> I am wondering what could I use as an unused IP for LaBrea? Is it possible to use a class C number, i.e. 192.168.x.x? I only receive one IP from AT$T to connect to the net, so I was thinking maybe I could hook up a spare computer to the network behind the LRP (DCD v1.0.2) box, and let some of those annoying port 80 machines come in and get tar-pitted. Thing is, I have been sending my logs to AT$T and complaining about them weekly now for about a month. Seems some of the IPs from AT$T have been taken care of but I am still receiving hundreds of entries in the logs on a daily routine. Of course I could also just stop logging those messages as well. Just thought I would be a nice guy and keep AT$T informed - seems they do not care!
>
> Anybody using LaBrea like this or know a way I could use it with 1 IP? Thanks for any guidance.
> Steve
If you want to run LaBrea using a private space IP, you'll probably need another Dachstein system to run it on. Then just stick it on your internal network, and port-forward anything you want blocked to an unused IP on the internal net. This is not a particularly clean solution, but may be easiest if you don't understand netfilter rules, and have an extra machine handy. You also have less chance of messing anything up this way, since LaBrea is not directly connected to your upstream link...

The cleaner way to do this is to set up LaBrea to listen on your external IP. Any traffic that is DENIED by the firewall rules can be captured by LaBrea, but you have to write filter rules for it. I experimented some with this, but never got something I'd be happy packaging.

PLEASE NOTE: LaBrea is an advanced networking tool, that talks *DIRECTLY* to the network, and can potentially be VERY DANGEROUS to properly operating networks. Please *DO NOT* run LaBrea if you don't feel comfortable you've got a reasonable understanding of how it works. Remember, LaBrea is a tool to annoy port-scanners, which it does a very good job at. A bit of mis-application, however, and you could inadvertently kill access to a good chunk of your cable-modem segment, possibly keeping your friends and neighbors offline until a cable-modem technician figures out he needs to flush the arp-cache on your head-end router...anyone want to bet on exactly how long that might take?

With the disclaimer out of the way, the basic procedure would be:

- Configure LaBrea to *NOT* capture IP addresses (you've only got a single IP anyway, and while those on cable-modems might be able to grab additional IPs, you should play nice with your neighbors and the cable company, and grabbing extra IPs (even for tarpitting) would probably violate your terms of use). Use the -x switch for LaBrea to disable IP address capturing.

- Stop the interface from running in promiscuous mode. Edit /etc/init.d/LaBrea, and add a minus "-" in front of the promisc flag for the ifconfig command. It should now read: "ifconfig eth0 -promisc"

- Write a BPF (Berkeley Packet Filter) ruleset for the packets you want LaBrea to see (and hence respond to). The traffic you want processed by LaBrea should meet the following criteria:
  * Destined to your public IP
  * TCP traffic
  * Inbound packets will be *DENIED* by firewall rules

For normal Dachstein systems, all "low" TCP ports (i.e. ports between 0 and 1023 inclusive) meet this criteria, unless there are some you're actually using (i.e. port-forwarding www, smtp, ssh, etc.). A BPF file that does this would be:

    dst host 1.2.3.4
    and tcp[2:2] & 0xfc00 == 0
    and not dst port (ssh or ftp or www)

The first line matches your IP address (set 1.2.3.4 to whatever your IP address is...you'll have to use a script to generate the BPF file if your IP is dynamic). The second line matches all "low" TCP ports (i.e. the destination port field of the TCP header is less than 1024). This rule also matches only TCP traffic, since we specified a field in a TCP header. The third rule prevents any expected traffic from being matched, allowing port-forwarded services to work properly. If you're not running any services you can delete the last line...if you *ARE* running services, make sure each is properly listed or strange things will happen. This example system is running an ssh, ftp, and web server. Note you can also use port-numbers...i.e. (22 or 21 or 80) is identical to the above (ssh or ftp or www).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user