[Nottingham] iptables log analysis
Duncan John Fyfe
nottingham at mailman.lug.org.uk
Sat Sep 20 12:18:07 2003
On Thu, 18 Sep 2003, Martin wrote:
> Duncan John Fyfe wrote:
> [...]
>
>
> Also, I'd be interested if you've done anything about the worm pings.
> (Wandering between 0.1kBytes/s and 4.8kBytes/s here at the moment.)
>
I started dropping them based on length (92) as you suggested. Now
my logs are sufficiently clear I can see a few other things in there
of more or less interest.
I do various 'scan' checks on both INPUT and OUTPUT iptables.
The idea being, if my machine is sending out something I would consider a 'scan' or 'not quite right'
I'd like to know about it.
I've not investigated very far but the following rule:
$IPTABLES -A bad_tcp -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 5 -j LOG --log-level info --log-prefix " IPT: Stealth scan "
registers a few (well okay 8 in the space of >~ 1 minute):
Sep 19 15:30:35 dragon kernel: IPT: Stealth scan IN= OUT=eth0 SRC=<myIPaddress> DST=194.83.57.7 LEN=40 TOS=0x02 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1028 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
This coincides with either an apt-get update or delete.
Maybe I've made the test too sensitive but I'll need to take a look.
> Cheers,
> Martin
>
>
>
Have fun,
Duncan
--
Duncan John Fyfe X-ray Astronomy Group,
Dept. of Physics & Astronomy,
Phone +44 116 252 3635 University of Leicester,
E-mail djf@star.le.ac.uk University Road,
Leicester, LE1 7RH, U.K.
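As an added example (not part of Duncan's mail), the Python below emulates the `--tcp-flags SYN,ACK,FIN,RST RST` test from the quoted rule against a parsed copy of the logged packet, then applies a simple triage heuristic for deciding whether a bare RST is the local client side closing its own connection or something to look at; the port thresholds in `triage_bare_rst` are my assumption, not anything from the thread.

```python
# TCP header flag bits (RFC 793); netfilter's LOG target prints set flags by name.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def tcp_flags_match(mask, comp, packet_flags):
    """Emulate iptables '--tcp-flags MASK COMP': of the flags named in MASK,
    exactly those in COMP must be set; flags outside MASK are ignored."""
    m = sum(FLAGS[f] for f in mask)
    c = sum(FLAGS[f] for f in comp)
    return (packet_flags & m) == c

def parse_ipt_log(line):
    """Parse one netfilter LOG line ('... IPT: <prefix> IN= OUT=eth0 SRC=...')
    into a dict of KEY=VALUE fields plus a 'flags' bit set."""
    fields, bits = {}, 0
    for tok in line.split("IPT:", 1)[1].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        elif tok in FLAGS:          # bare tokens such as RST, SYN, ACK
            bits |= FLAGS[tok]
    fields["flags"] = bits
    return fields

def triage_bare_rst(fields):
    """Assumed heuristic (not from the thread): a locally generated bare RST
    from an ephemeral port to a service port is the local client side tearing
    down a connection it opened (e.g. an HTTP fetch), so it is a normal
    teardown; a bare RST aimed at a remote high port, or one arriving
    inbound, is the case worth a closer look."""
    if not tcp_flags_match(["SYN", "ACK", "FIN", "RST"], ["RST"], fields["flags"]):
        return "no-match"
    outbound = fields.get("IN", "") == "" and fields.get("OUT", "") != ""
    if outbound and int(fields["SPT"]) >= 1024 and int(fields["DPT"]) < 1024:
        return "client-side reset"
    return "review"

# Constructed copies of the log line quoted in the mail (IP placeholder kept)
# and of a SYN-only variant that the rule must not match.
SAMPLE_RST = ("Sep 19 15:30:35 dragon kernel: IPT: Stealth scan IN= OUT=eth0 "
              "SRC=<myIPaddress> DST=194.83.57.7 LEN=40 TOS=0x02 PREC=0x00 TTL=64 "
              "ID=0 DF PROTO=TCP SPT=1028 DPT=80 WINDOW=0 RES=0x00 RST URGP=0")
SAMPLE_SYN = SAMPLE_RST.replace(" RST URGP", " SYN URGP")

if __name__ == "__main__":
    for line in (SAMPLE_RST, SAMPLE_SYN):
        f = parse_ipt_log(line)
        print(f["SRC"], "->", f["DST"], "flags=0x%02x" % f["flags"], triage_bare_rst(f))
```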