I check /var/log/messages regularly and find this:

    Nov 19 21:32:51 c896765-a kernel: IN=eth0 IN=eth0 OUT= MAC=00:a0:24:ba:75:64:00:03:6c:48:88:8c:08:00 SRC=65.1.121.18 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=12729 DF PROTO=TCP SPT=3184 DPT=27374 WINDOW=8192 RES=0x00 SYN URGP=0

Now, if I'm reading this correctly, and with the help of the Netfilter log analyzer I think I am, the log entry is telling me that I received a packet scanning for some form of the Sub-7 Trojan horse from 65.1.121.18 with a MAC address of 00:03:6c:48:88:8c. I've got other entries, some identical, some differing on the port, some differing on the IP, but for all of them the MAC address is the same. Would the correct way to block this script-kiddie be something like this?

    iptables -A INPUT --mac-source 00:03:6c:48:88:8c -j DROP

If it helps, I'm running Red Hat 7.2 (using iptables) with all the updates loaded via up2date, and the Linux box acts as my router for the other computers in the house.

Network Setup

      Cable modem
           |
      Linux server
           |
          Hub
     ______|______
     |     |     |
    Box 1 Box 2 Box 3

If further information is required to solve this, please let me know.

Mark McKibben
[EMAIL PROTECTED]
http://www.avalon.net/~manzabar
ICQ# 8476502

Experience is that marvelous thing that enables you to recognize a mistake when you make it again. - Unknown
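Added example, not part of the original post: in a netfilter LOG entry the MAC= field is the Ethernet header (6 bytes destination MAC, 6 bytes source MAC, 2 bytes EtherType), so the source MAC names the adjacent device that delivered the frame, not the remote SRC host. The sketch below parses constructed entries in the post's format and flags a MAC that shows up with several source IPs; the function names and every sample address except the quoted 65.1.121.18 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the first entry follows the one quoted in the post
# (DST replaced with a documentation address); the others are made up.
_MAC = "00:a0:24:ba:75:64:00:03:6c:48:88:8c:08:00"
SAMPLE_LOG = "\n".join(
    f"Nov 19 21:3{i}:51 c896765-a kernel: IN=eth0 OUT= MAC={_MAC} "
    f"SRC={src} DST=192.0.2.10 LEN=48 TTL=118 PROTO=TCP SPT=3184 DPT={dpt} SYN URGP=0"
    for i, (src, dpt) in enumerate(
        [("65.1.121.18", 27374), ("198.51.100.7", 27374), ("203.0.113.44", 1243)]
    )
)

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; bare flags (SYN, DF) are skipped


def parse_entry(line):
    """Return the KEY=value fields of one LOG line, with MAC= split up."""
    fields = dict(FIELD.findall(line))
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:  # Ethernet: 6 dst + 6 src + 2 EtherType
        fields["dst_mac"] = ":".join(octets[:6])
        fields["src_mac"] = ":".join(octets[6:12])
        fields["ethertype"] = "".join(octets[12:])
    return fields


def sources_per_mac(log_text):
    """Map each frame source MAC to the set of IP sources seen behind it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if "src_mac" in entry and "SRC" in entry:
            seen[entry["src_mac"]].add(entry["SRC"])
    return dict(seen)


def next_hop_macs(log_text):
    """Heuristic: a MAC fronting more than one source IP is a router, not a host."""
    return sorted(m for m, ips in sources_per_mac(log_text).items() if len(ips) > 1)


if __name__ == "__main__":
    for mac, ips in sources_per_mac(SAMPLE_LOG).items():
        print(mac, "->", sorted(ips))
    print("likely next-hop MACs:", next_hop_macs(SAMPLE_LOG))
```

A MAC flagged this way is most likely the upstream next hop, so a rule dropping on it would drop every inbound packet arriving through that device; matching on SRC or DPT targets the probes themselves.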