[PLUG] quickie iptables log scan scripts
mikeraz at patch.com
Sat Jun 1 13:53:36 UTC 2002
On Wed, May 22, 2002 at 10:29:00AM -0700, Paul Heinlein typed:
> With all the reports of that SQL Server script the kiddiez are using
> these days -- and the continued Code Red scans that hit my box -- I'd
> thought I'd whip up a couple little tools to give me some stats.
> [snip]
Another iptables tip:
Consider adding two chains to your installation called log-accept and log-deny
like:
# log-accept: record the packet at priority info (level 6), then let it through
iptables -N log-accept
iptables -A log-accept -j LOG --log-prefix "FIREWALL-ID-ACCEPT: " --log-level 6
iptables -A log-accept -j ACCEPT
# log-deny: record the packet with a distinct prefix, then silently drop it
iptables -N log-deny
iptables -A log-deny -j LOG --log-prefix "FIREWALL-ID-DENY: " --log-level 6
iptables -A log-deny -j DROP
Follow up by replacing all '-j ACCEPT' and '-j DENY' with '-j log-accept' and
'-j log-deny'.
Then `grep ACCEPT: | <one of Paul's scripts | other useful script>` and check
for unexpected traffic from a misplaced or malformed rule. Or `grep DENY | ...`
to search for traffic inadvertently being dropped.
In a business setting this will also allow you to quickly and authoritatively
determine if someone's Internet problem is firewall related. Not that anyone
ever blames the network for a machine configuration error or other problem. :)
--
Michael Rasmussen aka mikeraz
Be appropriate && Follow your curiosity
"They that give up essential liberty to obtain
temporary safety, deserve neither liberty nor safety."
-- Benjamin Franklin
and the fortune cookie says:
There are few people more often in the wrong than those who cannot endure
to be thought so.
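The "grep ACCEPT: | script" step from the post, as an added worked example that is not part of the original message or of Paul's scripts. It assumes the standard iptables LOG line layout (SRC=, DST=, PROTO=, SPT=, DPT= fields) and the FIREWALL-ID-ACCEPT: / FIREWALL-ID-DENY: prefixes set by the chains above; the log lines it runs against are constructed sample data, not captured traffic, and the function names fw_count_by_field, fw_lines_for_host and fw_top are mine.

```shell
#!/bin/sh
# Added example (not from the original post): summarise kernel LOG lines
# emitted by the log-accept / log-deny chains. Field layout is the standard
# iptables LOG output; the prefixes are the ones set in the chains above.

# Constructed sample log lines (not captured traffic), standing in for
# `grep FIREWALL-ID /var/log/messages`. Two hosts probe TCP/1433 (the SQL
# Server scans mentioned in the thread), one probes 80, and an inside host
# gets its mail (25) dropped by mistake.
SAMPLE_LOG='Jun  1 13:53:36 fw kernel: FIREWALL-ID-DENY: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TTL=118 ID=1 DF PROTO=TCP SPT=3382 DPT=1433 WINDOW=16384 SYN URGP=0
Jun  1 13:53:37 fw kernel: FIREWALL-ID-DENY: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 LEN=48 TTL=118 ID=2 DF PROTO=TCP SPT=3383 DPT=1433 WINDOW=16384 SYN URGP=0
Jun  1 13:54:02 fw kernel: FIREWALL-ID-DENY: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=48 TTL=110 ID=3 DF PROTO=TCP SPT=4120 DPT=80 WINDOW=8192 SYN URGP=0
Jun  1 13:54:10 fw kernel: FIREWALL-ID-ACCEPT: IN=eth1 OUT= SRC=192.0.2.20 DST=192.0.2.10 LEN=60 TTL=64 ID=4 DF PROTO=TCP SPT=40211 DPT=22 WINDOW=5840 SYN URGP=0
Jun  1 13:54:15 fw kernel: FIREWALL-ID-DENY: IN=eth1 OUT= SRC=192.0.2.20 DST=192.0.2.10 LEN=60 TTL=64 ID=5 DF PROTO=TCP SPT=40212 DPT=25 WINDOW=5840 SYN URGP=0
Jun  1 13:55:01 fw kernel: FIREWALL-ID-DENY: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=48 TTL=110 ID=6 DF PROTO=TCP SPT=4121 DPT=1433 WINDOW=8192 SYN URGP=0'

# fw_count_by_field VERB FIELD
#   VERB is ACCEPT or DENY (which chain logged the packet); FIELD is a LOG
#   field name such as SRC, DST, DPT or PROTO. Reads log lines on stdin and
#   prints "count value" lines, busiest first. Matching on the full prefix
#   keeps lines from other LOG rules (or other hosts' syslog) out of the tally.
fw_count_by_field() {
    verb=$1
    field=$2
    grep "FIREWALL-ID-${verb}: " |
        sed -n "s/.*[[:space:]]${field}=\([^[:space:]]*\).*/\1/p" |
        sort | uniq -c | sort -rn
}

# fw_lines_for_host VERB HOST
#   Prints every VERB-logged line where HOST is the source or destination:
#   the "is it the firewall?" question from the post. Dots in the address
#   are escaped and the match is anchored on the field boundary, so
#   192.0.2.2 does not also pull in 192.0.2.20.
fw_lines_for_host() {
    verb=$1
    host=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep "FIREWALL-ID-${verb}: " | grep -E "(SRC|DST)=${host}([[:space:]]|\$)"
}

# fw_top VERB FIELD
#   The single busiest value for FIELD, printed as "count value" with uniq's
#   padding stripped.
fw_top() {
    fw_count_by_field "$1" "$2" | head -n 1 | awk '{print $1, $2}'
}

# Example runs against the sample data (a real run reads the syslog file
# instead, e.g. `fw_top DENY DPT < /var/log/messages`):
#   printf '%s\n' "$SAMPLE_LOG" | fw_top DENY DPT                 -> 3 1433
#   printf '%s\n' "$SAMPLE_LOG" | fw_lines_for_host DENY 192.0.2.20
```

Running `fw_count_by_field DENY DPT` over a day of logs gives the port breakdown of what is being dropped (the 1433 and 80 noise the thread is about); `fw_lines_for_host DENY <address>` is the quick answer when a user reports that "the network is broken", since the only DENY line for the inside host above is its attempt to reach port 25, which points at a missing rule rather than at the user's machine.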