On Tue, Jan 23, 2001 at 11:45:28AM -0500, Gord Mc . Pherson wrote:
> Hi,
>
> Perhaps 'iptraf' or 'netwatch' (both available on freshmeat) and 'netstat' could
> be used to identify what/who is generating the traffic on your system. I'd also
> concur with a previous comment about 'portsentry', since it's possible to spoof an
> address and have portsentry block it; it therefore becomes an effective tool for a
> hacker to use as a DoS. For example, I could find out what your ISP's DNS servers
> are, spoof those addresses and have your portsentry block them. This would cut you
> off from the net until you manually corrected it.
Ipchains (and I would assume iptables) has a log feature that will log any
packet that hits any rule with a -l in it. For instance, here was a guy
trying ftp:
Jan 18 15:21:00 marvin kernel: Packet log: input DENY eth1 PROTO=6 213.51.164.222:3336 24.14.189.245:21 L=48 S=0x00 I=15284 F=0x4000 T=117 SYN (#9)
Jan 18 15:21:03 marvin kernel: Packet log: input DENY eth1 PROTO=6 213.51.164.222:3336 24.14.189.245:21 L=48 S=0x00 I=15347 F=0x4000 T=118 SYN (#9)
another trying sunrpc:
Jan 18 22:16:10 marvin kernel: Packet log: input REJECT eth1 PROTO=6 211.116.51.17:2100 24.14.189.245:111 L=60 S=0x00 I=33380 F=0x4000 T=51 SYN (#13)
yet another trying DNS (coming from another DNS server, hrmm):
Jan 23 03:43:00 marvin kernel: Packet log: input DENY eth1 PROTO=6 148.235.3.71:53 24.14.189.245:53 L=40 S=0x00 I=39426 F=0x0000 T=27 SYN (#10)
You get the idea. No special software needed, just good ol' ipchains.
BTW: Could you try to keep lines to <80 characters? (Nevermind the fact that
I just broke that rule with the firewall logs).
--
Jordan Bettis <http://www.hafd.org/~jordanb/>
Showing up is 80% of life.
-- Woody Allen
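As an added example (not part of the original thread), here is a small Python parser for the ipchains "Packet log:" lines shown above. It pulls out chain, target, interface, protocol, addresses, ports, TCP flags and the rule number, then tallies logged packets per source and per (protocol, destination port). It also checks logged sources against a set of addresses you depend on (for example your ISP's resolvers), which is the point made about portsentry earlier in the thread: a hit from such an address deserves a look rather than an automatic block, because the source may be spoofed. The sample log lines, hostnames and addresses are constructed (RFC 5737 documentation ranges) and are not the addresses from the message.

```python
import re
from collections import Counter

# Constructed sample in the ipchains 2.2 "Packet log:" format; the unrelated
# last line shows that non-matching kernel messages are counted, not crashed on.
SAMPLE_LOG = """\
Jan 18 15:21:00 marvin kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.23:3336 203.0.113.9:21 L=48 S=0x00 I=15284 F=0x4000 T=117 SYN (#9)
Jan 18 15:21:03 marvin kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.23:3336 203.0.113.9:21 L=48 S=0x00 I=15347 F=0x4000 T=118 SYN (#9)
Jan 18 22:16:10 marvin kernel: Packet log: input REJECT eth1 PROTO=6 198.51.100.77:2100 203.0.113.9:111 L=60 S=0x00 I=33380 F=0x4000 T=51 SYN (#13)
Jan 23 03:43:00 marvin kernel: Packet log: input DENY eth1 PROTO=6 192.0.2.53:53 203.0.113.9:53 L=40 S=0x00 I=39426 F=0x0000 T=27 SYN (#10)
Jan 23 03:43:05 marvin kernel: Packet log: input DENY eth1 PROTO=17 192.0.2.53:53 203.0.113.9:53 L=40 S=0x00 I=39427 F=0x0000 T=27 (#10)
Jan 23 04:00:00 marvin kernel: some unrelated kernel message
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Field order as ipchains writes it: chain, target, interface, PROTO=,
# src:sport, dst:dport, L= length, S= TOS, I= IP id, F= fragment/flags word,
# T= TTL, optional TCP flag words (e.g. SYN), and the matching rule number.
PACKET_LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)$"
)


def parse_packet_log(line):
    """Return a dict for one ipchains log line, or None if it is not one."""
    m = PACKET_LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    proto = int(d["proto"])
    return {
        "ts": d["ts"], "host": d["host"], "chain": d["chain"],
        "target": d["target"], "iface": d["iface"],
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "ttl": int(d["ttl"]), "flags": d["flags"].split(), "rule": int(d["rule"]),
    }


def summarize(log_text):
    """Count logged packets per source address and per (proto, dport) service."""
    by_source, by_service, unparsed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_packet_log(line)
        if entry is None:
            unparsed += 1
            continue
        by_source[entry["src"]] += 1
        by_service[(entry["proto"], entry["dport"])] += 1
    return {"by_source": by_source, "by_service": by_service, "unparsed": unparsed}


def flag_protected_sources(log_text, protected):
    """Entries whose source is an address we rely on (e.g. ISP resolvers).

    These should be reviewed by a person, not fed to an automatic blocker:
    the source address may be spoofed precisely to get it blocked.
    """
    entries = (parse_packet_log(l) for l in log_text.splitlines())
    return [e for e in entries if e is not None and e["src"] in protected]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, n in summary["by_source"].most_common():
        print(f"{src:16} {n} logged packet(s)")
    for (proto, port), n in sorted(summary["by_service"].items()):
        print(f"{proto}/{port:<6} {n} logged packet(s)")
    print(f"{summary['unparsed']} line(s) were not Packet log entries")
    # Hypothetical resolver address, constructed for the example.
    for e in flag_protected_sources(SAMPLE_LOG, {"192.0.2.53"}):
        print(f"REVIEW: rule #{e['rule']} logged traffic from trusted host {e['src']}")
```

Feed it `grep 'Packet log:' /var/log/messages` output instead of SAMPLE_LOG to get the same per-source and per-service tallies from a real box.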