Forgot to include the list... sorry!

-------- Original Message --------

Hi Alex,

> I'm trying to understand my LEAF log files better. Feel free to point
> me at docs or other things I should be reading.

As already pointed out on this list, Echogent Systems (http://www.echogent.com/cgi-bin/fwlog.pl) has a nice service that can help you understand things going on. They describe the potential threat and give some to-the-point advice too...

Besides that, in the LEAF documentation there's also a document that helps you understand what you see in your logs: http://sourceforge.net/docman/display_doc.php?docid=2459&group_id=13751. In the LEAF documentation section there are other docs too that should get your attention.

> My DachStein firewall is dying every so often (once every few weeks)
> and I am wondering whether there is some DoS attack going on - or more
> likely just dodgy hardware.

Could be a memory thing... your logs could fill up your ramdisk or something like that.

> I had to reboot my DachStein machine yesterday but afterwards got
> this....
> Is this someone doing a port scan? It looks like they are only trying
> a few ports...

Well, it surely seems someone is trying hard to get in on ports 23 (telnet), 21 (ftp) and even 22 (ssh), and always in that order. Now, something interesting is the source address that this request comes from... "dig -x 194.84.34.34" tells us this:

; <<>> DiG 9.2.0rc3 <<>> -x 194.84.34.34
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15997
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;34.34.84.194.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
34.34.84.194.in-addr.arpa. 3600 IN      PTR     relay.wtc-ural.ru.

;; AUTHORITY SECTION:
34.84.194.in-addr.arpa. 3600    IN      NS      exchange.wtc-ural.ru.
34.84.194.in-addr.arpa. 3600    IN      NS      ns.rosprint.net.
34.84.194.in-addr.arpa. 3600    IN      NS      ns2.rosprint.net.

;; ADDITIONAL SECTION:
exchange.wtc-ural.ru.   3600    IN      A       194.84.34.33
ns.rosprint.net.        6524    IN      A       193.232.88.17
ns2.rosprint.net.       6524    IN      A       194.84.23.125

The interesting part is somewhere in the middle, in the "ANSWER SECTION". It tells you the source is some machine in Russia from the domain wtc-ural.ru. So, what you *could* do is warn the system administrator of this domain that someone in his domain is doing things he really shouldn't... you can use tools like "dig" and "whois" to get as much info as possible on the domain and its responsible people.

Anyhow, you shouldn't be too afraid, since the packet log your firewall produced indicates that these packets did not harm you, since they were stopped.

If this kind of scanning really happens a lot and could be the cause of filling up your ramdisk, you could consider a number of options:

* buy some more RAM, to make a bigger ramdisk ;-)
* install "portsentry" or "snort" (there are .LRP packages of these hanging around). These will detect port scans in real time and warn you, as well as lock the sources of these attacks out.

> Presumably restarting syslogd is normal since it has to rotate the logs?
>
> :: messages ::
> Mar 10 06:42:07 firewall syslogd 1.3-3#31.slink1: restart.
> Mar 10 06:47:03 firewall syslogd 1.3-3#31.slink1: restart.
> Mar 10 09:38:42 firewall -- MARK --

Indeed. And the MARK is generated if there were no messages during a certain period, so that you know the syslog daemon did not die (or get killed).

Hope this helps!

Robert Sprockeels

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
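As an added illustration of the two things Robert points at above (grouping the denied packets by source address so the repeated 23 / 21 / 22 sequence stands out, and using the MARK interval to spot when syslogd went quiet), here is a small Python script. It is not code from LEAF, DachStein, portsentry or from anyone in this thread. The log lines inside it are constructed, and their ipchains-style "Packet log:" layout is an assumption, since Alex's list did not make it into the mail; the 20-minute MARK interval is sysklogd's default and is a parameter here.

```python
"""Group denied packets per source and check syslogd liveness from firewall logs.

Added example for this thread; not LEAF/DachStein/portsentry code.
SAMPLE_LOG is constructed and its ipchains-style layout is assumed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in an assumed ipchains-style "Packet log:" format.
SAMPLE_LOG = """\
Mar 10 06:42:07 firewall syslogd 1.3-3#31.slink1: restart.
Mar 10 06:51:10 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:3122 10.0.0.2:23 L=60 S=0x00 I=0 F=0x4000 T=48 SYN (#4)
Mar 10 06:51:11 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:3123 10.0.0.2:21 L=60 S=0x00 I=0 F=0x4000 T=48 SYN (#4)
Mar 10 06:51:12 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:3124 10.0.0.2:22 L=60 S=0x00 I=0 F=0x4000 T=48 SYN (#4)
Mar 10 07:05:00 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.77:1030 10.0.0.2:137 L=78 S=0x00 I=0 F=0x0000 T=128 (#9)
Mar 10 07:25:00 firewall -- MARK --
Mar 10 08:40:00 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:3300 10.0.0.2:23 L=60 S=0x00 I=0 F=0x4000 T=48 SYN (#4)
Mar 10 08:40:01 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:3301 10.0.0.2:21 L=60 S=0x00 I=0 F=0x4000 T=48 SYN (#4)
Mar 10 08:40:02 firewall kernel: Packet log: input DENY eth0 PROTO=6 194.84.34.34:3302 10.0.0.2:22 L=60 S=0x00 I=0 F=0x4000 T=48 SYN (#4)
Mar 10 09:38:42 firewall -- MARK --
"""

# syslog prefix: "Mon DD HH:MM:SS host rest-of-line"
TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
# assumed ipchains layout: "Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ..."
PKT_RE = re.compile(r"Packet log: (\S+) (\S+) (\S+) PROTO=(\d+) (\S+):(\d+) (\S+):(\d+)")
YEAR = 2002  # syslog timestamps carry no year; fixed for the constructed sample


def parse_ts(text):
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


def parse_packets(log_text):
    """Yield (timestamp, action, proto, src_ip, dst_port) for every logged packet."""
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        p = PKT_RE.search(m.group(3))
        if not p:
            continue
        _chain, action, _iface, proto, src, _sport, _dst, dport = p.groups()
        yield parse_ts(m.group(1)), action, int(proto), src, int(dport)


def port_sequences(log_text, window_seconds=60, min_ports=3):
    """Per source address, return the bursts in which at least `min_ports`
    distinct destination ports were denied within `window_seconds`.
    Each burst is the list of ports in the order they were first hit, so a
    repeated 23 -> 21 -> 22 pattern like the one in the thread shows directly."""
    by_src = defaultdict(list)
    for ts, action, _proto, src, dport in parse_packets(log_text):
        if action == "DENY":
            by_src[src].append((ts, dport))
    bursts = {}
    for src, events in by_src.items():
        events.sort()
        i = 0
        while i < len(events):
            # extend the burst while events stay within the window of its first packet
            j = i
            while j + 1 < len(events) and (events[j + 1][0] - events[i][0]).total_seconds() <= window_seconds:
                j += 1
            ports = []
            for _, port in events[i:j + 1]:
                if port not in ports:
                    ports.append(port)
            if len(ports) >= min_ports:
                bursts.setdefault(src, []).append(ports)
            i = j + 1
    return bursts


def syslog_gaps(log_text, mark_interval_minutes=20):
    """Return (previous, next) timestamp pairs where the log was silent for more
    than twice the MARK interval. syslogd writes '-- MARK --' after an idle
    interval, so a much longer silence means syslogd (or the whole box) stopped."""
    stamps = [parse_ts(TS_RE.match(l).group(1)) for l in log_text.splitlines() if TS_RE.match(l)]
    limit = 2 * mark_interval_minutes * 60
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if (b - a).total_seconds() > limit]


if __name__ == "__main__":
    for src, runs in port_sequences(SAMPLE_LOG).items():
        print(src, "probed port sequences:", runs)
    for a, b in syslog_gaps(SAMPLE_LOG):
        print("log silent from", a.time(), "to", b.time())
```

Run it as-is on the embedded sample, or feed the contents of /var/log/messages to the two functions instead of SAMPLE_LOG; adjust PKT_RE if your kernel's log line layout differs from the assumed one. The single NetBIOS packet from 10.0.0.77 is not reported because it never reaches the three-port threshold, which keeps ordinary broadcast noise out of the report.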
