On Sun, 1 May 2005, Timothy Murphy wrote:
> Am I right in thinking you are just scanning the ports of the
> dropped packets?
No, I'm *not* logging packets of common "MS vulnerability
worm/script-kiddie scan" packets.
I log all packets that hit the end of my infilter. Worm/kiddie crud
like that is just noise that I *don't* want to see in my logwatch
report. Hence I have my 'scans' chain to DROP such packets without
logging them.
The ssh thing is to try to slow down brute-force attacks.
> If so, wouldn't it be simpler just to run LogWatch through a Perl
> script? Or is there some other information you are getting?
I get the ability to:
- *NOT* have my logwatch report cluttered with stuff about
common-or-garden MS-exploit scan packets. (hence the stuff that /does/
get through to my logwatch report *is* worth looking at in more
detail)
- Still have the ability to pull general statistics about rates of
such scans from iptables, on the odd occasion I care.
> Am I right to deduce from your and the other replies that the IP
> addresses of the dropped packets are completely irrelevant?
Mostly yes.
Also, I have chains to completely drop packets from several countries.
My infilter looks like:
# iptables -L infilter
Chain infilter (4 references)
target prot opt source destination
chello-at tcp -- anywhere anywhere tcp dpt:http
attacks all -- anywhere anywhere
scans all -- anywhere anywhere
dns all -- anywhere anywhere
blackholes-malaysia all -- anywhere anywhere
blackholes-thailand all -- anywhere anywhere
h323 all -- anywhere anywhere
ssh-scan all -- anywhere anywhere
accepts all -- anywhere anywhere
mutella-stray tcp -- anywhere hibernia.jakma.org
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level debug prefix `infilter end: '
REJECT all -- anywhere anywhere reject-with icmp-admin-prohibited
I filter out packets from Malaysia and Thailand, as well as incoming
packets to HTTP from one Austrian ISP (they were riddled with HTTP
worms at some stage). I used to filter out Korea and China too, but I
found I needed to download firmware from places there - I intend to
block them again though for non-TCP and TCP+NEW packets.
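The chain layout described above, rebuilt as an added example (not Paul's own script): a 'scans' chain that DROPs common worm-probe ports without logging, an 'ssh-scan' chain that slows repeated new SSH connections, then the rate-limited LOG and REJECT at the end of 'infilter'. The probe port list and the 'recent'-module thresholds are assumptions, as is the dry-run wrapper: IPT defaults to printing each rule, set IPT=iptables (as root) to apply them.

```shell
#!/bin/sh
# Assumed dry-run wrapper: prints rules by default instead of applying them.
IPT="${IPT:-echo iptables}"

build_infilter() {
    for c in infilter scans ssh-scan; do
        $IPT -N "$c" 2>/dev/null || true   # -N fails harmlessly if it exists
        $IPT -F "$c"
    done

    # scans: common MS worm / script-kiddie probe ports (assumed list).
    # Dropped silently so they never reach the logging rule below.
    for p in 135 139 445 1433; do
        $IPT -A scans -p tcp --dport "$p" -j DROP
    done
    for p in 137 138 1434; do
        $IPT -A scans -p udp --dport "$p" -j DROP
    done

    # ssh-scan: assumed mechanism using the 'recent' match; a source that
    # opens more than 4 new SSH connections in 60s is dropped for a while.
    $IPT -A ssh-scan -p tcp --dport 22 -m state --state NEW \
        -m recent --name sshscan --set
    $IPT -A ssh-scan -p tcp --dport 22 -m state --state NEW \
        -m recent --name sshscan --update --seconds 60 --hitcount 4 -j DROP

    # infilter: noise chains first, established traffic accepted, then
    # whatever is left is logged (rate-limited) and rejected.
    $IPT -A infilter -j scans
    $IPT -A infilter -j ssh-scan
    $IPT -A infilter -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A infilter -m limit --limit 10/min --limit-burst 5 \
        -j LOG --log-level debug --log-prefix 'infilter end: '
    $IPT -A infilter -j REJECT --reject-with icmp-admin-prohibited
}

build_infilter
```

Only packets that survive every earlier chain reach the LOG rule, so the 'infilter end:' lines in logwatch are exactly the ones worth a closer look.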
regards,
--
Paul Jakma  paul at clubi.ie  paul at jakma.org  Key ID: 64A2FF6A
Fortune:
Serfs up!
-- Spartacus