Re: iptable log-message

At 8:08 PM -0700 5/27/07, jdow wrote:
>From: "Tim" <ignored_mailbox@xxxxxxxxxxxx>
>> Harald Hoyer
>>>>> ------- iptables firewall Begin --------
>>>>>
>>>>>  Logged 171 packets on interface eth0
>>>>>    From 137.227.xxx.xxx - 171 packets to tcp(N1,N2,N3,...,Nn)
>> 
>> 
>> jdow:
>>> The log message suggests that iptables is already dropping or
>>> rejecting the packets and logging them.
>> 
>> Not intuitively...  That says it logged them, it doesn't explicitly say
>> it's logged prevented connections.  It'd be less worrying for people if
>> it said "logged and dropped packets," or words to that effect.  For all
>> you know, it's logged something unusual that *happened*.
>> 
>> -- 
>> (This box runs FC6, my others run FC4 & FC5, in case that's
>> important to the thread.)
>
>That depends on the way the firewall is setup. Mine, which is a roll
>your own firewall, ends up looking like this:
>
> Logged 472 packets on interface eth1
>   From 8.36.154.121 - 1 packet to udp(1026) 
>   From 12.129.147.9 - 6 packets to udp(33436) 
>   From 22.157.218.75 - 1 packet to udp(1026) 
>....
>
>Those are all dropped and logged.
 ...

Mine say "Rejected".  I use these IPTables rules:

># Record every new TCP connection attempt (SYN) to ports 21-22 (FTP and SSH) in the "sshattack" recent list
>-A RH-Firewall-1-INPUT -p tcp --syn --dport 21:22 -m recent --name sshattack --set
># Once a source has 4 or more hits in the last 60 s, log it; -m limit with no arguments uses its defaults (3/hour, burst 5) so the log cannot be flooded
>-A RH-Firewall-1-INPUT -p tcp --dport 21:22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH REJECT: "
># LOG is non-terminating, so a separate rule with the same match is needed to actually drop the packet
>-A RH-Firewall-1-INPUT -p tcp --dport 21:22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 4 -j DROP

With them, my LogWatch reports say things like:

> --------------------- Kernel Begin ------------------------ 
>
>
>Rejected 6 packets on interface eth0
>  From 88.193.244.106 - 3 packets to tcp(22)
>  From 220.228.254.42 - 3 packets to tcp(22)
>
> ---------------------- Kernel End ------------------------- 

Or the section name may be "iptables firewall".

>
>
> --------------------- pam_unix Begin ------------------------ 
>
>sshd:
>   Authentication Failures:
>      unknown (220.228.254.42): 3 Time(s)
>      unknown (dsl-ssg2-fff4c100-106.dhcp.inet.fi): 3 Time(s)
>   Invalid Users:
>      Unknown Account: 6 Time(s)
>
>
> ---------------------- pam_unix End ------------------------- 
 ...

There's also a longish SSHD section.  I don't get much use out of the SSHD
section, or even the pam_unix section.
-- 
____________________________________________________________________
TonyN.:'                       <mailto:tonynelson@xxxxxxxxxxxxxxxxx>
      '                              <http://www.georgeanelson.com/>
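The thread turns on how the "Logged"/"Rejected" summary lines get their wording from the kernel LOG output. The following script is an added example, not code from this thread or from LogWatch: it parses syslog lines in the netfilter LOG target's `IN=... SRC=... PROTO=... DPT=...` format and prints a summary in the same shape as the reports quoted above. The sample log lines are constructed for the example, and the rule that a `--log-prefix` containing REJECT, DROP, DENY or BLOCK yields "Rejected" while anything else yields "Logged" is an assumption made here, not LogWatch's documented behaviour.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in the netfilter LOG target's format.
# Hostname, addresses and timestamps are invented for this example, not real traffic.
# The first six carry the "SSH REJECT: " prefix from a rule like the one in the post,
# the seventh comes from a rule with no prefix, and the last is not a kernel line at all.
SAMPLE_LOG = """\
May 27 20:08:01 fc6box kernel: SSH REJECT: IN=eth0 OUT= SRC=88.193.244.106 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=101 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 27 20:08:02 fc6box kernel: SSH REJECT: IN=eth0 OUT= SRC=88.193.244.106 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=102 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 27 20:08:03 fc6box kernel: SSH REJECT: IN=eth0 OUT= SRC=88.193.244.106 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=103 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 27 21:15:10 fc6box kernel: SSH REJECT: IN=eth0 OUT= SRC=220.228.254.42 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=201 DF PROTO=TCP SPT=50001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 27 21:15:11 fc6box kernel: SSH REJECT: IN=eth0 OUT= SRC=220.228.254.42 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=202 DF PROTO=TCP SPT=50002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 27 21:15:12 fc6box kernel: SSH REJECT: IN=eth0 OUT= SRC=220.228.254.42 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=203 DF PROTO=TCP SPT=50003 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 27 22:01:00 fc6box kernel: IN=eth0 OUT= SRC=8.36.154.121 DST=10.0.0.5 LEN=404 TOS=0x00 PREC=0x00 TTL=112 ID=301 PROTO=UDP SPT=1026 DPT=1026 LEN=384
May 27 22:01:05 fc6box sshd[1234]: Accepted publickey for tony from 10.0.0.9 port 55555 ssh2
"""

# Everything between "kernel:" and the first "IN=" token is the --log-prefix (possibly empty).
LOG_RE = re.compile(r'kernel:\s*(?P<prefix>.*?)\s*(?P<fields>\bIN=.*)$')

# Assumption for this example: a prefix containing one of these words means the rule set
# is refusing the traffic, so the summary says "Rejected" instead of the neutral "Logged".
REJECT_WORDS = re.compile(r'reject|drop|deny|block', re.I)


def verb_for(prefix):
    """Choose the summary heading from the --log-prefix text (heuristic, see above)."""
    return "Rejected" if REJECT_WORDS.search(prefix) else "Logged"


def parse_line(line):
    """Return a dict for a netfilter LOG line, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Drop a leading "[12345.678]" printk timestamp if the syslog daemon kept one.
    prefix = re.sub(r'^\[\s*\d+\.\d+\]\s*', '', m.group('prefix')).rstrip(':').strip()
    # KEY=VALUE tokens become a dict; bare flags such as DF and SYN are skipped.
    fields = dict(tok.split('=', 1) for tok in m.group('fields').split() if '=' in tok)
    if not all(k in fields for k in ('IN', 'SRC', 'PROTO')):
        return None
    proto = fields['PROTO'].lower()
    dport = fields.get('DPT')          # absent for ICMP and other port-less protocols
    return {
        'verb': verb_for(prefix),
        'prefix': prefix,
        'iface': fields['IN'] or '?',
        'src': fields['SRC'],
        'target': f"{proto}({dport})" if dport else proto,
    }


def summarize(text):
    """Group packets by (verb, interface), then by (source, proto(port)); returns nested counters."""
    summary = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            summary[(rec['verb'], rec['iface'])][(rec['src'], rec['target'])] += 1
    return summary


def plural(n):
    return "packet" if n == 1 else "packets"


def render(summary):
    """Format the counters in the same layout as the report quoted in the thread."""
    out = []
    for verb, iface in sorted(summary):
        counts = summary[(verb, iface)]
        total = sum(counts.values())
        out.append(f"{verb} {total} {plural(total)} on interface {iface}")
        # Busiest sources first, then by address for a stable order.
        for (src, target), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
            out.append(f"  From {src} - {n} {plural(n)} to {target}")
        out.append("")
    return "\n".join(out).rstrip("\n")


if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG)))
```

Run against the constructed input it prints a "Rejected 6 packets on interface eth0" block for the two prefixed sources and a separate "Logged 1 packet" block for the unprefixed UDP hit, which is the distinction the thread is arguing about: the heading only tells you about the prefix the LOG rule used, not by itself whether a DROP or REJECT rule followed it.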

