On Tue, Jan 23, 2001 at 11:45:28AM -0500, Gord Mc . Pherson wrote:
> Hi,
>
> Perhaps 'iptraf' or 'netwatch' (both available on freshmeat) and 'netstat'
> could be used to identify what/who is generating the traffic on your system.
> I'd also concur with a previous comment about 'portsentry', since it's
> possible to spoof an address and have portsentry block it.. it therefore
> becomes an effective tool for a hacker to use as a DoS. For example, I could
> find out what your ISP's DNS servers are, spoof those addresses and have your
> portsentry block them. This would cut you off from the net until you manually
> corrected it.
Ipchains (and I would assume iptables) has a log feature that will log any
packets that hit any rule with a -l in it. For instance, here was a guy trying
ftp:

Jan 18 15:21:00 marvin kernel: Packet log: input DENY eth1 PROTO=6 213.51.164.222:3336 24.14.189.245:21 L=48 S=0x00 I=15284 F=0x4000 T=117 SYN (#9)
Jan 18 15:21:03 marvin kernel: Packet log: input DENY eth1 PROTO=6 213.51.164.222:3336 24.14.189.245:21 L=48 S=0x00 I=15347 F=0x4000 T=118 SYN (#9)

another trying sunrpc:

Jan 18 22:16:10 marvin kernel: Packet log: input REJECT eth1 PROTO=6 211.116.51.17:2100 24.14.189.245:111 L=60 S=0x00 I=33380 F=0x4000 T=51 SYN (#13)

yet another trying DNS (coming from another dns server, hrmm):

Jan 23 03:43:00 marvin kernel: Packet log: input DENY eth1 PROTO=6 148.235.3.71:53 24.14.189.245:53 L=40 S=0x00 I=39426 F=0x0000 T=27 SYN (#10)

You get the idea. No special software needed, just good 'ole ipchains.

BTW: Could you try to keep lines to <80 characters? (Nevermind the fact that I
just broke that rule with the firewall logs).

-- 
Jordan Bettis <http://www.hafd.org/~jordanb/>
Showing up is 80% of life.
    -- Woody Allen