From: George Chacon <please.help.me@comcast.net>
To: netfilter@newkirk.us,
Netfilter Mailing List <netfilter@lists.netfilter.org>
Subject: RE: How to keep record of repeat attackers?
Date: Wed, 12 Mar 2003 23:19:40 -0800 [thread overview]
Message-ID: <PKEJLPJCFBFLJJPHMGPIAEBDCAAA.please.help.me@comcast.net> (raw)
In-Reply-To: <200303122224.55297.netfilter@newkirk.us>
>>Your first problem is defining "offenders", then "repeat offenders" and
>>"attackers". Do you mean simply to track everyone who attempts to
>>connect to you? I presume you don't expect much if any legitimate
>>incoming NEW traffic if this is the intent?
Thanks for the response Joel. What I'd like to track are the IP addresses
that get denied or rejected, and the deny/reject rules that get accessed
frequently. In other words, I'd like to track repeated, obvious, malicious
connections. I'd like to know if the same person is relentlessly chipping
away at my firewall, looking for weaknesses.
I'll take a look at http://ntop.org. That looks pretty good.
George
-----Original Message-----
From: Joel Newkirk [mailto:netfilter@newkirk.us]
Sent: Wednesday, March 12, 2003 7:25 PM
To: George Chacon; Netfilter Mailing List
Subject: Re: How to keep record of repeat attackers?
On Wednesday 12 March 2003 08:20 pm, George Chacon wrote:
> Hi,
>
> I'm an iptables newbie, and have a question about logging repeat
> offenders. Is it possible to have my firewall box remember incoming IP
> addresses, and generate a report showing which attackers keep coming
> back?
>
> Thank you,
>
> George Chacon
With iptables there are only two ways to do record information (apart
from simply the packet/byte counts that match each rule): the LOG
target (formatted header information, basically, written to syslog) or
the ULOG target with an external accounting package.
Your first problem is defining "offenders", then "repeat offenders" and
"attackers". Do you mean simply to track everyone who attempts to
connect to you? I presume you don't expect much if any legitimate
incoming NEW traffic if this is the intent?
You might also want to look at http://ntop.org . I've had it running on
my gateway for about a week now, and am delighted by the depth of detail
and the variety of views it offers. Network load, protocol
distribution, etc are available along with per-IP information on
everyone who has connected, tracking when they've connected, what
protocols, bad packets, and much more.
j
next prev parent reply other threads:[~2003-03-13 7:19 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-03-13 1:20 How to keep record of repeat attackers? George Chacon
2003-03-13 3:24 ` Joel Newkirk
2003-03-13 7:19 ` George Chacon [this message]
2003-03-13 7:40 ` Joel Newkirk
2003-03-13 8:50 ` George Chacon
2003-03-13 9:19 ` Eric Leblond
2003-03-13 15:46 ` George Chacon
2003-03-13 19:34 ` Bill Davidsen
2003-03-13 20:29 ` Aldo S. Lagana
-- strict thread matches above, loose matches on Subject: below --
2003-03-14 16:50 George Chacon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=PKEJLPJCFBFLJJPHMGPIAEBDCAAA.please.help.me@comcast.net \
--to=please.help.me@comcast.net \
--cc=netfilter@lists.netfilter.org \
--cc=netfilter@newkirk.us \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.