Here are my options for running LaBrea with only one IP:
 -i eth0 -l -p 80000 -z -x -F /etc/LaBrea.bpf

It has been a while since I set it up (thanks to Charles' and Simon's help),
but if I remember right, the -x tells LaBrea not to capture an IP for its use.
The -F /etc/LaBrea.bpf setting is just a file it refers to if the assigned IP
from my ISP changes; not too sure if you would need that using DSL.

I've set up LaBrea to monitor anything below port 1025, so it tarpits quite a few
IPs on a daily basis.

Here are a couple of entries in my syslog:
May 5 11:53:42 firewall kernel: Packet log: input DENY eth0 PROTO=6 212.160.139.38:2916 24.118.176.41:21 L=60 S=0x00 I=12455 F=0x4000 T=46 SYN (#67)
May 5 11:53:42 firewall /usr/sbin/LaBrea: Teergrubing: 212.160.139.38 2916 -> 24.118.176.41 21

The first is just a SYN attempt against my firewall, the second is LaBrea kicking
in and "tarpitting" (Teergrubing) the offending IP.

It also does the port 80 thing, which is what LaBrea was made for:
May 5 13:18:06 firewall /usr/sbin/LaBrea: Teergrubing: 24.118.68.34 3941 -> 24.118.176.41 80
May 5 13:19:09 firewall /usr/sbin/LaBrea: Teergrubing: 24.118.178.85 2413 -> 24.118.176.41 80
May 5 13:19:36 firewall /usr/sbin/LaBrea: Teergrubing: 24.118.68.34 4015 -> 24.118.176.41 80
May 5 13:21:06 firewall /usr/sbin/LaBrea: Teergrubing: 24.118.68.34 3916 -> 24.118.176.41 80

There are some messages posted here from earlier this year that give excellent
advice on using LaBrea with one IP.
Try to do a search for them, but if you need further help, yell and I will see what
I can do.
Good Luck,
Steve
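A small parser for the two syslog formats shown in the message above (the kernel packet-log DENY line and LaBrea's "Teergrubing" line), added here as an example and not part of the original thread. The sample lines are constructed from the entries quoted in the message; the function names are the example's own.

```python
import re
from collections import Counter

# Constructed sample, built from the syslog entries quoted in the thread.
SAMPLE_SYSLOG = """\
May 5 11:53:42 firewall kernel: Packet log: input DENY eth0 PROTO=6 212.160.139.38:2916 24.118.176.41:21 L=60 S=0x00 I=12455 F=0x4000 T=46 SYN (#67)
May 5 11:53:42 firewall /usr/sbin/LaBrea: Teergrubing: 212.160.139.38 2916 -> 24.118.176.41 21
May 5 13:18:06 firewall /usr/sbin/LaBrea: Teergrubing: 24.118.68.34 3941 -> 24.118.176.41 80
May 5 13:19:09 firewall /usr/sbin/LaBrea: Teergrubing: 24.118.178.85 2413 -> 24.118.176.41 80
May 5 13:19:36 firewall /usr/sbin/LaBrea: Teergrubing: 24.118.68.34 4015 -> 24.118.176.41 80
May 5 13:21:06 firewall /usr/sbin/LaBrea: Teergrubing: 24.118.68.34 3916 -> 24.118.176.41 80
"""

IP = r"\d+\.\d+\.\d+\.\d+"
TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"

# "<ts> <host> /usr/sbin/LaBrea: Teergrubing: <src> <sport> -> <dst> <dport>"
TEERGRUB_RE = re.compile(
    TS + r" \S+ \S*LaBrea: Teergrubing: "
    r"(?P<src>" + IP + r") (?P<sport>\d+) -> (?P<dst>" + IP + r") (?P<dport>\d+)\s*$")

# "<ts> <host> kernel: Packet log: input DENY <if> PROTO=6 <src>:<sport> <dst>:<dport> ..."
DENY_RE = re.compile(
    TS + r" \S+ kernel: Packet log: \S+ DENY \S+ PROTO=6 "
    r"(?P<src>" + IP + r"):(?P<sport>\d+) (?P<dst>" + IP + r"):(?P<dport>\d+)")


def parse_syslog(text):
    """Split syslog text into (tarpits, denies): lists of dicts with ts/src/sport/dst/dport."""
    tarpits, denies = [], []
    for line in text.splitlines():
        m = TEERGRUB_RE.match(line)
        if m:
            tarpits.append(m.groupdict())
            continue
        m = DENY_RE.match(line)
        if m:
            denies.append(m.groupdict())
    return tarpits, denies


def summarize(tarpits):
    """Count tarpitted connections per destination port and per source address."""
    return Counter(t["dport"] for t in tarpits), Counter(t["src"] for t in tarpits)


def denied_and_tarpitted(tarpits, denies):
    """Connections the firewall logged as DENY that LaBrea also tarpitted:
    confirms the tarpit still saw the SYN that the firewall dropped."""
    keys = {(d["src"], d["sport"], d["dport"]) for d in denies}
    return [t for t in tarpits if (t["src"], t["sport"], t["dport"]) in keys]
```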


On Sun, 5 May 2002 07:11:41 -0700 (PDT)
Jabez McClelland <[EMAIL PROTECTED]> wrote:

> OK, I opened port 80.  Now I get the following log
> action:
> 
> May 5 06:12:49 firewall sh-httpd[2284]: refused
> connect from dsl092-171-025.wdc1.dsl.speakeasy.net
> May 5 06:12:54 firewall sh-httpd[2285]: refused
> connect from dsl092-171-025.wdc1.dsl.speakeasy.net
> May 5 06:13:03 firewall sh-httpd[2286]: refused
> connect from dsl092-171-025.wdc1.dsl.speakeasy.net
> 
> I think I understand now, and I believe I'm trying to
> do something dumb. I am just a lowly home DSL customer
> with a single external IP.  Now I'm thinking that
> LaBrea needs spare EXTERNAL IP addresses to do
> anything.  That is, it needs to see incoming traffic
> on an external (real world) IP that is assigned to me,
> but I'm not using.  I think the only traffic coming
> down my DSL line is directed at my single IP.   Is
> this correct?  I was thinking before that LaBrea could
> work with all my internal 192.168.1.xxx IPs, but maybe
> not... 
> 
> Jabez
> 
> > Jabez:
> > 
> >     Easy to do: you can adjust your firewall ruleset to
> > let those packets destined for a webserver (ie, TCP-port 80)
> > "in". So, have the LEAF disk ACCEPT those packets, and let
> > LaBrea tarpit them. Alternatively, to keep your LEAF disk
> > lean, port-forward its port 80 to port 80 on an internal
> > machine that you have running LaBrea. Same effect...
> > 
> >     Since LaBrea is the only thing that receives the
> > data connection, your overall security hit is reduced to the
> > security of LaBrea. Which, in my understanding, has been
> > pretty well scrutinized.
> > 
> >     Kinda fun, in a way. :)
> > 
> > -Scott
> > 
> > 
> > On Fri, 3 May 2002, Jabez McClelland wrote:
> > 
> > >
> > > --- "Scott C. Best" wrote:
> > > > Jabez:
> > > >
> > > >         Heya. As you probably know, that log looks like a
> > > > CodeRed worm (an IIS web-server virus from early
> > > > last year).
> > > > It also looks like your firewall is simply blocking this
> > > > packet before any other process can see it,
> > > > including LaBrea.
> > > > This seems to me a Good Thing. :)
> > > >
> > >
> > > Thanks, Scott, for responding...
> > >
> > > Yes I suppose it's a good thing - but an even better
> > > thing would be if LaBrea could catch that worm and
> > > hold onto it for some time, like it's supposed to do.
> > > Maybe the trick is to open up the firewall rules in
> > > order to get LaBrea to do its job?  Nothing in the
> > > docs about that...
> > >
> > > Jabez
> > >
> 
> 
> 
> _______________________________________________________________
> 
> Have big pipes? SourceForge.net is looking for download mirrors. We supply
> the hardware. You get the recognition. Email Us: [EMAIL PROTECTED]
> 
> ------------------------------------------------------------------------
> leaf-user mailing list: [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
