Re: [Leaf-user] How not to log a deny'ed packet/ip address
Subject: Re: [Leaf-user] How not to log a deny'ed packet/ip address
Date: Fri, 30 Nov 2001 22:16:57 -0600
From: guitarlynn <[EMAIL PROTECTED]>
To: "Scott C. Best" <[EMAIL PROTECTED]>

On Friday 30 November 2001 17:59, you wrote:
> Dachstein handles the log rotation better than ES2B does,
> sure. For my liking though, I want the stuff in my log files to
> be at least interesting. :)

Yes, and the ruleset to Dachstein is nice enough that I have to check it with the weblet to understand what is going where. Charles posted the info on the SILENT_DENY option I couldn't figure out.

# Traffic to completely ignore...define here to prevent filling your logs
# Space separated list: protocol_srcip/mask_dstport
#SILENT_DENY="udp_207.235.84.1_route udp_207.235.84.0/24_37"

So you want something like:

SILENT_DENY="88_x.y.z.158"

I wasn't thinking about the changes in regards to a subnet compared to a host. Something as a commented suggestion would have been much clearer to me, like:

#SILENT_DENY="ProtoNumber_SourceAddress/Netmask_DestinationPort"
#Netmask and DestinationPort are optional

I edited my network.conf file to match these parameters on the web trash, and waalaa, it works perfectly!

Thanks to all again,
Lynn Avants
~Guitalrynn

--
if linux isn't the answer, you've got the wrong question

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] How not to log a deny'ed packet/ip address
Lynn:
Heya. Late suggestion: try either the echowall.lrp package, or cut&paste from the end of the echowall.rules file inside of that package. I built echowall for a 486 with only 16M of RAM that firewalled me from a cable-modem environment. As you prolly know, I had to reboot every week or so as the log files got so hefty. Dachstein handles the log rotation better than ES2B does, sure. For my liking though, I want the stuff in my log files to be at least interesting. :)

cheers,
Scott

> I've got a rogue 10.x.x.x/32 server polling my Dachstein firewall
> twice every 16 seconds for a dhcp server and a port 80 scan every
> 2 minutes. I can't find any info in the archives and sites about
> "dropping" (not logging) these packets when they are deny'ed.
> The packets (webtrash) I am looking to stop logging are being
> denied by rules 10, 12, and 41. What is the syntax or change
> I need to make to quit logging these.
>
> Other than this, Dachstein is perfect, already surviving two DoS
> attacks without a reboot to date.
>
> Thanks all,
> Lynn Avants
> [EMAIL PROTECTED]
>
> --
> if linux isn't the answer, you've got the wrong question
Re: [Leaf-user] How not to log a deny'ed packet/ip address
On Thursday 29 November 2001 08:44, you wrote:
> There is a SILENT_DENY setting in network.conf. Extract details of
> the packets you don't want logged from your existing log files, and
> add them to SILENT_DENY to stop logging them.
>
> Charles Steinkuehler

That's wonderful. I've been trying to get the syntax down correctly, but I can't seem to get it right. I did look at the firewall script... it's beyond me to completely understand how it is working with all the variables in this short of a time. Anyway, I have included my log (messages.txt) as an attachment. If someone could help me with the SILENT_DENY line(s) that are needed to block this trash, it would save me countless hours of trial and error here. I've already played with it for about 3 hours with no luck.

Thanks again,
Lynn Avants
~the dummy!

--
if linux isn't the answer, you've got the wrong question
Re: [Leaf-user] How not to log a deny'ed packet/ip address
> Is this available in EigerStein2BETA.exe? I did not see this variable in
> the network.conf file. Can I just add it?

You can, but it won't work :( The SILENT_DENY variable was initially added as part of my extended scripts, so if you install these, you can use SILENT_DENY... or you could just tack on some rules at the end of ipfilter.conf

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
RE: [Leaf-user] How not to log a deny'ed packet/ip address
Is this available in EigerStein2BETA.exe? I did not see this variable in the network.conf file. Can I just add it?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charles Steinkuehler
Sent: Thursday, November 29, 2001 6:45 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] How not to log a deny'ed packet/ip address

> I've got a rogue 10.x.x.x/32 server polling my Dachstein firewall
> twice every 16 seconds for a dhcp server and a port 80 scan every
> 2 minutes. I can't find any info in the archives and sites about
> "dropping" (not logging) these packets when they are deny'ed.
> The packets (webtrash) I am looking to stop logging are being
> denied by rules 10, 12, and 41. What is the syntax or change
> I need to make to quit logging these.
>
> Other than this, Dachstein is perfect, already surviving two DoS
> attacks without a reboot to date.

There is a SILENT_DENY setting in network.conf. Extract details of the packets you don't want logged from your existing log files, and add them to SILENT_DENY to stop logging them.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] How not to log a deny'ed packet/ip address
> I've got a rogue 10.x.x.x/32 server polling my Dachstein firewall
> twice every 16 seconds for a dhcp server and a port 80 scan every
> 2 minutes. I can't find any info in the archives and sites about
> "dropping" (not logging) these packets when they are deny'ed.
> The packets (webtrash) I am looking to stop logging are being
> denied by rules 10, 12, and 41. What is the syntax or change
> I need to make to quit logging these.
>
> Other than this, Dachstein is perfect, already surviving two DoS
> attacks without a reboot to date.

There is a SILENT_DENY setting in network.conf. Extract details of the packets you don't want logged from your existing log files, and add them to SILENT_DENY to stop logging them.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] How not to log a deny'ed packet/ip address
hello lynn

it is the option -l which is responsible for the logging. you can redefine a rule like this:

ipchains -R input 7 -s 10.0.0.0/8 -j DENY

this replaces rule nr. 7 on the input chain. (rule nr. 7 was _my_ rule to deny traffic from 10.0.0.0/8 and log it, i used the above command to replace it.)

you can of course decide to be more conscious than me and log everything else but your rogue server. in this case you would have to insert a more specific rule

ipchains -I input 6 -s 10.1.1.2/32 -j DENY

which will silently deny the traffic from that specific server before the more general rule denies it and logs it.

it is impossible to determine the exact commands you would have to issue on your system (i do not use dachstein, so rules 10, 12 and 41 mean nothing to me). generally you should be able to use the same syntax that generated your rules in the first place, just avoiding -l.

it is the IPCHAINS-HOWTO (http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-4.html) where more information can be found. there is also a great quick reference: http://users.owt.com/msensney/lrp/ipchains-quickref.pdf

> I've got a rogue 10.x.x.x/32 server polling my Dachstein firewall
> twice every 16 seconds for a dhcp server and a port 80 scan every
> 2 minutes. I can't find any info in the archives and sites about
> "dropping" (not logging) these packets when they are deny'ed.
> The packets (webtrash) I am looking to stop logging are being
> denied by rules 10, 12, and 41. What is the syntax or change
> I need to make to quit logging these.
>
> Other than this, Dachstein is perfect, already surviving two DoS
> attacks without a reboot to date.
>
> Thanks all,
> Lynn Avants
> [EMAIL PROTECTED]
>
> --
> if linux isn't the answer, you've got the wrong question
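The two approaches in this thread, the SILENT_DENY list in network.conf and a more specific ipchains DENY rule inserted ahead of the logging rule, fit together in one small helper. The script below is an added example, not the Dachstein/LEAF firewall script or anything posted by the thread's participants: it expands entries written in the quoted SILENT_DENY format (proto_srcip[/mask][_dstport]) into ipchains rules without -l, printing them for review instead of applying them. The sample entry list and its addresses are constructed, and the insert position of 1 is an assumption.

```shell
#!/bin/sh
# Added example, not from the Dachstein/LEAF scripts. Expands entries in
# the SILENT_DENY format quoted in the thread, proto_srcip[/mask][_dstport],
# into ipchains DENY rules that carry no -l flag, so matching packets are
# dropped without being logged. Rules are printed rather than executed so
# they can be reviewed first; the insert position (1) is an assumption.

# Constructed sample list; addresses are placeholders, not real hosts.
SILENT_DENY="udp_10.1.1.2_67 88_192.0.2.158 udp_192.0.2.0/24_37"

# $1 = one SILENT_DENY entry. Prints the matching ipchains command.
silent_deny_rule() {
    entry=$1
    proto=${entry%%_*}                # part before the first underscore
    rest=${entry#*_}                  # srcip[/mask][_dstport]
    case $rest in
        *_*) src=${rest%%_*}; dport=${rest#*_} ;;
        *)   src=$rest;        dport= ;;
    esac
    # Netmask is optional in the thread's syntax: a bare address is one host.
    case $src in
        */*) ;;
        *)   src="$src/32" ;;
    esac
    rule="ipchains -I input 1 -p $proto -s $src"
    # No port given (e.g. 88_x.y.z.158 in the thread): match the whole
    # protocol. Otherwise restrict the rule to that destination port.
    if [ -n "$dport" ]; then
        rule="$rule -d 0.0.0.0/0 $dport"
    fi
    echo "$rule -j DENY"
}

# Emits one rule per entry, in list order. Because each rule is inserted at
# position 1, later entries end up above earlier ones; for DENY-only rules
# the relative order does not change the result.
silent_deny_rules() {
    for e in $SILENT_DENY; do
        silent_deny_rule "$e"
    done
}

silent_deny_rules
```

Paste the printed commands into the firewall script (or ipfilter.conf, per Charles's suggestion) so they run before the general deny-and-log rules; anything they match never reaches the logging rule.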