Joey, My two cents worth: log files are good, the more the better, it just a matter of how to manage them. I have my firewall (and HP Unix box, 2 Red Hat servers and even a couple NT) doing a remote syslog to an internal RedHat box, then logcheck runs every 15 minutes. Logcheck for anything out of the ordinary and e-mail it to me. Most of the e-mail contain nothing to be concerned about, but it allows me to be aware.
Let this stuff go into the logs, then use a logcheck program to alert you to the stuff that you really need to pay attention to. And occasionally, audit the regular logs just to make sure your log check rules are doing what you intended them to do. Michael Message: 9 Date: Wed, 29 Jan 2003 08:16:34 -0800 To: <[EMAIL PROTECTED]> From: Ray Olszewski <[EMAIL PROTECTED]> Subject: Re: [leaf-user] tracing spoofed IPs? At 09:51 AM 1/29/03 -0600, Joey Officer wrote: >I'm not sure if that topic is adequate, but here goes. > >I'm sick of my logs filling up with various IPs all trying to hit various >ports. I know I can put the silent deny up and it won't fill up the log any >more, but is there a more defensive approach that can be taken? Is there a >way to trace what appear to be spoofed IP addresses. I've got about a >million of the following entry in my logs > >Jan 29 11:23:47 firewall kernel: Packet log: input DENY eth0 PROTO=17 >10.51.192.1:67 255.255.255.255:68 L=350 S=0x00 I=25217 F=0x0000 T=255 (#8) > >I know the 10.x.x.x is for private use, so its obviously not a real IP. But >is there a way to 'answer' the request in order to get more information from >the offending computer to advise the admins and see if they can do something >about it? Unless your ISP actually uses that address range on your external interface, there should be no way to " 'answer' the request ". That's why the addresses are called "private" -- the standards call for them to be unroutable on the public Internet. But while they are often called "not real" colloquially, they in fact can be perfectly "real", in that they are used by actual machines on NAT'd LANs. Since they involve source port 67 and broadcast traffic (at least your example does), it's a good guess that this traffic comes from other users of your ISP who do not have their routers (or, possbily, their LAN broadcast addresses) set properly, causing the incessant chatter of Windows PCs with file-sharing enabled to leak off the LAN. If this guess is right, then the source addresses are not spoofed; they are real machines on NAT'd LANs that have misconfigured routers. (Old saying: "Never attribute to malice that which can be adequately explained by incompetence.") Of course, this comment only applies to the example log entry you chose; your general question about "various IPs all trying to hit various ports" is too vague to answer in the form posed. Some knowledge of the actual addresses and ports involved is required. (And there *is* another old saying: "Never attribute to incompetence that which can be adequately explained by malice.") -- -------------------------------------------"Never tell me the odds!"-------- Ray Olszewski -- Han Solo Palo Alto, California, USA [EMAIL PROTECTED] ---------------------------------------------------------------------------- --- THE INFORMATION CONTAINED IN THIS E-MAIL IS CONFIDENTIAL AND INTENDED ONLY FOR THE USE OF THE INDIVIDUAL TO WHOM IT IS ADDRESSED. IF YOU ARE NOT THE INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY USE, DISSEMINATION, DISTRIBUTION OR COPYING OF THIS COMMUNICATION IS PROHIBITED. IF YOU HAVE RECEIVED THIS E-MAIL IN ERROR, PLEASE IMMEDIATELY NOTIFY THE SENDER BY RETURN E-MAIL OR CALL VALLEY MEDICAL CENTER, PLLC AT 1-888-884-4155, EXT 6203 AND DELETE THIS E-MAIL, ANY ATTACHMENTS, AND ALL COPIES. ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com ------------------------------------------------------------------------ leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
