The reason I have the verbose logging is because I remotely log the 
information and generate a web page that lists the time frames I was hit by 
an IP and how many packets have been sent to me by each IP.  I suppose I 
should have left that out - as I have to reset my log files every 2 hours or 
so..... :)

Oops

Simon


>From: Steve Jeppesen <[EMAIL PROTECTED]>
>To: "Simon Bolduc" <[EMAIL PROTECTED]>, leaf-user 
><[EMAIL PROTECTED]>
>Subject: Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?
>Date: Wed, 27 Feb 2002 12:50:36 -0600
>
>I have to say - Simon, along with Charles, posted on the list about a week
>ago and this is how I set mine up last week.  I did pretty much the same thing
>Simon posted, except I took the v (Verbosely log activity to syslog)
>out of the OPTIONS=" and I disabled logging on port 80 - My ramdisk was
>pushing 98% capacity in a matter of a few hours!
>
>  #1 Seems LaBrea is working just fine, too good actually because it is
>drawing
>in some active port scanning as well, just increases after they
>realized something (LaBrea) answered them back.
>
>could just change
>  and tcp[2:2] & 0xfc00 == 0 in /etc/LaBrea.bpf
>to read
>  tcp dst port 80 or 21)
>however I think I would rather just keep it the way it is.
>
>  #2 It would work even better if, say, when any IP gets teergrubed,
>LaBrea (or some other package?) could run a small script to stop logging
>anything else to do with that IP..
>
>Feb 27 05:44:12 firewall /usr/sbin/LaBrea: Teergrubing: 80.13.85.237 4427
>-> 24.118.176.41 21
>
>preferably I would not want this to show up in the log after the previous
>msg;
>
>Feb 27 05:44:12 firewall kernel: Packet log: input DENY eth0 PROTO=6
>80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=15884 F=0x4000 T=25 (#67)
>Feb 27 05:44:17 firewall kernel: Packet log: input DENY eth0 PROTO=6
>80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16298 F=0x4000 T=25 (#67)
>Feb 27 05:44:20 firewall kernel: Packet log: input DENY eth0 PROTO=6
>80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16508 F=0x4000 T=25 (#67)
>Feb 27 05:44:26 firewall kernel: Packet log: input DENY eth0 PROTO=6
>80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16875 F=0x4000 T=25 (#67)
>
>On Wed, 27 Feb 2002 11:14:28 -0500
>
>Now with the changes I made, and uptime is over three days;
>Uptime:
>  12:46:30 up 3 Days (94h), load average: 0.16 0.03 0.01
>
>my ramdisk is fine;
>/dev/ram1                 4049       359      3690   9% /var/log
>
>That I can live with.
>
>Thanks again to all your help!
>Steve
>
>"Simon Bolduc" <[EMAIL PROTECTED]> wrote:
>
> > This is from the mailing list (modified slightly) - it is a little
>script
> > that greps your external IP and reconfigures LaBrea on an IP change:
> >
> > 1.  Create /etc/LaBrea.in  have it contain the following:
> >
> > dst host <IPADDR>
> >      and tcp[2:2] & 0xfc00 == 0
> >      and not dst port (port # of any services you run that use ports
>below
> > 1024 like ssh or ftp or www)
> >
> > 2.  Create /etc/LaBrea.scr   it should contain the following:
> >
> > #!/bin/sh
> >
> > IPADDR=`ip addr list label eth0 | grep inet | \
> > sed '1!d;s/^[^.0-9]*\([.0-9]*\).*$/\1/'`
> >
> > sed "s/<IPADDR>/$IPADDR/g" /etc/LaBrea.in >/etc/LaBrea.bpf
> >
> >
> > 3.  Allow LaBrea.scr to be executable:
> >
> > chmod 744 /etc/LaBrea.scr
> >
> > 4.  Edit the dhclient-exit-hooks with the following changes:
> >
> > # Reload networking to see new address
> >    reload_all
> >
> > Add a few lines so you have
> >
> > # Reload networking to see new address
> >    reload_all
> >    /etc/LaBrea.scr
> >    svi LaBrea stop
> >    svi LaBrea start
> >
> > 5.  Back up dhclient and LaBrea - all done :)
> >
> > Just so you know, the filter will block all ports below 1024 (which are
> > the ports that are normally denied automatically by Dachstein), so make sure
> > you aren't running any services on those ports - or alter the bpf
> > accordingly.
> > If you only have one IP address like I do here are the options that I
>use to
> > make sure my box doesn't proactively look for unused IPs (contained in
>the
> > LaBrea startup script):
> >
> > OPTIONS="-i eth0 -l -v -p 80000 -z -x -F /etc/LaBrea.bpf"
> >
> >
> > Also everything is case sensitive in Linux - thus labrea and LaBrea are
>two
> > totally different words to the OS - so make sure you are typing things
> > correctly.  You may just want to cut and paste.
> >
> >
> > HTH
> > S
> >
> >
> >
> > >From: "Craig Caughlin" <[EMAIL PROTECTED]>
> > >To: "LEAF" <[EMAIL PROTECTED]>
> > >Subject: [Leaf-user] Will LaBrea work with dynamic IP addresses?
> > >Date: Wed, 27 Feb 2002 07:33:33 -0800
> > >
> > >Hi folks,
> > >I'm confused (what else is new :-) ). Will LaBrea work with the
>"default"
> > >Dachstein CD (which acts as both a DHCP client & Server)? or would I
>need
> > >to
> > >change DCD for static addresses? I have my generic, Dachstein CD
>working
> > >O.K., and would like to incorporate LaBrea...but I can't seem to figure
>out
> > >if it will work with the default DCD. Thank you, have a great day!
> > >
> > >Craig
> > >
> > >
> > >
> > >_______________________________________________
> > >Leaf-user mailing list
> > >[EMAIL PROTECTED]
> > >https://lists.sourceforge.net/lists/listinfo/leaf-user
> >
> >
> >
> >
> >
> >






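The address-extraction and filter-regeneration step from Simon's instructions (steps 1 to 4 in the quoted message) has one failure mode worth closing: if dhclient fires the hook while eth0 briefly has no address, the sed line produces an empty `$IPADDR` and an unusable `dst host` clause gets written over /etc/LaBrea.bpf. The script below is an added example for this thread, not the script from the list or anything shipped with LaBrea or Dachstein; it validates the extracted address before touching the filter and swaps the file in atomically. The function names, the scratch-directory demo and the sample `ip addr` output (a 192.0.2.x TEST-NET address) are constructed for the example.

```shell
#!/bin/sh
# Added example (not the script from the thread). Regenerates the LaBrea BPF
# filter from a template on an address change, but only when a syntactically
# valid IPv4 address was actually extracted; otherwise the old filter is kept.
# Function names and the sample output below are constructed for this example.

# Constructed sample of `ip addr list label eth0` output (TEST-NET-1 address).
SAMPLE_IP_OUTPUT='2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
    inet6 fe80::211:22ff:fe33:4455/64 scope link'

# Print the first IPv4 address from `ip addr` style text on stdin.
# "inet " with a trailing space skips inet6 lines; the first match wins.
extract_ip() {
    sed -n 's/^[[:space:]]*inet \([0-9.]*\).*$/\1/p' | head -n 1
}

# Succeed only when $1 is a dotted quad of exactly four octets in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Write the template ($1) to stdout with every <IPADDR> replaced by $2.
render_bpf() {
    sed "s/<IPADDR>/$2/g" "$1"
}

# regen_bpf TEMPLATE DEST ADDR: rewrite DEST atomically from TEMPLATE.
# Returns 1 and leaves DEST untouched when ADDR is missing or malformed.
regen_bpf() {
    if ! valid_ipv4 "$3"; then
        echo "regen_bpf: no valid IPv4 address ('$3'), keeping $2" >&2
        return 1
    fi
    tmp="$2.tmp.$$"
    render_bpf "$1" "$3" > "$tmp" && mv "$tmp" "$2"
}

# Self-contained demonstration in a scratch directory; prints the generated
# filter. On a real box the dhclient-exit-hooks line would be:
#   regen_bpf /etc/LaBrea.in /etc/LaBrea.bpf "$(ip addr list label eth0 | extract_ip)"
demo_regen() {
    dir=$(mktemp -d) || return 1
    printf 'dst host <IPADDR>\n  and tcp[2:2] & 0xfc00 == 0\n  and not dst port 22\n' > "$dir/LaBrea.in"
    addr=$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | extract_ip)
    regen_bpf "$dir/LaBrea.in" "$dir/LaBrea.bpf" "$addr" || return 1
    cat "$dir/LaBrea.bpf"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then
    demo_regen
fi
```

Because `regen_bpf` returns non-zero on a bad address, the hook can skip the `svi LaBrea stop`/`start` pair in that case and keep the previous filter running rather than restarting LaBrea with a filter that matches nothing or, worse, everything.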

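Steve's wish in #2 (once LaBrea has reported teergrubing an address, stop logging the kernel's repeated DENY lines for it) and the per-IP time-frame and packet-count page Simon describes at the top of the thread can both be had by post-processing the syslog stream instead of changing what the kernel logs. The filter below is an added example written for this thread, not code from LaBrea, Dachstein or either poster. Its input is the Teergrubing line and the four DENY lines quoted above, plus one constructed DENY line from a second address (198.51.100.9) that was never tarpitted, so the pass-through case is visible; the function name and the summary line format are my own.

```shell
#!/bin/sh
# Added example (not code from the thread, LaBrea or Dachstein). Reads syslog
# lines on stdin and (1) drops the kernel "Packet log: input DENY" lines for a
# source address once LaBrea has logged "Teergrubing:" for it, (2) passes every
# other line through, and (3) appends one summary line per source with packet
# count and first/last timestamp, which is what a per-IP status page needs.

# Sample input: the Teergrubing line and four DENY lines quoted in the thread,
# plus a constructed DENY line from a source (198.51.100.9) that was never tarpitted.
SAMPLE_LOG='Feb 27 05:44:12 firewall /usr/sbin/LaBrea: Teergrubing: 80.13.85.237 4427 -> 24.118.176.41 21
Feb 27 05:44:12 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=15884 F=0x4000 T=25 (#67)
Feb 27 05:44:15 firewall kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:33012 24.118.176.41:21 L=40 S=0x00 I=20011 F=0x4000 T=51 (#67)
Feb 27 05:44:17 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16298 F=0x4000 T=25 (#67)
Feb 27 05:44:20 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16508 F=0x4000 T=25 (#67)
Feb 27 05:44:26 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16875 F=0x4000 T=25 (#67)'

# reduce_log: filter stdin as described above. Field positions follow the two
# line formats in the sample: $7 is the tarpitted source in a LaBrea line,
# $12 is "src:port" in a kernel packet-log line.
reduce_log() {
    awk '
    function stamp() { return $1 " " $2 " " $3 }
    /LaBrea: Teergrubing:/ {
        src = $7
        tarpit[src] = 1
        if (!(src in first)) first[src] = stamp()
        print
        next
    }
    /kernel: Packet log: input DENY/ {
        split($12, sp, ":")
        src = sp[1]
        count[src]++
        if (!(src in first)) first[src] = stamp()
        last[src] = stamp()
        if (src in tarpit) next      # already tarpitted: suppress the repeat
        print
        next
    }
    { print }                        # anything else passes through unchanged
    END {
        for (src in count)
            printf "summary %s packets=%d first=\"%s\" last=\"%s\" tarpit=%s\n",
                   src, count[src], first[src], last[src],
                   (src in tarpit) ? "yes" : "no"
    }'
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | reduce_log
fi
```

Run as `sh reduce.sh demo` it keeps the Teergrubing line, keeps the single DENY line from 198.51.100.9, drops the four DENY repeats from 80.13.85.237, and emits the two summary lines. Pointed at a live file (`tail -F /var/log/messages | reduce_log`) it gives the reduced stream Steve asked for without touching the kernel's own logging, and the summary lines are the per-IP figures Simon's page shows, so the verbose syslog output only has to survive until the next reduction pass rather than filling the ramdisk.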