[Dshield] Perhaps some silly questions, but...

Brenden Walker BKWalker at DRBSystems.com
Thu Sep 19 01:18:17 GMT 2002


Thanks, ended up like so:

# create the DUMP chain (ignore the error if it already exists) and empty it
/sbin/iptables -N DUMP > /dev/null
/sbin/iptables -F DUMP
# log TCP and UDP, then silently drop everything that reaches this chain
/sbin/iptables -A DUMP -p tcp -j LOG
/sbin/iptables -A DUMP -p udp -j LOG
/sbin/iptables -A DUMP -j DROP

Reason being, I prefer to drop all packets, instead of rejecting... The
downside of that is that UDP packet scans from scan.sygatetech.com show
ports as being open which is odd.  I suspect that it's a problem with their
scanner.

One last thing I have to wonder about, should I turn off portsentry so that
the attempts get logged?  Hm, may have answered my own question, simply set
portsentry.conf to use the DUMP table instead of DROP..

Thanks!  Things look like they are working, I'll have to monitor my sent
mail...  I'm just happy to perhaps add some data to the 'cause' ;-)


-----Original Message-----
From: Ed Truitt [mailto:ed.truitt at etee2k.net]
Sent: Tuesday, September 17, 2002 7:13 PM
To: list at dshield.org
Subject: Re: [Dshield] Perhaps some silly questions, but...


I create a table in IPTABLES called "DUMP" using the following:

# create DUMP table
/sbin/iptables -N DUMP > /dev/null
/sbin/iptables -F DUMP
/sbin/iptables -A DUMP -p tcp -j LOG
/sbin/iptables -A DUMP -p udp -j LOG
/sbin/iptables -A DUMP -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A DUMP -j DROP

Then, for things I don't want to get through, I just jump to that chain,
thusly:

/sbin/iptables -A INPUT -i eth0 -s 0.0.0.0/8 -j DUMP

Hope this helps (or at least that it doesn't expose my ignorance TOO badly
8^}

----- Original Message -----
From: "Brenden Walker" <BKWalker at DRBSystems.com>
To: <list at dshield.org>
Sent: Tuesday, September 17, 2002 1:35 PM
Subject: [Dshield] Perhaps some silly questions, but...


> I'd like to submit my logs, but darn there's so many ways to do so.. None
> of which work "out of the box" for me.
>
> Is anybody parsing apache logs for Code Red/Nimda 'attacks' and sending
> that up?  I currently dump most of that stuff to /dev/null but perhaps it
> could be useful.
>
> I'm using iptables, but currently not setup to log any attempts.  In fact
> I'm not even sure how to go about doing that, and I'd hate to change my
> carefully tweaked and secured configuration and accidentally leave an
> opening.  Can anybody direct me to resources that describe how to Log
> attempts as well as drop/reject them?
>
> I'm also using portsentry, tried the current client and before, it's not
> working for portsentry 1.1, I presume I'll have to 'tweak' the client
> parser for that?  I'd upgrade, but my interface has a dynamic IP (well,
> hasn't changed in quite a while, but it could) and the 2.x version of
> portsentry requires you enter the IP address of the protected interface.
>
> Thanks for listening ;-).  Feel free to say "RTFM" on any and all
> questions, I'd just hate to re-invent the wheel.
>

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
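The rules above log every packet that reaches the DUMP chain with the kernel's netfilter LOG target, but the thread never shows what to do with those log lines once they land in syslog. The following script is an added example (it is not code from either poster, nor a DShield client) that parses the standard `SRC=... DST=... PROTO=... DPT=...` records the LOG target writes and summarises them per source, protocol and destination port, which is the first step toward the "submit my logs" goal of the original question. The log lines, hostname and addresses in it are constructed for the example; it assumes the default LOG output format and no `--log-prefix`.

```python
import re
from collections import Counter

# Constructed sample of syslog lines as written by an iptables "-j LOG" rule
# (standard netfilter LOG format; hostname, addresses and the sshd line are
# made up so the script runs offline). The UDP record carries two LEN=
# fields, the IP length and the UDP length, as real LOG output does.
SAMPLE_LOG = """\
Sep 19 01:10:02 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=31337 DF PROTO=TCP SPT=3042 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 19 01:10:03 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=31338 DF PROTO=TCP SPT=3043 DPT=443 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 19 01:10:09 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.22 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=1029 DPT=137 LEN=58
Sep 19 01:10:11 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=31339 DF PROTO=TCP SPT=3044 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 19 01:10:15 gw sshd[412]: Accepted publickey for admin from 192.0.2.5 port 50022
"""

# KEY=VALUE tokens; bare flags such as DF or SYN have no "=" and are skipped.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG record, or None when
    the line is not such a record (for example the sshd message above)."""
    marker = "kernel:"
    idx = line.find(marker)
    if idx < 0:
        return None
    fields = {}
    for key, value in KV_RE.findall(line[idx + len(marker):]):
        # keep the first occurrence, i.e. the IP-header LEN rather than the
        # transport-header LEN that UDP records append
        fields.setdefault(key, value)
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return fields


def summarize(log_text):
    """Count logged packets per (source address, protocol, destination port).
    ICMP records carry no DPT, so their port is recorded as None."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        dport = int(fields["DPT"]) if "DPT" in fields else None
        counts[(fields["SRC"], fields["PROTO"], dport)] += 1
    return counts


def top_sources(log_text, n=5):
    """Sources ordered by number of logged packets, most active first."""
    per_src = Counter()
    for (src, _proto, _dport), count in summarize(log_text).items():
        per_src[src] += count
    return per_src.most_common(n)


if __name__ == "__main__":
    for (src, proto, dport), count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:<16} {proto:<5} dport={dport!s:<6} packets={count}")
    print("busiest sources:", top_sources(SAMPLE_LOG))
```

Two operational points worth keeping in mind with the chain as posted. First, an unqualified `-j LOG` writes one syslog line per packet, so a scan or flood fills the log quickly; the LOG target accepts `--log-prefix "DUMP: "` to make the records easy to grep, and the rule can be rate-limited with `-m limit`. Second, the difference between the two DUMP chains in the thread is visible from a scanner's side: `REJECT --reject-with icmp-port-unreachable` answers a UDP probe, while a plain `DROP` sends nothing back, and a UDP scanner that receives no reply cannot tell a dropped port from an open one, which is why such ports tend to be reported as open or "open|filtered".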
