iptable log-message

Tony Nelson tonynelson at georgeanelson.com
Sun May 27 16:12:15 UTC 2007


At 11:44 AM +0200 5/27/07, Harald Hoyer (slash) wrote:
>Hello,
>
>I have received this from my logwatch mail:
>
>------- iptables firewall Begin --------
>
> Logged 171 packets on interface eth0
>   From 137.227.xxx.xxx - 171 packets to tcp(N1,N2,N3,...,Nn)
>----------------------------------
>
>The problem is that I don't trust the IP and I don't know how to avoid it.
>
>Any idea?

Well, there will be an almost unbounded number of IPs that attack you, so
banning them one at a time will only be satisfying for a little while.  You
might want to use something like fail2ban.  First off, you want to get more
detail about the IPs and what iptables did with their packets from the raw
log file; probably `less /var/log/messages` and then "/137\.227\." RETURN,
followed by "n" to search down and "N" to search up, and "q" to quit.  Once
you have more idea of what they're trying to do and what iptables did you
can decide if there is anything more that needs to be done.  If iptables is
already dropping the packets, that's fine.  If there were 171 attempts to
log into SSH or FTP you might start to have some concern, and try fail2ban
or the sshattack iptables rules that have been in the thread "I love IP
Tables".
-- 
____________________________________________________________________
TonyN.:'                       <mailto:tonynelson at georgeanelson.com>
      '                              <http://www.georgeanelson.com/>
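The triage Tony describes (pull the raw iptables entries for one source address and see which ports it hit and what the rule did) can be scripted rather than paged through in less. The following is an added example, not code from the thread; it assumes the standard netfilter LOG target format (SRC=, PROTO=, DPT= fields) and that each logging rule's --log-prefix names the action, and the log lines it runs over are constructed samples using documentation addresses.

```shell
#!/bin/sh
# Summarise what iptables logged for one source address.
# Assumptions: netfilter LOG format with SRC=/PROTO=/DPT= fields, and a
# --log-prefix such as "DROP-IN:" or "ACCEPT-IN:" right after "kernel:".

# Constructed sample lines standing in for /var/log/messages.
SAMPLE_LOG=$(cat <<'EOF'
May 27 11:40:01 host kernel: DROP-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=22 SYN
May 27 11:40:02 host kernel: DROP-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=51235 DPT=22 SYN
May 27 11:40:03 host kernel: DROP-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=51236 DPT=21 SYN
May 27 11:40:04 host kernel: ACCEPT-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=51237 DPT=80 SYN
May 27 11:40:05 host kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=22 SYN
EOF
)

# summarise_src LOGTEXT SRC_IP
# Prints "<hits> <prefix> <proto> <dport>" per combination, most hits first.
summarise_src() {
    printf '%s\n' "$1" | awk -v src="$2" '
        index($0, "SRC=" src " ") > 0 {
            pfx = "?"; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i == "kernel:") {
                    pfx = $(i + 1)
                    # newer kernels put a [timestamp] before the prefix
                    if (pfx ~ /^\[/) pfx = $(i + 2)
                }
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            count[pfx " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# count_src LOGTEXT SRC_IP: total logged packets from that source.
count_src() {
    summarise_src "$1" "$2" | awk '{ n += $1 } END { print n + 0 }'
}

summarise_src "$SAMPLE_LOG" 192.0.2.10
```

Against a real system, replace the constructed SAMPLE_LOG with `"$(cat /var/log/messages)"` and the address logwatch reported; a long DROP list is what the reply calls fine, while ACCEPT lines for ports 21 or 22 are the ones worth a closer look.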
