Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

Iptables/FW och min /var/log/ipt.log
 View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Scandinavian
View previous topic :: View next topic  
Author Message
patrix_neo
Guru
Guru


Joined: 08 Jan 2004
Posts: 520
Location: The Maldives
PostPosted: Fri Nov 26, 2004 9:57 pm    Post subject: Iptables/FW och min /var/log/ipt.log Reply with quote
Hej! Ett delikat problem för någon att tyda... jag har följande LOG-regler i mina iptables:

Code:
# LOG bad TCP packets:
# ALL without FIN,URG,PSH bit set == BAD
$IPTABLES -A INPUT -i $INETIF -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "FW_BADTCP:"


och jag får följande i min /var/log/ipt.log:
Code:

Nov 26 08:46:00 as8-6-1 FW_BADTCP:IN=eth0 OUT= MAC=00:20:af:be:72:d3:00:20:1a:10:cf:5c:08:00 SRC=62.168.112.124 DST=217.215.148.17 LEN=40 TOS=0x00 PREC=0x00 TTL=107 ID=46100 DF PROTO=TCP SPT=1054 DPT=6881 WINDOW=65535 RES=0x04 ECE URG RST SYN FIN URGP=0
Nov 26 08:46:00 as8-6-1 FW_BADTCP:IN=eth0 OUT= MAC=00:20:af:be:72:d3:00:20:1a:10:cf:5c:08:00 SRC=62.168.112.124 DST=217.215.148.17 LEN=40 TOS=0x00 PREC=0x00 TTL=107 ID=46100 DF PROTO=TCP SPT=1054 DPT=6881 WINDOW=65535 RES=0x04 ECE URG RST SYN FIN URGP=0


Är det någon som kan förklara detta? :oops:

Vad jag fattat det som är detta en mer 'listig' attack och undrar om jag skall flitrera adressen som "svartlistad host" ?
Sedermera så fattar jag att han har följande MAC-adress: 00:20:1a:10:cf:5c:08:00. Är ju bra om man skall svartlista "badguys" ?

För den med syslog-ng så har jag följande syntax för att logga mina ipt_LOG regler:
Code:

destination ipt_log { file("/var/log/ipt.log"); };
destination ipt_console { file("/dev/tty11"); };
#filter iptables { match("FW_BADTCP:"); };
filter ipt_log { program(iptables); };
filter ipt_log { match("FW_BADTCP:"); };
filter messages { not match("FW_BADTCP:"); };
#log { source(src); filter(iptables); destination(ipt_log); destination(ipt_console); };
log { source(src); filter(ipt_log); destination(ipt_log); destination(ipt_console); };


Om dom är så smidiga är en annan femma, men någonstans ska man börja också. :)

[edit: ändrade MAC-adress]
_________________
Life is a fog where some thinks to know where to go
To make an error is human, letting it be is the error.
Deus Vult
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Scandinavian All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2025 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy