Hello, I'm back. Perhaps against Charles Steinkuehler's advice (since I'm a bit of a packet filter newbie) but with Steve Jeppesen's recommendation to browse the archives of this list, I have LaBrea up and running on a single IP as follows:
1. edit /etc/init.d/LaBrea to run LaBrea with options -i eth0 -l -p 80000 -z -x -F /etc/Labrea.bpf

2. create file /etc/LaBrea.bpf containing

       dst host my.ext.IP.no and tcp[2:2] & 0xfc00 == 0

   which supposedly limits LaBrea only to tcp packets directed at my IP between ports 0 and 1024 (I am not forwarding or running any services)

3. Let LaBrea go out of promiscuous mode by commenting out the call to ifconfig in /etc/init.d/LaBrea.

It seems to work. I get "Teergrubing ..." messages in syslog, followed by a slew of denied attempts from the teergrubed IP.

Problem is, these are getting out of hand. My logs are getting horribly choked - /var/log/messages easily gets up to a Mb in a few hours. There is one pernicious machine at 66.100.24.173 that has been hitting me on port 80 every few seconds all weekend. At least once my LEAF ram disk has filled up and the system spontaneously rebooted.

I'm thinking my valiant little firewall (486, 16Mb RAM) may not really be suited to tackle these nasty worms and such, and I should go back to just ignoring the junk out there.

Which brings me to a thought: This seems to be a way for worm authors to fight back at packages like LaBrea - just keep filling up the logs till the system chokes. Perhaps they've already figured this out!? Or maybe someone is making a conscious denial of service attack on me because of my tarpit...

Any thoughts? Are there ways to cut down on LaBrea's activity? Clearly it would help a lot if I excluded port 80, but then there wouldn't be much point, would there?

Jabez
leaf-user mailing list: https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
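The log-flooding problem Jabez describes (one syslog line per probe from a persistent scanner until the ramdisk fills) is usually handled by collapsing per-packet lines into per-source summaries and capping how many lines any one source may emit. The script below is an added example written for this thread, not LaBrea's or LEAF's own code. It assumes a "Teergrubing: src sport -> dst dport" wording for LaBrea's notices and an ipchains-style "Packet log: ... DENY ..." line for the denied packets; both formats and all addresses in SAMPLE_LOG are constructed for the example, so the two regexes should be adapted to what a given firewall actually writes.

```python
"""Summarize LaBrea tarpit activity from syslog and rate-limit it per source
(added example for the leaf-user thread; not LaBrea's own code)."""
import re
from collections import Counter, defaultdict

# Constructed sample log lines. The "Teergrubing:" wording and the
# ipchains-style "Packet log ... DENY" format are assumptions; adapt the
# regexes below to the lines your own firewall writes.
SAMPLE_LOG = """\
Mar 11 02:14:07 fw LaBrea: Teergrubing: 66.100.24.173 1234 -> 192.0.2.10 80
Mar 11 02:14:09 fw kernel: Packet log: input DENY eth0 PROTO=6 66.100.24.173:1235 192.0.2.10:80
Mar 11 02:14:12 fw kernel: Packet log: input DENY eth0 PROTO=6 66.100.24.173:1236 192.0.2.10:80
Mar 11 02:14:15 fw kernel: Packet log: input DENY eth0 PROTO=6 66.100.24.173:1237 192.0.2.10:80
Mar 11 02:20:41 fw LaBrea: Teergrubing: 198.51.100.7 40001 -> 192.0.2.10 445
Mar 11 02:20:43 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:40002 192.0.2.10:445
Mar 11 02:21:00 fw cron[311]: (root) CMD (run-parts /etc/cron.hourly)
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
TEERGRUB_RE = re.compile(r"Teergrubing: " + IPV4 + r" (\d+) -> " + IPV4 + r" (\d+)")
DENY_RE = re.compile(r"DENY \S+ PROTO=6 " + IPV4 + r":(\d+) " + IPV4 + r":(\d+)")


def parse_line(line):
    """Return (kind, src_ip, dst_port) for a tarpit or deny line, else None."""
    m = TEERGRUB_RE.search(line)
    if m:
        return ("teergrub", m.group(1), int(m.group(4)))
    m = DENY_RE.search(line)
    if m:
        return ("deny", m.group(1), int(m.group(4)))
    return None


def summarize(lines):
    """Collapse per-packet lines into one record per source address."""
    per_src = defaultdict(lambda: {"teergrub": 0, "deny": 0, "ports": Counter()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated syslog traffic (cron, etc.)
        kind, src, port = parsed
        per_src[src][kind] += 1
        per_src[src]["ports"][port] += 1
    return dict(per_src)


def top_sources(summary, n=5):
    """Sources ordered by total tarpit+deny events, most active first."""
    ranked = sorted(summary.items(),
                    key=lambda kv: kv[1]["teergrub"] + kv[1]["deny"],
                    reverse=True)
    return [(src, rec["teergrub"] + rec["deny"]) for src, rec in ranked[:n]]


class PerSourceLogLimiter:
    """Pass the first `limit` events from each source, then drop the rest.

    The same idea expressed in the packet filter's own logging rules keeps one
    persistent scanner from filling a ramdisk while still recording that it
    appeared and which port it wanted.
    """

    def __init__(self, limit=5):
        self.limit = limit
        self.seen = Counter()

    def allow(self, src):
        self.seen[src] += 1
        return self.seen[src] <= self.limit


def filter_log(lines, limit=2):
    """Return the lines that survive per-source rate limiting; non-matching
    lines are always kept."""
    limiter = PerSourceLogLimiter(limit)
    kept = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or limiter.allow(parsed[1]):
            kept.append(line)
    return kept


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, total in top_sources(summarize(lines)):
        print(f"{src:15} {total} events")
    print(f"{len(lines)} lines in, {len(filter_log(lines))} lines out")
```

Run against the sample, the single persistent host accounts for four of the six tarpit-related lines, and a per-source cap of two trims the log from seven lines to five without losing the fact that either scanner was seen or which port it probed.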
