Robert Moskowitz wrote:
I have set my default rule to log info. I am seeing lots of probes on TCP port 22 and UDP port 1434. Does it make sense to put in specific rules to just drop these on the floor? I have mapped my SSH to a different port number.
Configuring port-specific DROP rules is an option. I personally use another option for reducing log pollution:
/etc/shorewall/shorewall.conf:
BLACKLIST_LOGLEVEL=''
/etc/shorewall/blacklist:
- udp 1024:1033,1434
- tcp 57,1433,1434,2401,2745,3127,3306,3410,48
/etc/shorewall/interfaces:
net ${EXT_IF} detect logmartians=1,blacklist
Rather than configuring a non-standard port for SSH, I prefer to use the
Limit action (see http://www1.shorewall.net/PortKnocking.html#Limit) to
control SSH noise; consequently, I don't blacklist TCP port 22. I also
enforce the use of shared keys for SSH authentication.
-Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ [EMAIL PROTECTED] PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------- Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
