On Tue, Jan 08, 2008 at 07:38:28AM -0800, Tom Eastep wrote:
> Robert Moskowitz wrote:
>> I have set my default rule to log info. I am seeing lots of probes on TCP
>> port 22 and UDP port 1434. Does it make sense to put in specific rules to
>> just drop these on the floor? I have mapped my SSH to a different port
>> number.
>
> Configuring port-specific DROP rules is an option.

You can also simply not bother logging rejected connections. It's not really very interesting to know about all the attacks made on services that you aren't even running. It's pretty much all Windows worms anyway (except for the port 22 stuff, which is a botnet running dictionary attacks against ssh servers on every internet-connected host - it's been around for about five years now, consider it a lesson in why you should not create a user 'guest' with a password 'guest'). It would be rather more useful to log accepted connections instead of rejected ones. But if you're inclined to do that, you should run snort instead.
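
An added illustration of the options discussed in this thread, not taken from either poster's configuration: Shorewall evaluates the rules file before falling through to the policy, so DROP rules without a log level silence the port 22 and 1434 probes while the default policy keeps logging everything else. The zone names `net` and `$FW` and the alternate SSH port 2222 are assumptions.

```conf
# /etc/shorewall/policy  (assumed two-zone setup: net = internet, $FW = firewall)
#SOURCE   DEST   POLICY   LOG LEVEL
net       all    DROP     info       # default: drop and log at info

# /etc/shorewall/rules
#ACTION        SOURCE   DEST   PROTO   DEST PORT(S)
# No log level on these, so matching probes are dropped silently
DROP           net      $FW    tcp     22
DROP           net      $FW    udp     1434
# Log accepted connections to the relocated SSH port (2222 is a placeholder)
ACCEPT:info    net      $FW    tcp     2222
```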
