* Monitoring a TARPIT
From: Gottmar Krakéliusz @ 2005-08-25 11:04 UTC (permalink / raw)
To: netfilter
Hi!
I use the TARPIT target to delay those brute force attacks on my SSH port.
Now I wonder if there is a way of getting some statistics on how many, which
IP:s and for how long they are caught.
AFAIK, I can't get ALL this by simply logging?
Gottmar
* Re: Monitoring a TARPIT
From: curby . @ 2005-08-26 21:56 UTC (permalink / raw)
To: Gottmar Krakéliusz; +Cc: netfilter
On 8/25/05, Gottmar Krakéliusz <ulan.bator@hotmail.com> wrote:
> Hi!
> I use the TARPIT target to delay those brute force attacks on my SSH port.
> Now I wonder if there is a way of getting some statistics on how many, which
> IP:s and for how long they are caught.
> AFAIK, I can't get ALL this by simply logging?
If you put your logging rule right before the TARPIT rule, it should
log everything that would get to TARPIT. This will show you IPs that
get TARPIT-ed, and with some log analysis you could also find when,
how many, etc.
* RE: Monitoring a TARPIT
From: Gary W. Smith @ 2005-08-27 0:56 UTC (permalink / raw)
To: curby ., Gottmar Krakéliusz; +Cc: netfilter
I tried that. We have a rule set up for ports 445 and 135-139. Let's just say that since this last round of viruses, here is what tarpit has to say.
-rw------- 1 root root 489043093 Aug 26 19:49 messages
-rw------- 1 root root 787713009 Aug 26 04:47 messages.1
Luckily the firewall has 250gb drives.
With that in mind, you might want to rate limit your logging on this.
Gary
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of curby .
> Sent: Friday, August 26, 2005 2:56 PM
> To: Gottmar Krakéliusz
> Cc: netfilter@lists.netfilter.org
> Subject: Re: Monitoring a TARPIT
>
> On 8/25/05, Gottmar Krakéliusz <ulan.bator@hotmail.com> wrote:
> > Hi!
> > I use the TARPIT target to delay those brute force attacks on my SSH port.
> > Now I wonder if there is a way of getting some statistics on how many, which
> > IP:s and for how long they are caught.
> > AFAIK, I can't get ALL this by simply logging?
>
> If you put your logging rule right before the TARPIT rule, it should
> log everything that would get to TARPIT. This will show you IPs that
> get TARPIT-ed, and with some log analysis you could also find when,
> how many, etc.
^ permalink raw reply [flat|nested] 3+ messages in thread
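The "log analysis" step suggested in this thread, as an added example that is not part of the original messages: it summarises per source IP how many packets were logged, how many connections they belong to, and how long the source stayed in the tarpit. It assumes the LOG rule uses --log-prefix "TARPIT: " and that syslog timestamps carry no year; the sample lines and the name tarpit_stats are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: syslog lines as the kernel LOG target writes them, assuming
# a LOG rule with --log-prefix "TARPIT: " placed directly before the TARPIT rule.
SAMPLE_LOG = """\
Aug 26 19:40:01 fw kernel: TARPIT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 SYN URGP=0
Aug 26 19:40:02 fw kernel: TARPIT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=52 TTL=52 PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 ACK URGP=0
Aug 26 19:41:10 fw kernel: TARPIT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40113 DPT=22 WINDOW=5840 SYN URGP=0
Aug 26 19:45:00 fw kernel: TARPIT: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=47 PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 SYN URGP=0
Aug 26 19:46:00 fw sshd[311]: Server listening on 0.0.0.0 port 22.
Aug 26 19:52:31 fw kernel: TARPIT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=52 TTL=52 PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 ACK URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?TARPIT: "
    r".*?SRC=(?P<src>\S+) .*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")

def tarpit_stats(text, year=2005):
    """Per source IP: logged packets, distinct connections, first/last seen, seconds held."""
    raw = defaultdict(lambda: {"packets": 0, "conns": set(), "first": None, "last": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a line written by the TARPIT logging rule
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        s = raw[m["src"]]
        s["packets"] += 1
        s["conns"].add((m["spt"], m["dpt"]))  # one connection per source/dest port pair
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return {ip: {"packets": s["packets"], "connections": len(s["conns"]),
                 "first": s["first"], "last": s["last"],
                 "held_seconds": int((s["last"] - s["first"]).total_seconds())}
            for ip, s in raw.items()}

if __name__ == "__main__":
    # Busiest sources first.
    for ip, s in sorted(tarpit_stats(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["packets"]):
        print(f"{ip:15} packets={s['packets']} connections={s['connections']} "
              f"first={s['first']:%b %d %H:%M:%S} held={s['held_seconds']}s")
```

If the LOG rule is rate limited (for example with the limit match), the packet and connection counts are lower bounds and held_seconds can be shorter than the real time in the tarpit, since packets over the limit are never logged.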