitimate user problem or a potential security breach, so each deserves a look.
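As an added illustration (not code from the book or from the firewall toolkit itself), the following Python script builds the permitted and denied connection summaries the way deny-summ.sh does, reading syslog lines from standard input. The log lines are constructed in an assumed FWTK-style proxy format (the proxy names and the "permit host=" / "deny host=" wording are assumptions), and the script name deny_summary.py is hypothetical.

```python
import re
import sys
from collections import Counter

# Constructed sample lines in an assumed TIS FWTK-style proxy log format (real wording may differ).
SAMPLE_LOG = """\
Jan 12 10:01:02 pc ftp-gw[201]: permit host=pc.unilabs.org/206.116.65.3 use of gateway
Jan 12 10:01:09 pc ftp-gw[201]: deny host=pc.unilabs.org/206.116.65.3 use of gateway
Jan 12 10:02:15 pc tn-gw[202]: permit host=stargazer.unilabs.org/206.116.65.2 use of gateway
Jan 12 10:02:40 pc tn-gw[203]: deny host=stargazer.unilabs.org/206.116.65.2 use of gateway
Jan 12 10:03:01 pc plug-gw[204]: deny host=unknown/206.116.65.2 use of gateway on port 110
Jan 12 10:03:30 pc ftp-gw[205]: permit host=pc.unilabs.org/206.116.65.3 use of gateway
"""

# Assumed message shape: "<proxy>[pid]: permit|deny host=<name>/<addr> use of gateway [on port N]"
LINE_RE = re.compile(
    r"(?P<proxy>[a-z-]+gw)\[\d+\]: (?P<verdict>permit|deny) host=(?P<host>\S+)"
    r"(?: use of gateway(?: on port (?P<port>\d+))?)?"
)
SERVICE = {"ftp-gw": "ftp", "tn-gw": "telnet"}  # proxy name -> service label in the report

def summarize(lines):
    """Count permitted and denied connects per host/address:service, like the deny report."""
    permitted, denied = Counter(), Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated syslog line (cron, kernel, ...); the report ignores it
        service = m.group("port") or SERVICE.get(m.group("proxy"), "")
        key = f"{m.group('host')}:{service}"
        (permitted if m.group("verdict") == "permit" else denied)[key] += 1
    return permitted, denied

def top(counter, n=100):
    """Rows ordered like the report: highest connect count first, then by host/address."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def render(permitted, denied):
    """Format both tables in the same layout deny-summ.sh prints."""
    out = []
    for title, c in (("network service users", permitted), ("Denied network service users", denied)):
        out.append(f"Top 100 {title} (total: {sum(c.values())})")
        out.append("Connects  Host/Address")
        out.append("--------  ------------")
        out.extend(f"{n:8d}  {host}" for host, n in top(c))
        out.append("")
    return "\n".join(out)

if __name__ == "__main__":
    # Like deny-summ.sh, read the log from stdin: ./deny_summary.py < /var/log/messages.0
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    print(render(*summarize(src)))
```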
The FTP Usage Report
The FTP usage report identifies sites that have connected to FTP services through the firewall. It reports the number of connections, the origin of each connection, and the amount of data transferred. A sample execution of ftp-summ.sh looks like this:
pc# cat /var/log/messages* | ./ftp-summ.sh

FTP service users (total: 23)
Connects  Host/Address
--------  ------------
      13  stargazer.unilabs.org/204.191.3.147
       5  pc.unilabs.org/206.116.65.3
       3  pc.unilabs.org/204.191.3.150
       2  stargazer.unilabs.org/206.116.65.2

Denied FTP service users (total: 4)
Connects  Host/Address
--------  ------------
       2  pc.unilabs.org/206.116.65.3
       2  nds.fonorola.net/204.191.124.252

FTP service output thruput (total Kbytes: 6)
KBytes  Host/Address
------  ------------
     6  pc.unilabs.org/206.116.65.3

FTP service input thruput (total Kbytes: 4)
KBytes  Host/Address
------  ------------
     3  pc.unilabs.org/206.116.65.3
     0  stargazer.unilabs.org/206.116.65.2
     0  stargazer.unilabs.org/204.191.3.147
pc#
As you can see in this report, several service denials occurred on this firewall. A couple came from an external site, but an internal host also attempted to access the service and was denied. Many sites choose not to allow FTP at all because of the potential problems associated with pirated software or virus-infected software.