[leaf-user] (no subject)

2003-01-29 Thread Michael Bacon
Joey,

My two cents worth: log files are good, the more the better, it's just a
matter of how to manage them.  I have my firewall (and HP Unix box, 2 Red
Hat servers and even a couple of NT) doing a remote syslog to an internal
RedHat box, then logcheck runs every 15 minutes.  Logcheck looks for anything
out of the ordinary and e-mails it to me.  Most of the e-mails contain nothing
to be concerned about, but it allows me to be aware.

Let this stuff go into the logs, then use a logcheck program to alert you to
the stuff that you really need to pay attention to.  And occasionally, audit
the regular logs just to make sure your log check rules are doing what you
intended them to do.

Michael


Message: 9
Date: Wed, 29 Jan 2003 08:16:34 -0800
To: [EMAIL PROTECTED]
From: Ray Olszewski [EMAIL PROTECTED]
Subject: Re: [leaf-user] tracing spoofed IPs?

At 09:51 AM 1/29/03 -0600, Joey Officer wrote:
I'm not sure if that topic is adequate, but here goes.

I'm sick of my logs filling up with various IPs all trying to hit various
ports.  I know I can put the silent deny up and it won't fill up the log
any more, but is there a more defensive approach that can be taken?  Is there
a way to trace what appear to be spoofed IP addresses?  I've got about a
million of the following entry in my logs:

Jan 29 11:23:47 firewall kernel: Packet log: input DENY eth0 PROTO=17
10.51.192.1:67 255.255.255.255:68 L=350 S=0x00 I=25217 F=0x T=255 (#8)

I know the 10.x.x.x is for private use, so it's obviously not a real IP.
But is there a way to 'answer' the request in order to get more information
from the offending computer to advise the admins and see if they can do
something about it?

Unless your ISP actually uses that address range on your external 
interface, there should be no way to 'answer' the request. That's why 
the addresses are called private -- the standards call for them to be 
unroutable on the public Internet. But while they are often called 'not 
real' colloquially, they can in fact be perfectly real, in that they are 
used by actual machines on NAT'd LANs.

Since they involve source port 67 and broadcast traffic (at least your 
example does), it's a good guess that this traffic comes from other users 
of your ISP who do not have their routers (or, possibly, their LAN 
broadcast addresses) set properly, causing the incessant chatter of Windows 
PCs with file-sharing enabled to leak off the LAN. If this guess is right, 
then the source addresses are not spoofed; they are real machines on NAT'd 
LANs that have misconfigured routers. (Old saying: Never attribute to 
malice that which can be adequately explained by incompetence.)

Of course, this comment only applies to the example log entry you chose; 
your general question about various IPs all trying to hit various ports 
is too vague to answer in the form posed. Some knowledge of the actual 
addresses and ports involved is required. (And there *is* another old 
saying: Never attribute to incompetence that which can be adequately 
explained by malice.)


--
"Never tell me the odds!" -- Han Solo
Ray Olszewski
Palo Alto, California, USA   [EMAIL PROTECTED]

---






THE INFORMATION CONTAINED IN THIS E-MAIL IS CONFIDENTIAL AND INTENDED ONLY
FOR THE USE OF THE INDIVIDUAL TO WHOM IT IS ADDRESSED.  IF YOU ARE NOT THE
INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY USE, DISSEMINATION,
DISTRIBUTION OR COPYING OF THIS COMMUNICATION IS PROHIBITED.  IF YOU HAVE
RECEIVED THIS E-MAIL IN ERROR, PLEASE IMMEDIATELY NOTIFY THE SENDER BY
RETURN E-MAIL OR CALL VALLEY MEDICAL CENTER, PLLC AT 1-888-884-4155, EXT
6203 AND DELETE THIS E-MAIL, ANY ATTACHMENTS, AND ALL COPIES.




---
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
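As an added example, not code from the thread or from the LEAF project: a logcheck-style triage pass over ipchains "Packet log" lines of the kind Joey posted, applying Ray's reading (UDP 67 to 255.255.255.255:68 from an RFC 1918 source is leaked DHCP chatter, not a spoofed probe) and summarising the remaining sources by the ports they touched, the kind of review Michael describes. The second source address and its ports are constructed for the sample.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed sample lines in the ipchains "Packet log:" format quoted in the thread.
# The first two mirror Joey's entry; the last two are a hypothetical host touching
# ports 1080 and 25, the pattern Michael's port sentry flagged.
SAMPLE_LOG = """\
Jan 29 11:23:47 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.51.192.1:67 255.255.255.255:68 L=350 S=0x00 I=25217 F=0x T=255 (#8)
Jan 29 11:23:49 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.51.192.1:67 255.255.255.255:68 L=350 S=0x00 I=25218 F=0x T=255 (#8)
Jan 29 11:24:02 firewall kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:3345 203.0.113.9:1080 L=60 S=0x00 I=4411 F=0x T=48 (#12)
Jan 29 11:24:03 firewall kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:3346 203.0.113.9:25 L=60 S=0x00 I=4412 F=0x T=48 (#12)
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BROADCAST = ipaddress.ip_address("255.255.255.255")

def parse(line):
    """Return the addressing fields of one ipchains log line, or None if it is not one."""
    m = LOG_RE.search(line)
    return {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()} if m else None

def classify(e):
    src = ipaddress.ip_address(e["src"])
    private = any(src in n for n in RFC1918)
    # Ray's diagnosis: a DHCP server reply (UDP 67 -> limited broadcast :68) from a
    # private source is a neighbour's LAN leaking through a misconfigured router.
    if (e["proto"] == 17 and e["sport"] == 67 and e["dport"] == 68
            and ipaddress.ip_address(e["dst"]) == BROADCAST and private):
        return "ignore:leaked-dhcp-broadcast"
    if private:
        return "review:private-source-on-external"  # unroutable source, but not DHCP chatter
    return "review:probe"

def triage(text):
    """Count each class, and list the destination ports touched by each source worth reviewing."""
    counts, ports = Counter(), defaultdict(set)
    for line in text.splitlines():
        e = parse(line)
        if e is None:
            continue
        label = classify(e)
        counts[label] += 1
        if label.startswith("review:"):
            ports[e["src"]].add(e["dport"])
    return counts, {src: sorted(p) for src, p in ports.items()}
```

Run against a real syslog stream, the "ignore" class is what a logcheck rule would suppress and the per-source port list is what goes into the e-mail.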



RE: [leaf-user] tcpdump of blocked packets?

2002-11-26 Thread Michael Bacon
Here's one source:

http://leaf.sourceforge.net/devel/thc/files/kwarchive/

I did a quick search on google for psentry.lrp

Google is good :)

Michael

-Original Message-
From: Matt Russell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 26, 2002 11:07 AM
To: Michael Bacon; [EMAIL PROTECTED]
Subject: RE: [leaf-user] tcpdump of blocked packets?


where can the port sentry .lrp be obtained?

TIA,
matt



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Michael Bacon
Sent: Monday, November 25, 2002 11:18 AM
To: [EMAIL PROTECTED]
Subject: [leaf-user] tcpdump of blocked packets?


I'm using port sentry on my LRP box.  The other day it blocked someone
attempting to access port 1080 (not used), then port 25 (redirect to our mail
server).  He came back the next day and tried port 25 again, but he was
still blocked by the firewall rules.

I thought I read somewhere there is a way to capture via tcpdump some of the
packet information and write it to a file or syslog when a packet is
dropped.  Is this possible?  Can someone point me in a direction for
research?

I'm feeling uneasy that I don't know what this person was/is attempting.

Thank you in advance.

Michael Bacon
[EMAIL PROTECTED]
Network Admin.
Valley Medical Center, PPLC




[leaf-user] tcpdump of blocked packets?

2002-11-25 Thread Michael Bacon
I'm using port sentry on my LRP box.  The other day it blocked someone
attempting to access port 1080 (not used), then port 25 (redirect to our mail
server).  He came back the next day and tried port 25 again, but he was
still blocked by the firewall rules.

I thought I read somewhere there is a way to capture via tcpdump some of the
packet information and write it to a file or syslog when a packet is
dropped.  Is this possible?  Can someone point me in a direction for
research?

I'm feeling uneasy that I don't know what this person was/is attempting.

Thank you in advance.

Michael Bacon 
[EMAIL PROTECTED]
Network Admin.
Valley Medical Center, PPLC