Internet Security Professional Reference: How to Build a Firewall


The Authentication Server Report

The authentication server report summarizes the authentication operations recorded by the authentication server (authsrv): who was authenticated, who failed, and which administrative changes were made to the user database. A typical run of authsrv-summ.sh looks like this:

pc# ./authsrv-summ.sh < /var/log/messages.0

Top 100 permitted user authentications (total: 6)
Logins        User ID
------        -------
4             admin
2             chrish

Top 100 failed user authentications (total: 2)
Attempts      Username
--------      --------
1             paulp
1             chrish

Authentication Management Operations
-----------------------------------
administrator ADDED admin
administrator ADDED admin
administrator ADDED chrish
administrator ADDED chrish
administrator ADDED paulp
administrator DELETED admin
administrator DELETED chrish
administrator ENABLED admin
administrator ENABLED chrish
administrator GROUP admin manager
administrator GROUP chrish production
administrator GROUP paulp copy
administrator GWIZ chrish
administrator GWIZ chrish
administrator GWIZ paulp
administrator PASSWORD admin
administrator PASSWORD chrish
administrator PROTOCOL admin
administrator PROTOCOL chrish
administrator UN-GWIZ chrish
administrator WIZ admin
administrator WIZ chrish

Notice that this and all the other reporting tools expect to read their data from the standard input stream. You can feed them a log file either by piping it through the cat command, or by redirecting standard input from the log file as shown above.

The authsrv summary report lists the total number of authentication requests and who made them, the failed (denied) authentications, and the authentication database management operations. If you run this report after a heavy period of user administration, it will be quite verbose.

The Service Denial Report

The purpose of the service denial report is to identify hosts that attempted to connect through the firewall and were refused. The report reads through the specified log file and reports on:

  The top 100 network service users
  The top 100 denied service users
  The total service requests by service

A sample execution of deny-summ.sh looks like this:

pc# ./deny-summ.sh < /var/log/messages.0

Authentication Failures
Failures      Proxy: Host - ID
--------      ----------------
1             s: disable - paulp
1             ftp-gw: pc.unilabs.org/206.116.65.3 - chrish

Top 100 network service users (total: 152)
Connects      Host/Address
--------      ------------
120           stargazer.unilabs.org/206.116.65.2:
11            pc.unilabs.org/206.116.65.3:ftp
5             stargazer.unilabs.org/206.116.65.2:telnet
3             stargazer.unilabs.org/206.116.65.2:telnetd
3             stargazer.unilabs.org/206.116.65.2:ftpd
3             pc.unilabs.org/206.116.65.3:telnet
2             stargazer.unilabs.org/206.116.65.2:ftp
2             pc.unilabs.org/206.116.65.3:
1             unknown/206.116.65.2:
1             pc.unilabs.org/206.116.65.3:telnetd
1             pc.unilabs.org/206.116.65.3:ftpd

Top 100 Denied network service users (total: 12)
Connects      Host/Address
--------      ------------
2             stargazer.unilabs.org/206.116.65.2:telnet
2             pc.unilabs.org/206.116.65.3:ftp
1             unknown/206.116.65.2:110
1             stargazer.unilabs.org/206.116.65.2:telnetd
1             stargazer.unilabs.org/206.116.65.2:110
1             stargazer.unilabs.org/206.116.65.2:
1             pc.unilabs.org/206.116.65.3:2120
1             pc.unilabs.org/206.116.65.3:119
1             pc.unilabs.org/206.116.65.3:110
1             pc.unilabs.org/206.116.65.3:

Service Requests
Requests      Service
--------      -------
125
15            ftp
10            telnet
5             telnetd
4             ftpd
3             110
1             2120
1             119

The report can be used to highlight sites that have attempted unauthorized connections through the firewall. It also highlights sites that are authorized to connect but whose users do not know how to, or have forgotten their passwords. Any of these cases may be a legitimate usability problem or a potential security breach, so each one deserves a look.

The FTP Usage Report

The FTP usage report identifies sites that have connected to FTP services through the firewall. It reports the number of connections, the origin of each connection, and the amount of data transferred in each direction. A sample execution of ftp-summ.sh looks like this:

pc# cat /var/log/messages* | ./ftp-summ.sh
FTP service users (total: 23)
Connects      Host/Address
--------      ------------
13            stargazer.unilabs.org/204.191.3.147
5             pc.unilabs.org/206.116.65.3
3             pc.unilabs.org/204.191.3.150
2             stargazer.unilabs.org/206.116.65.2

Denied FTP service users (total: 4)
Connects      Host/Address
--------      ------------
2             pc.unilabs.org/206.116.65.3
2             nds.fonorola.net/204.191.124.252

FTP service output thruput (total Kbytes: 6)
KBytes        Host/Address
------        ------------
6             pc.unilabs.org/206.116.65.3

FTP service input thruput (total Kbytes: 4)
KBytes        Host/Address
------        ------------
3             pc.unilabs.org/206.116.65.3
0             stargazer.unilabs.org/206.116.65.2
0             stargazer.unilabs.org/204.191.3.147
pc#

As this report shows, several FTP service denials occurred on this firewall: two came from an external site, and an internal host also had connections refused. Many sites choose not to allow FTP at all because of the problems associated with pirated software or virus-infected software.
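The following POSIX shell script is an added example and is not one of the FWTK report scripts described on this page. It shows how a report of this kind is built: it reads the log from standard input exactly as authsrv-summ.sh, deny-summ.sh and ftp-summ.sh do (so it can be driven by cat with a pipe or by input redirection), and produces top-N tables for permitted and failed authentications, denied host/service pairs, requests per service and FTP throughput per host. The "key=value" log-line layout, the script name summ.sh, the function names and the sample log lines are all assumptions constructed for the example; real FWTK syslog lines carry the same information in a different layout. It goes one step beyond the page's reports: the last section flags hosts with repeated denials, the entries an administrator would investigate first.

```sh
#!/bin/sh
# Added example, not one of the FWTK report scripts: a stdin-driven log
# summariser in the spirit of authsrv-summ.sh, deny-summ.sh and ftp-summ.sh.
# The "key=value" line layout used here is a constructed, assumed format;
# real FWTK syslog lines carry the same information in a different layout.

# Constructed sample log; in practice the data comes from /var/log/messages*.
SAMPLE_LOG='Mar  3 10:01:02 pc authsrv[201]: user=admin result=permitted
Mar  3 10:02:15 pc authsrv[201]: user=chrish result=permitted
Mar  3 10:03:40 pc authsrv[201]: user=paulp result=failed
Mar  3 10:04:01 pc ftp-gw[310]: host=pc.unilabs.org/206.116.65.3 service=ftp result=permit bytes=4096
Mar  3 10:05:12 pc tn-gw[311]: host=stargazer.unilabs.org/206.116.65.2 service=telnet result=deny
Mar  3 10:06:30 pc authsrv[201]: user=admin result=permitted
Mar  3 10:07:02 pc authsrv[201]: user=paulp result=failed
Mar  3 10:08:44 pc tn-gw[312]: host=stargazer.unilabs.org/206.116.65.2 service=telnet result=deny
Mar  3 10:09:10 pc ftp-gw[313]: host=stargazer.unilabs.org/206.116.65.2 service=ftp result=deny
Mar  3 10:10:55 pc ftp-gw[314]: host=nds.fonorola.net/204.191.124.252 service=ftp result=deny
Mar  3 10:11:20 pc authsrv[201]: user=chrish result=failed
Mar  3 10:12:05 pc authsrv[201]: user=admin result=permitted
Mar  3 10:13:33 pc authsrv[201]: user=chrish result=permitted
Mar  3 10:14:09 pc ftp-gw[315]: host=pc.unilabs.org/206.116.65.3 service=ftp result=permit bytes=2048
Mar  3 10:15:47 pc tn-gw[316]: host=stargazer.unilabs.org/206.116.65.2 service=telnet result=permit'

# awk helper shared by the extractors: value of the key=value field named k, or "".
AWK_FIELD='function field(k,   i) { for (i = 1; i <= NF; i++) if (index($i, k "=") == 1) return substr($i, length(k) + 2); return "" }'

# Usernames from authsrv lines whose result is $1 (permitted|failed).
auth_users() {
    awk -v want="$1" "$AWK_FIELD"'
        /authsrv\[/ && field("result") == want { print field("user") }'
}

# "host:service" keys from proxy (*-gw) lines whose result is $1 (permit|deny).
service_keys() {
    awk -v want="$1" "$AWK_FIELD"'
        /-gw\[/ && field("result") == want { print field("host") ":" field("service") }'
}

# Service name of every proxy line, whatever the result ("Service Requests").
service_names() {
    awk "$AWK_FIELD"'/-gw\[/ { print field("service") }'
}

# Kilobytes transferred per host on permitted ftp-gw lines ("thruput" section).
ftp_kbytes() {
    awk "$AWK_FIELD"'
        /ftp-gw\[/ && field("result") == "permit" { kb[field("host")] += field("bytes") }
        END { for (h in kb) printf "%-13d %s\n", int(kb[h] / 1024), h }' | sort -rn
}

# The N most frequent keys on stdin as "count key", most frequent first.
top_n() {
    sort | uniq -c | sort -rn | head -n "$1" | awk '{ printf "%-13s %s\n", $1, $2 }'
}

# Defender's check: hosts with at least $1 denied connections in the log on stdin.
repeat_offenders() {
    service_keys deny | awk -F: '{ print $1 }' | sort | uniq -c |
        awk -v t="$1" '$1 >= t { print $2 }'
}

section() { printf '\n%s\n%-13s %s\n------        ------------\n' "$1" "$2" "$3"; }

# Whole report from the log on stdin; the log is read once and reused per section.
report() {
    log=$(cat)
    section 'Permitted user authentications' Logins 'User ID'
    printf '%s\n' "$log" | auth_users permitted | top_n 100
    section 'Failed user authentications' Attempts Username
    printf '%s\n' "$log" | auth_users failed | top_n 100
    section 'Denied network service users' Connects Host/Address
    printf '%s\n' "$log" | service_keys deny | top_n 100
    section 'Service requests' Requests Service
    printf '%s\n' "$log" | service_names | top_n 100
    section 'FTP service thruput' KBytes Host/Address
    printf '%s\n' "$log" | ftp_kbytes
    printf '\nHosts with 3 or more denied connections\n'
    printf '%s\n' "$log" | repeat_offenders 3
}

# Usage: ./summ.sh /var/log/messages.0    or    cat /var/log/messages* | ./summ.sh -
# ("-" makes cat read stdin). With no argument the constructed sample is summarised.
if [ "$#" -gt 0 ]; then
    cat "$@" | report
else
    printf '%s\n' "$SAMPLE_LOG" | report
fi
```

Run as `./summ.sh - < /var/log/messages.0` or `cat /var/log/messages* | ./summ.sh -` to mirror the two invocation styles described for the FWTK tools; with no argument it summarises the embedded sample. Reading the log once into a variable and replaying it per section keeps each summariser a simple stdin filter, which is also what makes the pieces easy to reuse from other scripts.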

