From: Joel Newkirk <netfilter@newkirk.us>
To: George Chacon <please.help.me@comcast.net>,
	Netfilter Mailing List <netfilter@lists.netfilter.org>
Subject: Re: How to keep record of repeat attackers?
Date: Thu, 13 Mar 2003 02:40:27 -0500
Message-ID: <200303130240.27139.netfilter@newkirk.us>
In-Reply-To: <PKEJLPJCFBFLJJPHMGPIAEBDCAAA.please.help.me@comcast.net>

On Thursday 13 March 2003 02:19 am, George Chacon wrote:
> > Your first problem is defining "offenders", then "repeat offenders"
> > and "attackers". Do you mean simply to track everyone who attempts
> > to connect to you? I presume you don't expect much if any
> > legitimate incoming NEW traffic if this is the intent?
>
> Thanks for the response Joel. What I'd like to track are the IP
> addresses that get denied or rejected, and the deny/reject rules that
> get accessed frequently. In other words, I'd like to track repeated,
> obvious, malicious connections. I'd like to know if the same person
> is relentlessly chipping away at my firewall, looking for weaknesses.

For that you can use a combination of "iptables -L -v -n" (List, verbose
to list counts, numeric instead of trying to resolve IPs) to list the
rules with packet and byte counts that have matched each, and the LOG
target just before the DROP (same rule with "-j LOG" instead of "-j
DROP") to log more detailed info, like IPs, port numbers, TTL and packet
size.

The list (if you have many rules) could be done with "iptables -L -v -n |
grep DROP" to show only DROP rules.

The LOG target logs via syslog as a kernel message, so it usually goes to
/var/log/messages. That gets a little cluttered. It's easier if you
edit /etc/syslog.conf and add something like

	kern.=debug	/var/log/firewall

near the top, then restart syslog with "service syslogd restart" as
root. Now kernel messages of level "debug" (level 7) will go to that
log file instead of the default. (Unless you're debugging your kernel,
that stream's pretty quiet.) The final key is to add the option
"--log-level 7" after the LOG target. You can also add
'--log-prefix "LOGCOMMENT"' as well, and all the log entries for that
rule will have LOGCOMMENT prefixed before the info. This makes for
easier sorting and identification in the log file.

> I'll take a look at http://ntop.org. That looks pretty good.

Actually it seems very nice, but AFAIK it is unable to see anything that
is DROPped or REJECTed... Still poking about with it.

j
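The setup described in the message above, LOG at level 7 with a prefix immediately before the DROP and a syslog.conf line that diverts kern.=debug to /var/log/firewall, turned into a script that also does the "repeat offender" counting George asked for. This is an added example and is not code from the thread or from the netfilter project. The chain name BLOCKLOG, the prefix "FW-DROP-IN:", the interface eth0 and the log lines are all constructed for illustration; the "-m limit" match on the LOG rule is an addition the message does not mention, there so that a packet flood cannot fill the log partition while every packet still hits the DROP.

```shell
#!/bin/sh
# Added example, not from the original message.  Assumes the LOG-then-DROP
# layout described in the thread, a --log-prefix of "FW-DROP-IN:" and a
# syslog.conf line routing kern.=debug to /var/log/firewall.  Chain name,
# prefix and interface are hypothetical.

# Print the rules the message describes: LOG (level 7, prefixed) directly
# before DROP.  Emitted as text so they can be reviewed; pipe into sh as root
# to apply.  The "-m limit" on the LOG rule is an addition: it bounds log
# volume under a flood while the DROP still applies to every packet.
fw_rules() {
    cat <<'EOF'
iptables -N BLOCKLOG
iptables -A BLOCKLOG -m limit --limit 10/minute --limit-burst 20 \
    -j LOG --log-level 7 --log-prefix "FW-DROP-IN:"
iptables -A BLOCKLOG -j DROP
# append as the last rule of INPUT, after the ACCEPT rules for wanted traffic
iptables -A INPUT -i eth0 -j BLOCKLOG
EOF
}

# Constructed sample of what the kernel LOG target writes via syslog.
# Fields (SRC=, DST=, PROTO=, SPT=, DPT=, TTL=, LEN=) are the ones the message
# mentions; the second-to-last line is an unrelated kernel message that must
# be ignored.
sample_log() {
    cat <<'EOF'
Mar 13 02:40:01 gw kernel: FW-DROP-IN:IN=eth0 OUT= MAC=00:0c:29:3e:5f:01:00:50:56:c0:00:08:08:00 SRC=10.0.0.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 13 02:40:02 gw kernel: FW-DROP-IN:IN=eth0 OUT= MAC=00:0c:29:3e:5f:01:00:50:56:c0:00:08:08:00 SRC=10.0.0.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=2 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 13 02:40:03 gw kernel: FW-DROP-IN:IN=eth0 OUT= MAC=00:0c:29:3e:5f:01:00:50:56:c0:00:08:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=3 DF PROTO=TCP SPT=1031 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 13 02:40:09 gw kernel: FW-DROP-IN:IN=eth0 OUT= MAC=00:0c:29:3e:5f:01:00:50:56:c0:00:08:08:00 SRC=10.0.0.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=4 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 13 02:40:15 gw kernel: FW-DROP-IN:IN=eth0 OUT= MAC=00:0c:29:3e:5f:01:00:50:56:c0:00:08:08:00 SRC=203.0.113.9 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=5 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 13 02:40:20 gw kernel: FW-DROP-IN:IN=eth0 OUT= MAC=00:0c:29:3e:5f:01:00:50:56:c0:00:08:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=6 DF PROTO=TCP SPT=1032 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 13 02:40:31 gw kernel: eth0: link up, 100Mbps, full-duplex
Mar 13 02:40:44 gw kernel: FW-DROP-IN:IN=eth0 OUT= MAC=00:0c:29:3e:5f:01:00:50:56:c0:00:08:08:00 SRC=10.0.0.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=7 DF PROTO=TCP SPT=40004 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# repeat_offenders LOGFILE [MIN]: one line per source that appears at least
# MIN times (default 5) in prefixed LOG entries, most active first:
#   <src> <hits> <comma-separated distinct destination ports in first-seen order>
repeat_offenders() {
    log="$1"; min="${2:-5}"
    awk -v min="$min" '
        /kernel: FW-/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "") next
            hits[src]++
            if (dpt != "" && !seen[src, dpt]++)
                ports[src] = ports[src] (ports[src] == "" ? "" : ",") dpt
        }
        END {
            for (s in hits)
                if (hits[s] >= min) printf "%s %d %s\n", s, hits[s], ports[s]
        }' "$log" | sort -k2,2nr
}

# Usage: sh fwlog.sh --rules            print the iptables rules
#        sh fwlog.sh LOGFILE [MIN]      summarise a real /var/log/firewall
#        sh fwlog.sh                    run against the constructed sample
case "${1:-}" in
    --rules) fw_rules ;;
    "")      tmp=$(mktemp); sample_log > "$tmp"
             repeat_offenders "$tmp" 2; rm -f "$tmp" ;;
    *)       repeat_offenders "$1" "${2:-5}" ;;
esac
```

Against the sample the summary shows 10.0.0.5 hitting four times across ports 22, 23 and 80, which is the "chipping away" pattern the question describes, while the single probe from 203.0.113.9 falls under the threshold. Only packets that reach the LOG rule are counted, so anything ACCEPTed earlier in INPUT never appears, and with the limit match in place a flood is recorded as a capped sample rather than every packet; the packet counters from "iptables -L -v -n" on the DROP rule remain the exact figure.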