Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?
Hey again Craig,

Nope - the files should be pretty much identical to the ones I showed you except you don't need the text in brackets (port # of any services you run that use ports below 1024 like ssh or ftp or www) - replace that with the port numbers of any services you want to run - i.e. 22 for ssh or 21 for ftp - and don't put the brackets in. If you have more than one service (say you're running ssh and ftp on the default ports) your config would look like this:

dst host
 and tcp[2:2] & 0xfc00 == 0
 and not dst port 22
 and not dst port 21

The other thing is when you are configuring your options you might want to leave the -v switch out as noted by Steve Jeppesen as it will fill your log partition. As a reference point here is what you probably want as your options for LaBrea (you can get to this file by typing in ae /etc/init.d/LaBrea):

OPTIONS="-i eth0 -l -p 8 -z -x -F /etc/LaBrea.bpf"

HTH
S

>From: "Craig Caughlin" <[EMAIL PROTECTED]>
>To: "LEAF" <[EMAIL PROTECTED]>
>Subject: [Leaf-user] Will LaBrea work with dynamic IP addresses?
>Date: Fri, 1 Mar 2002 06:31:12 -0800
>
>Hi folks,
>Hey Simon...are you reading this??? -if not, hopefully someone can clarify
>something for me. Should I create the two files as suggested in Simon's
>earlier message (see below) exactly as he has shown...or is there something
>unique about my scenario that I should be substituting when I create these
>files? Thank you, have a great weekend!!!
>
>Craig
>
>1. Create /etc/LaBrea.in have it contain the following:
>
>dst host
> and tcp[2:2] & 0xfc00 == 0
> and not dst port (port # of any services you run that use ports below 1024 like ssh or ftp or www)
>
>2. Create /etc/LaBrea.scr it should contain the following:
>
>#!/bin/sh
>
>IPADDR=`ip addr list label eth0 | grep inet | \
>sed '1!d;s/^[^.0-9]*\([.0-9]*\).*$/\1/'`
>
>sed "s//$IPADDR/g" /etc/LaBrea.in >/etc/LaBrea.bpf
>
>3. Allow LaBrea.scr to be executable:
>
>chmod 744 /etc/LaBrea.scr
>
>4. Edit the dhclient-exit-hooks to with the following changes:
>
># Reload networking to see new address
>reload_all
>
>Add a few lines so you have
>
># Reload networking to see new address
>reload_all
>/etc/LaBrea.scr
>svi LaBrea stop
>svi LaBrea start
>
>5. Back up dhclient and LaBrea - all done :)

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user

Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?
Yes, I have "disabled" or rather stopped logging hits to port 80. That was the first thing I did Saturday after my logs were multiplying like rabbits and I had to do something to slow them down!

Steve

On Thu, 28 Feb 2002 00:34:34 -0500 "Simon Bolduc" <[EMAIL PROTECTED]> wrote:

> Steve,
>
> I long ago stopped logging hits on port 80, and just have them silently
> denied - it just made the whole messages file too hard to read - you might
> want to consider doing this.
>
> S

Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?
Steve,

I long ago stopped logging hits on port 80, and just have them silently denied - it just made the whole messages file too hard to read - you might want to consider doing this.

S

Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?
Hey Craig,

Well to answer your first question, ae is the editor you use, just type ae at a command prompt and you should be good, then it's just +W to save the file - so you could just type the file name at the prompt /etc/LaBrea.in or whatever the file name is.

To edit the dhclient-exit-hooks you run lrcfg at a command prompt, then choose options "3) Package Settings", "4) dhclient" (at least it's the 4th package on my box), and finally "5) dhclient-exit-hooks". After you're done editing you just hit +Q and type y to save the changes.

The easiest way to copy and paste text to your box is to run Putty (at least in a Windows environment). You will need to be running SSH to use this. SSH is on your Dachstein CD (assuming you're using the CD version). If you aren't running SSH already here is an (older) document that might help to get you started:

http://sourceforge.net/docman/display_doc.php?docid=1441&group_id=13751

You can also check the readme.txt contained on the CD:

http://lrp1.steinkuehler.net/files/diskimages/dachstein-CD/README.txt

Assuming you are running SSH properly and are using Putty, just highlight the text you want (from the email), right click on it and choose copy. Then to paste it into the Putty window right click on the window - and it automagically gets typed in. Putty tends to mess tabs up tho - so you may have some deleting to do. Putty is available here:

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

HTH
S

>From: "Craig Caughlin" <[EMAIL PROTECTED]>
>To: "LEAF" <[EMAIL PROTECTED]>
>Subject: [Leaf-user] Will LaBrea work with dynamic IP addresses?
>Date: Wed, 27 Feb 2002 11:26:36 -0800
>
>Thank you Simon and Lynn for the responses. Unfortunately, I don't quite
>understand it all (I've taken a college class on Linux because I really
>enjoy this stuff, but please bear with my ignorance as I learn :-) ). 1.)
>First, how do I create the /etc/LaBrea.in that you refer to, and how do I
>create the /etc/LaBrea.scr. Do I do that from the command prompt of DCD by
>using the ae editor? 2.) How do I "edit the dhclient-exit-hooks to"? Is that
>in the network.conf file or ??? Thank you for your help, have a great day!!!
>
>Craig
>
>P.S. How do you copy and paste with Dachstein?

Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?
I have to say - Simon, along with Charles posted on the list about a week ago and this is how I set mine up last week. I did pretty much the same thing Simon posted, except I took out the v (Verbosely log activity to syslog) out of the OPTIONS=" and I disabled logging on port 80 - My ramdisk was pushing 98% capacity in a matter of a few hours!

#1 Seems LaBrea is working just fine, too good actually because it is drawing in some active port scanning as well, just increases after they realized something (LaBrea) answered them back.

could just change
 and tcp[2:2] & 0xfc00 == 0 in /etc/LaBrea.bpf
to read
 tcp dst port 80 or 21)
however I think I would rather just keep it the way it is.

#2 It would work even better - say that when any IP that gets teergrubed LaBrea (or some other package?) could run a small script to stop logging anything else to do with that IP..

Feb 27 05:44:12 firewall /usr/sbin/LaBrea: Teergrubing: 80.13.85.237 4427 -> 24.118.176.41 21

preferably I would not want this to show up in the log after the previous msg;

Feb 27 05:44:12 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=15884 F=0x4000 T=25 (#67)
Feb 27 05:44:17 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16298 F=0x4000 T=25 (#67)
Feb 27 05:44:20 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16508 F=0x4000 T=25 (#67)
Feb 27 05:44:26 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16875 F=0x4000 T=25 (#67)

On Wed, 27 Feb 2002 11:14:28 -0500

Now with the changes I made, and uptime is over three days;
Uptime:
 12:46:30 up 3 Days (94h), load average: 0.16 0.03 0.01

my ramdisk is fine;
/dev/ram1 4049 359 3690 9% /var/log

That I can live with.

Thanks again to all your help!
Steve

"Simon Bolduc" <[EMAIL PROTECTED]> wrote:

> This is from the mailing list (modified slightly) - it is a little script
> that greps your external IP and reconfigures LaBrea on an IP change:
>
> 1. Create /etc/LaBrea.in have it contain the following:
>
> dst host
>  and tcp[2:2] & 0xfc00 == 0
>  and not dst port (port # of any services you run that use ports below 1024 like ssh or ftp or www)
>
> 2. Create /etc/LaBrea.scr it should contain the following:
>
> #!/bin/sh
>
> IPADDR=`ip addr list label eth0 | grep inet | \
> sed '1!d;s/^[^.0-9]*\([.0-9]*\).*$/\1/'`
>
> sed "s//$IPADDR/g" /etc/LaBrea.in >/etc/LaBrea.bpf
>
> 3. Allow LaBrea.scr to be executable:
>
> chmod 744 /etc/LaBrea.scr
>
> 4. Edit the dhclient-exit-hooks to with the following changes:
>
> # Reload networking to see new address
> reload_all
>
> Add a few lines so you have
>
> # Reload networking to see new address
> reload_all
> /etc/LaBrea.scr
> svi LaBrea stop
> svi LaBrea start
>
> 5. Back up dhclient and LaBrea - all done :)
>
> Just so you know the filter will block all ports below 1024 (which are the
> ports that are normally denied automatically by Dachstein), make sure you
> aren't running any services on those ports - or alter the bpf accordingly.
> If you only have one IP address like I do here are the options that I use to
> make sure my box doesn't proactively look for unused IPs (contained in the
> LaBrea startup script):
>
> OPTIONS="-i eth0 -l -v -p 8 -z -x -F /etc/LaBrea.bpf"
>
> Also everything is case sensitive in Linux - thus labrea and LaBrea are two
> totally different words to the OS - so make sure you are typing things
> correctly. You may just want to cut and paste.
>
> HTH
> S
>
> >From: "Craig Caughlin" <[EMAIL PROTECTED]>
> >To: "LEAF" <[EMAIL PROTECTED]>
> >Subject: [Leaf-user] Will LaBrea work with dynamic IP addresses?
> >Date: Wed, 27 Feb 2002 07:33:33 -0800
> >
> >Hi folks,
> >I'm confused (what else is new :-) ). Will LaBrea work with the "default"
> >Dachstein CD (which acts as both a DHCP client & Server)? or would I need to
> >change DCD for static addresses? I have my generic, Dachstein CD working
> >O.K., and would like to incorporate LaBrea...but I can't seem to figure out
> >if it will work with the default DCD. Thank you, have a great day!
> >
> >Craig

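Steve's point #2 above, done as post-processing of the log rather than inside LaBrea: an added example (not code from the thread or from LaBrea) that drops kernel DENY lines for any flow already reported in a Teergrubing line. The function name and the sample lines, which use documentation addresses, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): filter a syslog stream so that kernel
# "Packet log" DENY lines are dropped for any flow LaBrea already reported.

suppress_teergrubed() {
    awk '
    # LaBrea line: "... Teergrubing: SRC SPORT -> DST DPORT"
    /LaBrea: Teergrubing: / {
        for (i = 1; i + 5 <= NF; i++)
            if ($i == "Teergrubing:" && $(i + 3) == "->")
                seen[$(i + 1) ":" $(i + 2) " " $(i + 4) ":" $(i + 5)] = 1
        print
        next
    }
    # Kernel line: "... PROTO=6 SRC:SPORT DST:DPORT L=40 ..."
    /kernel: Packet log: / {
        for (i = 1; i + 2 <= NF; i++)
            if ($i ~ /^PROTO=/ && (($(i + 1) " " $(i + 2)) in seen))
                next
    }
    { print }
    '
}

# Constructed sample in the two log formats quoted in the thread, using
# documentation addresses.
SAMPLE_LOG='Feb 27 05:44:12 firewall /usr/sbin/LaBrea: Teergrubing: 198.51.100.7 4427 -> 192.0.2.10 21
Feb 27 05:44:12 firewall kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4427 192.0.2.10:21 L=40 S=0x00 I=15884 F=0x4000 T=25 (#67)
Feb 27 05:44:17 firewall kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4427 192.0.2.10:21 L=40 S=0x00 I=16298 F=0x4000 T=25 (#67)
Feb 27 05:44:19 firewall kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:1200 192.0.2.10:23 L=40 S=0x00 I=411 F=0x4000 T=25 (#67)'

# Keeps the Teergrubing line and the unrelated DENY line only.
printf '%s\n' "$SAMPLE_LOG" | suppress_teergrubed
```

A DENY line that arrives before its Teergrubing line is kept, since that flow has not been seen yet.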
Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?
The reason I have the verbose logging is because I remotely log the information and generate a web page that lists the time frames I was hit by an IP and how many packets have been sent to me by each IP. I suppose I should have left that out - as I have to reset my log files every 2 hours or so. :)

Oops
Simon

>From: Steve Jeppesen <[EMAIL PROTECTED]>
>To: "Simon Bolduc" <[EMAIL PROTECTED]>, leaf-user <[EMAIL PROTECTED]>
>Subject: Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?
>Date: Wed, 27 Feb 2002 12:50:36 -0600
>
>I have to say - Simon, along with Charles posted on the list about a week ago
>and this is how I set mine up last week. I did pretty much the same thing
>Simon posted, except I took out the v (Verbosely log activity to syslog)
>out of the OPTIONS=" and I disabled logging on port 80 - My ramdisk was
>pushing 98% capacity in a matter of a few hours!
>
> #1 Seems LaBrea is working just fine, too good actually because it is drawing
>in some active port scanning as well, just increases after they
>realized something (LaBrea) answered them back.
>
>could just change
> and tcp[2:2] & 0xfc00 == 0 in /etc/LaBrea.bpf
>to read
> tcp dst port 80 or 21)
>however I think I would rather just keep it the way it is.
>
> #2 It would work even better - say that when any IP that gets teergrubed
>LaBrea (or some other package?) could run a small script to stop logging
>anything else to do with that IP..
>
>Feb 27 05:44:12 firewall /usr/sbin/LaBrea: Teergrubing: 80.13.85.237 4427 -> 24.118.176.41 21
>
>preferably I would not want this to show up in the log after the previous msg;
>
>Feb 27 05:44:12 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=15884 F=0x4000 T=25 (#67)
>Feb 27 05:44:17 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16298 F=0x4000 T=25 (#67)
>Feb 27 05:44:20 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16508 F=0x4000 T=25 (#67)
>Feb 27 05:44:26 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16875 F=0x4000 T=25 (#67)
>
>On Wed, 27 Feb 2002 11:14:28 -0500
>
>Now with the changes I made, and uptime is over three days;
>Uptime:
> 12:46:30 up 3 Days (94h), load average: 0.16 0.03 0.01
>
>my ramdisk is fine;
>/dev/ram1 4049 359 3690 9% /var/log
>
>That I can live with.
>
>Thanks again to all your help!
>Steve
>
>"Simon Bolduc" <[EMAIL PROTECTED]> wrote:
>
> > This is from the mailing list (modified slightly) - it is a little script
> > that greps your external IP and reconfigures LaBrea on an IP change:
> >
> > 1. Create /etc/LaBrea.in have it contain the following:
> >
> > dst host
> >  and tcp[2:2] & 0xfc00 == 0
> >  and not dst port (port # of any services you run that use ports below 1024 like ssh or ftp or www)
> >
> > 2. Create /etc/LaBrea.scr it should contain the following:
> >
> > #!/bin/sh
> >
> > IPADDR=`ip addr list label eth0 | grep inet | \
> > sed '1!d;s/^[^.0-9]*\([.0-9]*\).*$/\1/'`
> >
> > sed "s//$IPADDR/g" /etc/LaBrea.in >/etc/LaBrea.bpf
> >
> > 3. Allow LaBrea.scr to be executable:
> >
> > chmod 744 /etc/LaBrea.scr
> >
> > 4. Edit the dhclient-exit-hooks to with the following changes:
> >
> > # Reload networking to see new address
> > reload_all
> >
> > Add a few lines so you have
> >
> > # Reload networking to see new address
> > reload_all
> > /etc/LaBrea.scr
> > svi LaBrea stop
> > svi LaBrea start
> >
> > 5. Back up dhclient and LaBrea - all done :)
> >
> > Just so you know the filter will block all ports below 1024 (which are the
> > ports that are normally denied automatically by Dachstein), make sure you
> > aren't running any services on those ports - or alter the bpf accordingly.
> > If you only have one IP address like I do here are the options that I use to
> > make sure my box doesn't proactively look for unused IPs (contained in the
> > LaBrea startup script):
> >
> > OPTIONS="-i eth0 -l -v -p 8 -z -x -F /etc/LaBrea.bpf"
> >
> > Also everything is case sensitive in Linux - thus labrea and LaBrea are two
> > totally different words to the OS - so make sure you are typing things
> > correctly. You may just want to cut an
Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?
On Wednesday 27 February 2002 10:14, Simon Bolduc wrote:

> 2. Create /etc/LaBrea.scr it should contain the following:
>
> #!/bin/sh
>
> IPADDR=`ip addr list label eth0 | grep inet | \
> sed '1!d;s/^[^.0-9]*\([.0-9]*\).*$/\1/'`
>
> sed "s//$IPADDR/g" /etc/LaBrea.in >/etc/LaBrea.bpf

Nice script. If you want something Dachstein specific that takes the external ip addy and service ports from /etc/network.conf let me know. It would eliminate the need to enter these ports twice in the config.

--
~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!

Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?
This is from the mailing list (modified slightly) - it is a little script that greps your external IP and reconfigures LaBrea on an IP change:

1. Create /etc/LaBrea.in have it contain the following:

dst host
 and tcp[2:2] & 0xfc00 == 0
 and not dst port (port # of any services you run that use ports below 1024 like ssh or ftp or www)

2. Create /etc/LaBrea.scr it should contain the following:

#!/bin/sh

IPADDR=`ip addr list label eth0 | grep inet | \
sed '1!d;s/^[^.0-9]*\([.0-9]*\).*$/\1/'`

sed "s//$IPADDR/g" /etc/LaBrea.in >/etc/LaBrea.bpf

3. Allow LaBrea.scr to be executable:

chmod 744 /etc/LaBrea.scr

4. Edit the dhclient-exit-hooks to with the following changes:

# Reload networking to see new address
reload_all

Add a few lines so you have

# Reload networking to see new address
reload_all
/etc/LaBrea.scr
svi LaBrea stop
svi LaBrea start

5. Back up dhclient and LaBrea - all done :)

Just so you know the filter will block all ports below 1024 (which are the ports that are normally denied automatically by Dachstein), make sure you aren't running any services on those ports - or alter the bpf accordingly. If you only have one IP address like I do here are the options that I use to make sure my box doesn't proactively look for unused IPs (contained in the LaBrea startup script):

OPTIONS="-i eth0 -l -v -p 8 -z -x -F /etc/LaBrea.bpf"

Also everything is case sensitive in Linux - thus labrea and LaBrea are two totally different words to the OS - so make sure you are typing things correctly. You may just want to cut and paste.

HTH
S

>From: "Craig Caughlin" <[EMAIL PROTECTED]>
>To: "LEAF" <[EMAIL PROTECTED]>
>Subject: [Leaf-user] Will LaBrea work with dynamic IP addresses?
>Date: Wed, 27 Feb 2002 07:33:33 -0800
>
>Hi folks,
>I'm confused (what else is new :-) ). Will LaBrea work with the "default"
>Dachstein CD (which acts as both a DHCP client & Server)? or would I need to
>change DCD for static addresses? I have my generic, Dachstein CD working
>O.K., and would like to incorporate LaBrea...but I can't seem to figure out
>if it will work with the default DCD. Thank you, have a great day!
>
>Craig
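
The procedure in this message and the two-service filter from Simon's follow-up at the top of the thread, combined into one added example (not code from the thread or from LaBrea): it builds the filter text directly from an address and a port list instead of substituting into /etc/LaBrea.in, rejects an empty or malformed address or port, and replaces the filter file only when the build succeeds. The function names and the sample `ip` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build the LaBrea BPF filter from the
# current address and a list of service ports, refusing bad input.

# True only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# True only for a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# First IPv4 address found in `ip addr list` output read from stdin.
first_inet() {
    awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }'
}

# Print the filter in the form used in the thread: our address, destination
# ports below 1024, minus each service port passed as an argument.
build_filter() {
    ip=${1-}; [ "$#" -eq 0 ] || shift
    valid_ipv4 "$ip" || { echo "bad address: '$ip'" >&2; return 1; }
    filter="dst host $ip and tcp[2:2] & 0xfc00 == 0"
    for port in "$@"; do
        valid_port "$port" || { echo "bad port: '$port'" >&2; return 1; }
        filter="$filter and not dst port $port"
    done
    printf '%s\n' "$filter"
}

# Write the filter to file $1 through a temporary file, so a failed build
# (for example no address on the interface) leaves the previous filter untouched.
write_filter() {
    out=$1; shift
    build_filter "$@" > "$out.tmp" || { rm -f "$out.tmp"; return 1; }
    mv "$out.tmp" "$out"
}

# Constructed sample of `ip addr list label eth0` output (documentation
# address); on the router, pipe the real command into first_inet instead.
SAMPLE='2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0'

# Ports 22 and 21 are excluded, as in the thread's two-service filter.
build_filter "$(printf '%s\n' "$SAMPLE" | first_inet)" 22 21
```

In the dhclient-exit-hooks step, a call to `write_filter /etc/LaBrea.bpf` with the detected address and the service ports would take the place of /etc/LaBrea.scr, with the LaBrea restart run only when that call succeeds.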