I've been one of many that have lately had a ton of logs with dns floods and http scans. I figured that I would go and SILENT_DENY them yesterday. I did and my logs stayed empty the rest of the day.
Today I checked the weblet and I had http SYN packets in my logs. So, I go down and set up a monitor and get ready to check things out. To my amazement, everything was all in CAPS .... everything from the shell and my keyboard input. It lagged a little when I logged in, so I 'ae' a .conf file and attempt to scroll ..... it's lagging like ssh does (ohhh, now I'm real interested)! I pull up another shell and everything is normal (no lag and the fonts are case-sensitive again). I check 'ps ax' and everything is normal, so I 'svi network reload' and change back to terminal 1. Terminal 1 is back to normal now too. None of my network settings have changed.

The box is a DF floppy w/o ssh, IPSec, or telnet. The only hole in the firewall is a portfw to an internal webserver w/o any name resolution on port 81. After resetting the firewall, I got a bunch of port 80 and a couple of port 21 hits.

Any ideas .... I'm afraid someone was somehow filtering my shell. Oh, I know the date is borked on the machine .... it's been a low priority.

############# <snip of logs after svi network reload> #################
Feb 25 06:42:10 firewall syslogd 1.3-3#31.slink1: restart.
Feb 25 07:38:56 firewall kernel: Packet log: input DENY eth0 PROTO=6 24.94.145.4:4428 24.94.209.18:80 L=44 S=0x00 I=44645 F=0x4000 T=113 SYN (#43)
Feb 25 07:38:59 firewall kernel: Packet log: input DENY eth0 PROTO=6 24.94.145.4:4428 24.94.209.18:80 L=44 S=0x00 I=11879 F=0x4000 T=113 SYN (#43)
Feb 25 07:40:41 firewall kernel: Packet log: input DENY eth0 PROTO=6 24.94.145.4:3716 24.94.209.18:80 L=44 S=0x00 I=3759 F=0x4000 T=113 SYN (#43)
Feb 25 07:40:44 firewall kernel: Packet log: input DENY eth0 PROTO=6 24.94.145.4:3716 24.94.209.18:80 L=44 S=0x00 I=27825 F=0x4000 T=113 SYN (#43)
Feb 25 07:51:45 firewall kernel: Packet log: input DENY eth0 PROTO=6 24.94.145.4:4350 24.94.209.18:80 L=44 S=0x00 I=58272 F=0x4000 T=113 SYN (#43)
Feb 25 07:51:47 firewall kernel: Packet log: input DENY eth0 PROTO=6 24.94.145.4:4350 24.94.209.18:80 L=44 S=0x00 I=13987 F=0x4000 T=113 SYN (#43)
Feb 25 08:06:14 firewall kernel: Packet log: input DENY eth0 PROTO=6 24.94.145.4:2791 24.94.209.18:80 L=44 S=0x00 I=14880 F=0x4000 T=113 SYN (#43)
Feb 25 08:06:17 firewall kernel: Packet log: input DENY eth0 PROTO=6 24.94.145.4:2791 24.94.209.18:80 L=44 S=0x00 I=18978 F=0x4000 T=113 SYN (#43)
Feb 25 10:16:50 firewall kernel: Packet log: input DENY eth0 PROTO=6 24.94.189.225:1585 24.94.209.18:80 L=48 S=0x00 I=1386 F=0x4000 T=119 SYN (#43)
Feb 25 10:16:52 firewall kernel: Packet log: input DENY eth0 PROTO=6 24.94.189.225:1585 24.94.209.18:80 L=48 S=0x00 I=1675 F=0x4000 T=119 SYN (#43)
Feb 25 11:13:06 firewall kernel: Packet log: input DENY eth0 PROTO=6 213.73.141.207:4691 24.94.209.18:21 L=48 S=0x00 I=57540 F=0x4000 T=112 SYN (#43)
Feb 25 11:13:09 firewall kernel: Packet log: input DENY eth0 PROTO=6 213.73.141.207:4691 24.94.209.18:21 L=48 S=0x00 I=57779 F=0x4000 T=112 SYN (#43)
Feb 25 11:13:15 firewall kernel: Packet log: input DENY eth0 PROTO=6 213.73.141.207:4691 24.94.209.18:21 L=48 S=0x00 I=57980 F=0x4000 T=112 SYN (#43)
Feb 25 11:20:16 firewall kernel: Packet log: input DENY eth0 PROTO=6 66.51.193.121:3648 24.94.209.18:21 L=48 S=0x00 I=34442 F=0x4000 T=110 SYN (#43)
############### <end of snip> ##################################

--
~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!
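
The ipchains packet-log lines in the message above can be parsed and grouped per source, shown here as an added example that is not part of the original post. The function names and the sample lines (documentation address ranges) are constructed for illustration, and the grouping assumes that denied SYNs repeating the same source address and source port are retransmissions of one connection attempt.

```python
import re
from collections import defaultdict

# Layout of an ipchains "Packet log:" line, as seen in the log snippet above.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)
INT_FIELDS = ("proto", "sport", "dport", "length", "ipid", "ttl", "rule")

def parse_line(line):
    """Return the fields of one packet-log line as a dict, or None for other syslog lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    rec["syn"] = rec["syn"] is not None
    return rec

def summarize(lines):
    """Count denied SYNs per (source, destination port). Packets that repeat the
    same source port are treated as retransmissions of one attempt (assumption)."""
    flows = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["syn"] and rec["action"] == "DENY":
            flows[(rec["src"], rec["sport"], rec["dport"])] += 1
    summary = {}
    for (src, _sport, dport), packets in flows.items():
        entry = summary.setdefault((src, dport), {"attempts": 0, "packets": 0})
        entry["attempts"] += 1
        entry["packets"] += packets
    return summary

# Constructed sample lines (documentation address ranges, not the hosts in the post).
PREFIX = "Feb 25 07:38:56 firewall kernel: Packet log: input DENY eth0 PROTO=6 "
SAMPLE = [
    "Feb 25 06:42:10 firewall syslogd 1.3-3#31.slink1: restart.",
    PREFIX + "192.0.2.10:4428 198.51.100.5:80 L=44 S=0x00 I=44645 F=0x4000 T=113 SYN (#43)",
    PREFIX + "192.0.2.10:4428 198.51.100.5:80 L=44 S=0x00 I=11879 F=0x4000 T=113 SYN (#43)",
    PREFIX + "192.0.2.10:3716 198.51.100.5:80 L=44 S=0x00 I=3759 F=0x4000 T=113 SYN (#43)",
    PREFIX + "203.0.113.7:4691 198.51.100.5:21 L=48 S=0x00 I=57540 F=0x4000 T=112 SYN (#43)",
    PREFIX + "203.0.113.7:4691 198.51.100.5:21 L=48 S=0x00 I=57779 F=0x4000 T=112 SYN (#43)",
]

if __name__ == "__main__":
    for key, counts in summarize(SAMPLE).items():
        print(key, counts)
```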