I check /var/log/messages regularly and find this:
Nov 19 21:32:51 c896765-a kernel: IN=eth0 IN=eth0 OUT=
MAC=00:a0:24:ba:75:64:00:03:6c:48:88:8c:08:00 SRC=65.1.121.18
DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=12729 DF PROTO=TCP
SPT=3184 DPT=27374 WINDOW=8192 RES=0x00 SYN URGP=0 

Now, if I'm reading this correctly (and with the help of the Netfilter log
analyzer, I think I am), the log entry is telling me that I received a
packet scanning for some form of the Sub-7 Trojan horse from 65.1.121.18
with a MAC address of 00:03:6c:48:88:8c.  I've got other entries, some
identical, some differing on the port, some differing on the IP, but for all
of them the MAC address is the same.  Would the correct way to block this
script-kiddie be something like this?
iptables -A INPUT --mac-source 00:03:6c:48:88:8c -j DROP

If it helps, I'm running Red Hat 7.2 (using iptables) with all the updates
loaded via up2date, and the Linux box acts as my router for the other
computers in the house.

Network Setup

 Cable modem
      |
 Linux server
      |
     Hub
  ____|____________
 |        |        |
Box 1   Box 2   Box 3

If further information is required to solve this, please let me know.

Mark McKibben     [EMAIL PROTECTED]
http://www.avalon.net/~manzabar
ICQ#  8476502

Experience is that marvelous thing that enables you to recognize a mistake
when you make it again.
 - Unknown
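
How the MAC= field in a log line like the one above breaks down, as an added example that is not part of the original post: the netfilter LOG target writes it as destination MAC (6 bytes), source MAC (6 bytes) and EtherType (2 bytes). The sample lines are constructed (documentation-range IP addresses, the MAC bytes reused from the post) and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the LOG target's format. IP addresses are
# documentation ranges; the last line has an empty MAC= field.
SAMPLE_LOG = """\
Nov 19 21:32:51 gw kernel: IN=eth0 OUT= MAC=00:a0:24:ba:75:64:00:03:6c:48:88:8c:08:00 SRC=192.0.2.18 DST=203.0.113.5 LEN=48 TTL=118 ID=12729 DF PROTO=TCP SPT=3184 DPT=27374 WINDOW=8192 SYN URGP=0
Nov 19 21:40:02 gw kernel: IN=eth0 OUT= MAC=00:a0:24:ba:75:64:00:03:6c:48:88:8c:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TTL=112 ID=4411 DF PROTO=TCP SPT=1522 DPT=27374 WINDOW=8192 SYN URGP=0
Nov 19 22:05:17 gw kernel: IN=eth0 OUT= MAC=00:a0:24:ba:75:64:00:03:6c:48:88:8c:08:00 SRC=192.0.2.18 DST=203.0.113.5 LEN=48 TTL=118 ID=12901 DF PROTO=TCP SPT=3190 DPT=1243 WINDOW=8192 SYN URGP=0
Nov 19 22:09:44 gw kernel: IN=ppp0 OUT= MAC= SRC=198.51.100.9 DST=203.0.113.5 LEN=60 TTL=52 ID=77 PROTO=TCP SPT=4000 DPT=23 WINDOW=5840 SYN URGP=0
"""

KV = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; bare flags (SYN, DF) are skipped


def parse_line(line):
    """Return the KEY=value fields of one LOG line, with MAC= split up."""
    fields = dict(KV.findall(line))
    mac = fields.get("MAC", "").split(":")
    if len(mac) == 14:  # 6 bytes dst + 6 bytes src + 2 bytes EtherType
        fields["MAC_DST"] = ":".join(mac[0:6])
        fields["MAC_SRC"] = ":".join(mac[6:12])
        fields["ETHERTYPE"] = "".join(mac[12:14])
    return fields


def sources_per_mac(log_text):
    """Map each source MAC to the SRC IPs and DPT ports logged with it."""
    seen = defaultdict(lambda: {"ips": set(), "ports": set()})
    for line in log_text.splitlines():
        f = parse_line(line)
        if "MAC_SRC" not in f:  # no usable link-layer header was logged
            continue
        seen[f["MAC_SRC"]]["ips"].add(f.get("SRC"))
        seen[f["MAC_SRC"]]["ports"].add(f.get("DPT"))
    return dict(seen)


if __name__ == "__main__":
    for mac, info in sources_per_mac(SAMPLE_LOG).items():
        print(f"{mac}: {len(info['ips'])} source IPs {sorted(info['ips'])}, "
              f"ports {sorted(info['ports'], key=int)}")
```

The source MAC of a received frame belongs to the last device on the local Ethernet segment, so one MAC logged with many different SRC addresses identifies the upstream hop rather than any single remote host.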


