I'm trying to understand my LEAF log files better. Feel free to point me at
docs or other things I should be reading.
My DachStein firewall is dying every so often (once every few weeks) and I
am wondering whether there is some DoS attack going on - or more likely
just dodgy hardware.
I had to reboot my DachStein machine yesterday but afterwards got this....
Is this someone doing a port scan? It looks like they are only trying a few
ports...
Mar 10 05:38:42 firewall -- MARK --
Mar 10 06:33:48 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:63969 80.1.127.26:23 L=40 S=0x00 I=3717 F=0x0000 T=33 SYN (#39)
Mar 10 06:33:48 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:63969 80.1.127.26:21 L=40 S=0x00 I=2262 F=0x0000 T=33 SYN (#39)
Mar 10 06:33:48 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:63969 80.1.127.26:22 L=40 S=0x00 I=16708 F=0x0000 T=33 SYN (#39)
Mar 10 06:33:49 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:63970 80.1.127.26:23 L=40 S=0x00 I=30406 F=0x0000 T=33 SYN (#39)
Mar 10 06:33:49 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:63970 80.1.127.26:21 L=40 S=0x00 I=36393 F=0x0000 T=33 SYN (#39)
Mar 10 06:33:49 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:63970 80.1.127.26:22 L=40 S=0x00 I=58515 F=0x0000 T=33 SYN (#39)
Mar 10 06:33:49 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:63971 80.1.127.26:23 L=40 S=0x00 I=61644 F=0x0000 T=33 SYN (#39)
Mar 10 06:33:49 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:63971 80.1.127.26:21 L=40 S=0x00 I=15196 F=0x0000 T=33 SYN (#39)
Mar 10 06:33:49 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:63971 80.1.127.26:22 L=40 S=0x00 I=41291 F=0x0000 T=33 SYN (#39)
Mar 10 06:33:50 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:63972 80.1.127.26:22 L=40 S=0x00 I=43047 F=0x0000 T=33 SYN (#39)
Mar 10 06:33:50 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:63972 80.1.127.26:21 L=40 S=0x00 I=24176 F=0x0000 T=33 SYN (#39)
Mar 10 06:33:50 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:63972 80.1.127.26:23 L=40 S=0x00 I=57920 F=0x0000 T=33 SYN (#39)
Mar 10 06:33:51 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:63973 80.1.127.26:22 L=40 S=0x00 I=25069 F=0x0000 T=33 SYN (#39)
Mar 10 06:33:51 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:63973 80.1.127.26:21 L=40 S=0x00 I=42596 F=0x0000 T=33 SYN (#39)
Mar 10 06:33:51 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:63973 80.1.127.26:23 L=40 S=0x00 I=15117 F=0x0000 T=33 SYN (#39)
Mar 10 06:33:51 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:63974 80.1.127.26:22 L=40 S=0x00 I=11636 F=0x0000 T=33 SYN (#39)
Mar 10 06:33:51 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:63974 80.1.127.26:21 L=40 S=0x00 I=42041 F=0x0000 T=33 SYN (#39)
Mar 10 06:33:51 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:63974 80.1.127.26:23 L=40 S=0x00 I=12657 F=0x0000 T=33 SYN (#39)
Presumably restarting syslogd is normal since it has to rotate the logs?
:: messages ::
Mar 10 06:42:07 firewall syslogd 1.3-3#31.slink1: restart.
Mar 10 06:47:03 firewall syslogd 1.3-3#31.slink1: restart.
Mar 10 09:38:42 firewall -- MARK --
Alex McLintock
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
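The post asks how to read the ipchains "Packet log:" lines that a LEAF/Dachstein firewall writes to syslog, and whether a burst of DENY entries against a few ports is a scan. The following is an added example, not part of the mailing-list post or of the LEAF project: a small Python parser for that log format (the field names follow the Linux 2.2 ipchains logging code: L is total IP length, S the TOS byte, I the IP ID, F the fragment word, T the TTL, SYN marks a SYN-only TCP packet, and (#N) is the matching rule number), plus a simple defender-side heuristic that flags a source which hits several distinct destination ports within a short window. The sample log lines, the documentation addresses 192.0.2.x and 198.51.100.x, and the window/threshold defaults are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for a Linux 2.2 ipchains "Packet log:" syslog line, the format LEAF/Dachstein
# firewalls write. After the two address:port pairs the fields are: L= total IP length,
# S= TOS byte, I= IP identification, F= fragment word (flags + offset), T= TTL,
# an optional SYN marker for SYN-only TCP packets, and (#N) the matching rule number.
LOG_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)$"
)

# Constructed sample log, modelled on the post's output (documentation addresses only).
SAMPLE_LOG = """\
Mar 10 05:38:42 firewall -- MARK --
Mar 10 06:33:48 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:63969 198.51.100.5:23 L=40 S=0x00 I=3717 F=0x0000 T=33 SYN (#39)
Mar 10 06:33:48 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:63969 198.51.100.5:21 L=40 S=0x00 I=2262 F=0x0000 T=33 SYN (#39)
Mar 10 06:33:48 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:63969 198.51.100.5:22 L=40 S=0x00 I=16708 F=0x0000 T=33 SYN (#39)
Mar 10 06:33:49 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:63970 198.51.100.5:23 L=40 S=0x00 I=30406 F=0x0000 T=33 SYN (#39)
Mar 10 07:10:02 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.77:1234 198.51.100.5:80 L=48 S=0x00 I=101 F=0x4000 T=115 SYN (#39)
Mar 10 06:42:07 firewall syslogd 1.3-3#31.slink1: restart.
"""


def parse_line(line):
    """Return the fields of one ipchains packet-log line as a dict, or None for any
    other syslog line (-- MARK --, syslogd restarts, and so on)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # syslog stamps carry no year; strptime defaults to 1900, which is good enough for
    # ordering events inside one log file (assumption: the file does not span a year).
    d["time"] = datetime.strptime(re.sub(" +", " ", d["stamp"]), "%b %d %H:%M:%S")
    for k in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        d[k] = int(d[k])
    d["syn"] = d["syn"] is not None
    return d


def find_port_sweeps(lines, window_seconds=60, min_ports=3):
    """Flag each source that touches at least min_ports distinct destination ports
    inside any window_seconds-long interval. Returns {src: sorted distinct ports}.
    A single blocked packet, or slow background noise, never trips the threshold."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_src[ev["src"]].append((ev["time"], ev["dport"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # slide the left edge until the window spans at most window_seconds
            while (events[hi][0] - events[lo][0]).total_seconds() > window_seconds:
                lo += 1
            if len({p for _, p in events[lo:hi + 1]}) >= min_ports:
                flagged[src] = sorted({p for _, p in events})
                break
    return flagged


if __name__ == "__main__":
    for src, ports in find_port_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{src} probed ports {ports} within 60 s")
```

Run against the post's own /var/log/messages by feeding the file's lines to `find_port_sweeps`; a source that cycles through ports 21, 22 and 23 in one second, as in the post, is reported, while the periodic `-- MARK --` and `syslogd ... restart.` lines are ignored. The threshold and window are deliberately loose: a DENY on a handful of ports is routine Internet background noise, and the more useful question for the recurring crashes is whether the log shows anything at all in the minutes before each one.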