logovani paketu

Houmles h na n.cz
Čtvrtek Červen 10 14:34:00 CEST 2004 

caj,
loguji na masine synpakety a mam problem ze mi ta potvora "nektere"
ignoruje.

iptables:

poblijon:~# iptables -L -nv
Chain INPUT (policy ACCEPT 478K packets, 57M bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 REJECT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpt:139 reject-with icmp-port-unreachable
  135 10530 REJECT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpt:137 reject-with icmp-port-unreachable
    9  5095 REJECT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpt:135 reject-with icmp-port-unreachable
 2667  128K REJECT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:445 reject-with icmp-port-unreachable
  133  6452 REJECT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:139 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:137 reject-with icmp-port-unreachable
 1591 76520 REJECT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:135 reject-with icmp-port-unreachable
 6503  322K LOG        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp flags:0x16/0x02 LOG flags 0 level 4 prefix `PACKET:
'
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
(rejecty pred jsou tam z duvody abych "vykopal" virove/wormove synpakety)

syslogng:

destination packet { file("/var/log/packet.log" owner("root") group("adm")
perm(0640)); };
filter f_iptables { facility(kern) and match(PACKET:); };
log { source(src); filter(f_iptables); destination(packet); };

a nasledne ve /var/log/packet.log dostavam krasny vypis:

Jun  2 06:16:10 poblijon kernel: PACKET: IN=eth0 OUT=
MAC=fe:fd:d5:97:59:67:00:ff:d6:02:7e:c7:08:00 SRC=67.68.13.140
DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=13926 DF
PROTO=TCP
SPT=3637 DPT=9898 WINDOW=16384 RES=0x00 SYN URGP=0
Jun  2 06:17:46 poblijon kernel: PACKET: IN=eth0 OUT=
MAC=fe:fd:d5:97:59:67:00:ff:d6:02:7e:c7:08:00 SRC=217.234.93.106
DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=27655 DF PROTO=TCP
SPT=3078 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Jun  2 06:17:46 poblijon kernel: PACKET: IN=eth0 OUT=
MAC=fe:fd:d5:97:59:67:00:ff:d6:02:7e:c7:08:00 SRC=217.234.93.106
DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=27744 DF PROTO=TCP
SPT=3078 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Jun  2 06:17:47 poblijon kernel: PACKET: IN=eth0 OUT=
MAC=fe:fd:d5:97:59:67:00:ff:d6:02:7e:c7:08:00 SRC=217.234.93.106
DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=27811 DF PROTO=TCP
SPT=3078 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0

--------

ALE: zkousel jsem si telnetit na ruzne porty manualne, a zadny synpaket mi
do logu neprosel! mam takovy neurcity pocit, ze kernel svindluje jelkoz
pakety nejsou ani v dmesg :-(
nejaky napad?
dik
   hmls


:wq
 Houmles, h na n.cz, sherlock na inway.cz

lsd fbi cia drugs mafia weapons guns pedophilia fuck - hi Echolon!

Další informace o konferenci Linux