I had a very similar problem; I wrote a few scripts to handle the problem automatically. I call it dnyports. The script (runs on a cron) will scan your /var/log/messages log file and look for DENY or REJECT, and if it finds one it will write a rule to DENY without logging. The rule is written to the specific ip address AND port number. The script also keeps a running list of addresses/ports and keeps a counter that will self-adjust to the number of deny/rejects in the messages log file. The script also strips out duplicate addresses/ports. I have a companion script I run on a cron to wipe the running list file so I do not have stagnant addresses, which is helpful if addresses come from a dialup. I also wrote scripts that will create a graph 'on the fly' of addresses/ports that have been denied; this I called ip-graph. I made this into a package (ip-graph.lrp); this package replaces the existing weblet (and its support files). Give them a look at http://www.vette66.com. I have been using them for about 2-3 months now and they are working quite well. I am not bothered with the port 53 stuff as well as other ports.

Vette66 (chuck)

----- Original Message -----
From: "Julian Church" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 09, 2002 10:38 AM
Subject: [leaf-user] TCP port 53 floods - alternative to SILENT_DENY
> I know the subject of floods on tcp port 53 has been covered before at
> length, so I'll try to keep this brief.
>
> At the moment I'm using the SILENT_DENY variable to list the usual source
> IP's of these harmless nuisance packets and so keep them out of my
> logs. It works, but it generates a lot of rules and every so often new
> IP's start emitting these packets, so then I have to fiddle about and bring
> the SILENT_DENY list up to date.
>
> Instead, is there any harm in me just inserting a single rule at the
> beginning of the input chain, to silently DENY all tcp port 53 packets that
> arrive at my external interface?
>
> It seems like a neater, more convenient way of doing things to me, but I'm
> still worried there might be a catch. Could anyone in the know comment?
>
> many thanks
>
> Julian Church
>
> --
> [EMAIL PROTECTED]
> www.ljchurch.co.uk
>
>
> _______________________________________________________________
>
> Have big pipes? SourceForge.net is looking for download mirrors. We supply
> the hardware. You get the recognition. Email Us: [EMAIL PROTECTED]
>
> ------------------------------------------------------------------------
> leaf-user mailing list: [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
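A sketch of the log-scanning step chuck describes (scan /var/log/messages for DENY/REJECT, deduplicate by source address and destination port, count hits, and emit a non-logging rule for each entry that crosses a threshold), added here as an example; it is not the dnyports script itself. It assumes ipchains-era "Packet log:" lines in the field order shown and ipchains rule syntax; the log lines are constructed.

```sh
#!/bin/sh
# Constructed sample of ipchains "Packet log:" lines as they would appear in
# /var/log/messages (field order assumed; adjust the offsets for your kernel).
SAMPLE_LOG='May  9 10:38:01 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4521 198.51.100.1:53 L=48 S=0x00 I=1 F=0x4000 T=112 SYN (#2)
May  9 10:38:02 fw kernel: Packet log: input ACCEPT eth0 PROTO=17 192.0.2.11:53 198.51.100.1:1025 L=80 S=0x00 I=2 F=0x0000 T=60 (#1)
May  9 10:38:05 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4522 198.51.100.1:53 L=48 S=0x00 I=3 F=0x4000 T=112 SYN (#2)
May  9 10:38:09 fw kernel: Packet log: input REJECT eth0 PROTO=6 203.0.113.7:3301 198.51.100.1:111 L=48 S=0x00 I=4 F=0x4000 T=50 SYN (#3)
May  9 10:38:12 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4523 198.51.100.1:53 L=48 S=0x00 I=5 F=0x4000 T=112 SYN (#2)'

# Read log text on stdin; print "count proto src dport", one line per unique
# (proto, src, dport) among DENY/REJECT entries, highest count first.
# Duplicates collapse into the counter, which is the running-list idea.
deny_summary() {
  grep -E 'Packet log: .* (DENY|REJECT) ' |
  awk '{
        for (i = 1; i <= NF; i++) if ($i == "DENY" || $i == "REJECT") break;
        proto = $(i + 2); sub(/^PROTO=/, "", proto);    # PROTO=6 -> 6
        src   = $(i + 3); sub(/:[0-9]+$/, "", src);     # a.b.c.d:sport -> a.b.c.d
        dst   = $(i + 4); sub(/^.*:/, "", dst);         # w.x.y.z:dport -> dport
        n[proto " " src " " dst]++
      }
      END { for (k in n) print n[k], k }' |
  sort -rn
}

# Emit one ipchains DENY rule (no -l, so no further logging) for every entry
# whose hit count reached the threshold. Rules match the exact source address
# AND destination port, as in the post. Args: threshold (default 3), interface.
deny_rules() {
  threshold=${1:-3}; iface=${2:-eth0}
  deny_summary | awk -v t="$threshold" -v ifc="$iface" '
    $1 >= t {
      p = ($2 == "6") ? "tcp" : ($2 == "17") ? "udp" : $2
      printf "ipchains -I input 1 -i %s -p %s -s %s -d 0.0.0.0/0 %s -j DENY\n", ifc, p, $3, $4
    }'
}

# Usage from a cron job: deny_rules 3 eth0 < /var/log/messages > /tmp/dnyports.sh
# Review the generated rules before running them, then reset the list periodically.
```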
