iptable log-message
Tony Nelson
tonynelson at georgeanelson.com
Mon May 28 17:25:39 UTC 2007
At 8:08 PM -0700 5/27/07, jdow wrote:
>From: "Tim" <ignored_mailbox at yahoo.com.au>
>> Harald Hoyer
>>>>> ------- iptables firewall Begin --------
>>>>>
>>>>> Logged 171 packets on interface eth0
>>>>> From 137.227.xxx.xxx - 171 packets to tcp(N1,N2,N3,...,Nn)
>>
>>
>> jdow:
>>> The log message suggests that iptables is already dropping or
>>> rejecting the packets and logging them.
>>
>> Not intuitively... That says it logged them, it doesn't explicitly say
>> it's logged prevented connections. It'd be less worrying for people if
>> it said "logged and dropped packets," or words to that effect. For all
>> you know, it's logged something unusual that *happened*.
>>
>> --
>> (This box runs FC6, my others run FC4 & FC5, in case that's
>> important to the thread.)
>
>That depends on the way the firewall is setup. Mine, which is a roll
>your own firewall, ends up looking like this:
>
> Logged 472 packets on interface eth1
> From 8.36.154.121 - 1 packet to udp(1026)
> From 12.129.147.9 - 6 packets to udp(33436)
> From 22.157.218.75 - 1 packet to udp(1026)
>....
>
>Those are all dropped and logged.
...
Mine say "Rejected". I use these IPTables rules:
>-A RH-Firewall-1-INPUT -p tcp --syn --dport 21:22 -m recent --name sshattack --set
>-A RH-Firewall-1-INPUT -p tcp --dport 21:22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH REJECT: "
>-A RH-Firewall-1-INPUT -p tcp --dport 21:22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 4 -j DROP
With them, my LogWatch reports say things like:
> --------------------- Kernel Begin ------------------------
>
>
>Rejected 6 packets on interface eth0
> From 88.193.244.106 - 3 packets to tcp(22)
> From 220.228.254.42 - 3 packets to tcp(22)
>
> ---------------------- Kernel End -------------------------
Or the section name may be "iptables firewall".
>
>
> --------------------- pam_unix Begin ------------------------
>
>sshd:
> Authentication Failures:
> unknown (220.228.254.42): 3 Time(s)
> unknown (dsl-ssg2-fff4c100-106.dhcp.inet.fi): 3 Time(s)
> Invalid Users:
> Unknown Account: 6 Time(s)
>
>
> ---------------------- pam_unix End -------------------------
...
There's also a longish SSHD section. I don't get much use out of the SSHD
section, or even the pam_unix section.
--
____________________________________________________________________
TonyN.:' <mailto:tonynelson at georgeanelson.com>
' <http://www.georgeanelson.com/>
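An added example, not from this thread or from Tony's setup, that models the two things the quoted rules do: the `-m recent --set` / `--rcheck --seconds 60 --hitcount 4` pair decides which SYNs get logged and dropped, and the LOG target then emits a kernel line that a report tool groups per source and port. The sample kernel lines below are constructed (the `IN= OUT= SRC= ... PROTO= DPT=` field layout is netfilter's standard LOG format; addresses, timestamps and host name are made up), and the `recent` simulation assumes the real module's behaviour of counting the current packet's own timestamp, set by the preceding `--set` rule. The point Tim raises is visible in the output: the only thing that tells you the packet was dropped is the `--log-prefix` text you chose, since a LOG line itself carries no verdict.

```python
import re
from collections import Counter, defaultdict


def recent_rcheck(syns, seconds=60, hitcount=4):
    """Return the SYNs that `--rcheck --seconds N --hitcount M` would match.

    `syns` is a time-ordered list of (timestamp_seconds, source_ip).  The
    preceding `--set` rule records every SYN, so the current packet's own
    timestamp counts; the check fires once a source has at least `hitcount`
    SYNs inside the last `seconds`.  (The kernel module also caps how many
    timestamps it keeps per address; that cap is ignored in this model.)
    """
    history = defaultdict(list)          # source_ip -> timestamps from --set
    matched = []
    for ts, src in syns:
        history[src].append(ts)          # the --set rule, hit on every SYN
        recent = [t for t in history[src] if ts - t <= seconds]
        if len(recent) >= hitcount:      # the --rcheck rule
            matched.append((ts, src))
    return matched


# Netfilter LOG layout: "<prefix>IN=.. OUT=.. SRC=.. DST=.. ... PROTO=.. SPT=.. DPT=.."
LOG_RE = re.compile(
    r"kernel: (?P<prefix>.*?)IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) .*?"
    r"PROTO=(?P<proto>\S+)(?: .*?DPT=(?P<dport>\d+))?"
)


def parse_log_line(line):
    """Extract prefix, interface, source, protocol and destination port."""
    m = LOG_RE.search(line)
    if not m:
        return None                      # not a netfilter LOG line
    rec = m.groupdict()
    rec["prefix"] = rec["prefix"].strip()
    rec["proto"] = rec["proto"].lower()  # kernel prints TCP, reports print tcp
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def summarise(lines):
    """Count packets per (prefix, interface) and, within that, per (src, proto, dport)."""
    totals = Counter()
    per_source = defaultdict(Counter)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        key = (rec["prefix"], rec["iface"])
        totals[key] += 1
        per_source[key][(rec["src"], rec["proto"], rec["dport"])] += 1
    return totals, per_source


def render(lines):
    """Lay the counts out like the report quoted in the thread.  The leading
    word is taken from the rule's --log-prefix; the LOG line never records
    whether a later rule dropped the packet."""
    totals, per_source = summarise(lines)
    out = []
    for (prefix, iface), n in sorted(totals.items()):
        out.append(f"{prefix} {n} packets on interface {iface}")
        for (src, proto, dport), c in sorted(per_source[(prefix, iface)].items()):
            port = f"{proto}({dport})" if dport is not None else proto
            out.append(f" From {src} - {c} packets to {port}")
    return "\n".join(out)


# Constructed sample: six lines from the "SSH REJECT: " rule plus one unrelated kernel line.
def _syn_line(src, ident):
    return (f"May 28 03:14:{ident:02d} host kernel: SSH REJECT: IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=192.0.2.10 "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID={ident} DF PROTO=TCP "
            f"SPT={40000 + ident} DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0")


SAMPLE_LINES = (
    [_syn_line("88.193.244.106", i) for i in range(1, 4)]
    + [_syn_line("220.228.254.42", i) for i in range(4, 7)]
    + ["May 28 03:15:00 host kernel: eth0: link is up"]
)

if __name__ == "__main__":
    # Source A sends 5 SYNs in 40 s: the 4th and 5th trip the rcheck.
    # Source B sends 4 SYNs 70 s apart: never 4 inside one 60 s window.
    syns = [(0, "A"), (0, "B"), (10, "A"), (20, "A"), (30, "A"), (40, "A"),
            (70, "B"), (140, "B"), (210, "B")]
    print("logged+dropped:", recent_rcheck(syns))
    print(render(SAMPLE_LINES))
```

Run it as a script to see both the rcheck decisions and the report-style summary; `recent_rcheck` is the part to change if you want to see how `--seconds` or `--hitcount` alters which retries get logged.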