Hi,

Does anyone know how I might monitor shorewall logs for rejects on hosts/ports that don't exist? I think it might be called "doorknob rattling"?

I have a ton of entries like this:

[ 299.759915] Shorewall:ext2dmz:REJECT:IN=eth0 OUT=eth1 MAC=00:25:90:a5:e7:1f:00:23:9c:98:fb:6a:08:00 SRC=185.130.5.228 DST=66.104.111.105 LEN=75 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=UDP SPT=49744 DPT=53 LEN=55

That IP doesn't exist. I can't think of any reason a legitimate attempt would be made to communicate with that address, but it's probably not a good idea to block it on its first attempt.

This appears to be the perfect case for using fail2ban, but I hoped someone had some input on how to do this, and if it was a good idea?

Thanks,
Alex

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
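
The detection idea in the post above, as an added example that is not part of the original message and is not fail2ban's own code: count Shorewall REJECT lines per source that target addresses known to be unused, and flag a source only after several hits inside a time window. The `unused_hosts` set, the function names and all sample lines except the first are assumptions constructed for illustration; `max_retry` and `find_time` mirror the meaning of fail2ban's `maxretry` and `findtime` settings.

```python
import re
from collections import defaultdict, deque

# Matches Shorewall REJECT lines in the format quoted in the post. The
# bracketed number is the kernel timestamp (seconds since boot).
REJECT_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+Shorewall:\S+?:REJECT:"
    r".*?\bSRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+DST=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\b"
)

def find_offenders(lines, unused_hosts, max_retry=3, find_time=600.0):
    """Return {src: timestamp at which src first reached max_retry rejects
    aimed at unused addresses within find_time seconds}."""
    recent = defaultdict(deque)  # src -> timestamps of recent qualifying rejects
    offenders = {}
    for line in lines:
        m = REJECT_RE.search(line)
        if not m or m["dst"] not in unused_hosts:
            continue  # not a REJECT line, or aimed at a host that exists
        ts, src = float(m["ts"]), m["src"]
        window = recent[src]
        window.append(ts)
        while ts - window[0] > find_time:  # expire hits outside the window
            window.popleft()
        if len(window) >= max_retry and src not in offenders:
            offenders[src] = ts
    return offenders

def _line(ts, src, dst, dpt):
    # Builds a constructed log line in the same layout as the quoted entry.
    return (f"[{ts:12.6f}] Shorewall:ext2dmz:REJECT:IN=eth0 OUT=eth1 "
            f"SRC={src} DST={dst} LEN=75 TOS=0x00 PREC=0x00 TTL=240 "
            f"ID=54321 PROTO=UDP SPT=49744 DPT={dpt} LEN=55")

UNUSED = {"66.104.111.105"}  # assumption: addresses with no host behind them
SAMPLE = [
    # First entry is the line quoted in the post; the rest are constructed.
    "[ 299.759915] Shorewall:ext2dmz:REJECT:IN=eth0 OUT=eth1 "
    "MAC=00:25:90:a5:e7:1f:00:23:9c:98:fb:6a:08:00 SRC=185.130.5.228 "
    "DST=66.104.111.105 LEN=75 TOS=0x00 PREC=0x00 TTL=240 ID=54321 "
    "PROTO=UDP SPT=49744 DPT=53 LEN=55",
    _line(310.0, "185.130.5.228", "66.104.111.105", 53),
    _line(320.5, "185.130.5.228", "66.104.111.105", 53),
    _line(330.0, "198.51.100.9", "192.0.2.10", 25),   # rejects to a live host
    _line(340.0, "198.51.100.9", "192.0.2.10", 25),
    _line(350.0, "198.51.100.9", "192.0.2.10", 25),
    _line(400.0, "203.0.113.7", "66.104.111.105", 53),  # hits spread too thin
    _line(1100.0, "203.0.113.7", "66.104.111.105", 53),
    _line(1200.0, "203.0.113.7", "66.104.111.105", 53),
]

if __name__ == "__main__":
    for src, ts in find_offenders(SAMPLE, UNUSED).items():
        print(f"{src} reached the threshold at t={ts}")
```
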