[Dshield] Question about logging from Linux and security newbie

Johannes Ullrich jullrich at euclidian.com
Tue Oct 22 04:55:41 GMT 2002


 
> The first thing that happened is that my log started filling up with all
> sorts of broadcast and multicast stuff...

Post a few packets to this list. Cable modems in particular send multicast
packets. While there is no harm in rejecting them, you don't need to log
them either.
  
> First, is there a security concern from any of this? 

Multicast and broadcasts can be used for DDoS attacks (e.g. it appears
that last evening's DDoS against the root name servers used 'smurf').
I usually drop any ICMP on my firewall. The question is how much of it
you want to log. For my personal firewall:

- log every dropped packet, but use the 'log-prefix' to classify them.
- use 'swatch' to alert me only on certain categories. I start out
  with 'everything' and add 'ignore' filters as I get sick of certain
  alerts.
  
> If not, how do I drop it so my logs don't fill up and I can start
> submitting again without the clutter?

What are your rules right now? By default, packets are dropped without
logging. BTW: Logging is very helpful to debug problems, which is
why I log everything.



-- 
--------------------------------------------------------------------
jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
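Added example, not part of Johannes' message or of the DShield project: the setup he describes, as it would look on a Linux 2.4 iptables firewall, plus a swatch-style filter that alerts on every dropped packet and lets you mute whole classes as they turn out to be noise. The FW-* prefix names, the eth0 interface and the kernel log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Firewall side: an iptables
# ruleset for a Linux 2.4 host that drops by default and logs every dropped
# packet, using --log-prefix to tag the class of traffic (multicast,
# broadcast, ICMP, everything else). Log-reader side: a swatch-style filter
# that starts out alerting on every tagged line and mutes whole classes as
# they prove to be noise. Tag names (FW-*) and the interface are assumptions.

# With IPT unset the rules are only printed, so the script runs as non-root.
# On the firewall, "IPT=iptables sh fwlog.sh" applies them for real.
IPT=${IPT:-echo iptables}

apply_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Multicast and broadcast chatter from the cable segment: still dropped,
    # but tagged separately so the log reader can mute it without muting
    # anything else.
    $IPT -A INPUT -d 224.0.0.0/4 -j LOG --log-prefix "FW-MCAST: "
    $IPT -A INPUT -d 224.0.0.0/4 -j DROP
    $IPT -A INPUT -m pkttype --pkt-type broadcast -j LOG --log-prefix "FW-BCAST: "
    $IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
    # All ICMP dropped, under its own tag.
    $IPT -A INPUT -p icmp -j LOG --log-prefix "FW-ICMP: "
    $IPT -A INPUT -p icmp -j DROP
    # Whatever reaches the end of the chain: the interesting part of the log.
    $IPT -A INPUT -j LOG --log-prefix "FW-OTHER: "
    $IPT -A INPUT -j DROP
}

# Swatch-style triage. Arguments are the tags to ignore; firewall log lines
# arrive on stdin and the ones still worth an alert are printed. Start with
# no arguments (alert on everything) and add tags as you get sick of them.
alert_lines() {
    pattern=""
    for tag in "$@"; do
        pattern="${pattern:+$pattern|}$tag: "
    done
    if [ -n "$pattern" ]; then
        grep 'FW-[A-Z]*: ' | grep -Ev "$pattern"
    else
        grep 'FW-[A-Z]*: '
    fi
}

# Constructed kern.log lines in the shape the LOG target writes (abbreviated).
sample_log() {
    cat <<'EOF'
Oct 22 04:50:01 fw kernel: FW-MCAST: IN=eth0 OUT= SRC=10.0.0.1 DST=224.0.0.1 LEN=28 TTL=1 ID=0 PROTO=2
Oct 22 04:50:02 fw kernel: FW-ICMP: IN=eth0 OUT= SRC=192.0.2.7 DST=10.0.0.5 LEN=84 TTL=51 ID=1 PROTO=ICMP TYPE=8 CODE=0
Oct 22 04:50:03 fw kernel: FW-BCAST: IN=eth0 OUT= SRC=10.0.0.1 DST=10.0.0.255 LEN=78 TTL=128 ID=2 PROTO=UDP SPT=138 DPT=138
Oct 22 04:50:04 fw kernel: FW-OTHER: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 LEN=48 TTL=112 ID=3 PROTO=TCP SPT=3271 DPT=135 SYN
Oct 22 04:50:05 fw kernel: FW-MCAST: IN=eth0 OUT= SRC=10.0.0.1 DST=224.0.0.1 LEN=28 TTL=1 ID=0 PROTO=2
EOF
}

# Number of sample-log lines that would still alert with the given tags
# ignored, as a bare integer.
count_alerts() {
    sample_log | alert_lines "$@" | wc -l | tr -d ' '
}

# Preview the ruleset, then show what the log reader would alert on once
# the multicast and broadcast classes have been muted.
apply_rules
echo
echo "Alerts with FW-MCAST and FW-BCAST muted:"
sample_log | alert_lines FW-MCAST FW-BCAST
```

The point of the two-stage design is that the firewall never has to decide what is worth logging: it logs every drop, and the decision about what is worth waking up for lives in the log reader, where it can be changed without touching a rule. With real swatch the equivalent of each muted tag is an `ignore` entry for that prefix in the swatch configuration.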