On Fri, 2007-02-23 at 03:49 +1030, Raymond Lewis Rebbeck wrote:
> On Friday, 23 February 2007 3:15, Michael Sullivan wrote:
> > I have logsentry installed on my system which sends me hourly reports
> > about possible hack attempts on my three boxes. I use ipkungfu for my
> > firewall. I've stuck with the default configuration for ipkungfu,
> > except for listing each of my machines in my LAN in the
> > accepted_hosts.conf file. I also set ipkungfu to drop all offensive
> > packets (not sure if that's the default or not.) Whenever I see someone
> > trying to break in in the logsentry reports, I add their IP to the
> > deny_hosts.conf file and restart ipkungfu so that the changes will take
> > effect. I'm wondering why, if these offending IPs in deny_hosts.conf are
> > being stopped at the firewall, I'm still seeing them fail to authenticate
> > to my FTP and ssh servers?
>
> If you think you've set up your firewall to block these IPs and yet they are
> still able to access your machines, then it sounds like your firewall is
> misconfigured and isn't blocking the IPs.
>
> > Also, I've always heard that you shouldn't
> > have any ports open on your machine unless you have some server bound to
> > that port because hackers can get in through unbound open ports. Is
> > this true?
>
> I've never heard of this. All ports that you don't want accessible from the
> internet should be completely blocked by your firewall if you have it
> correctly configured.
>
> > If so, how does it work? What do they connect to if
> > nothing's running on the port they're trying? I know the concept of a
> > backdoor in a running program, but if no program is running on said port
> > for them to connect to, how do they get in???
>
> They connect to nothing; they shouldn't be able to establish a connection.
>
> > -Michael Sullivan-
>
> --
> Raymond Lewis Rebbeck

This is my /etc/ipkungfu/ipkungfu.conf file on
catherine.espersunited.com. The comments have been removed for
conciseness:

EXT_NET="eth0"
LOCAL_NET="127.0.0.1"
ALLOWED_TCP_IN="21 22 25 80"
ALLOWED_UDP_IN=""
SUSPECT="DROP"
KNOWN_BAD="DROP"
PORT_SCAN="DROP"
GET_IP="AUTO"
DONT_DROP_IDENTD=1
WAIT_SECONDS=5

Is this not a correct configuration? Here is the output of ipkungfu -l:

catherine ipkungfu # ipkungfu -l
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
7098 2517K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 LOG all -- lo any 0.0.0.1 anywhere LOG level warning prefix `IPKF IPKungFu (--init)'
0 0 DROP all -- eth0 any 124.1.149.222 anywhere
0 0 DROP all -- eth0 any 205.158.114.117.ptr.us.xo.net anywhere
0 0 DROP all -- eth0 any 222.90.206.62 anywhere
0 0 DROP all -- eth0 any 61.178.185.124 anywhere
0 0 DROP all -- eth0 any 65.98.76.197 anywhere
0 0 DROP all -- eth0 any 211.234.99.230 anywhere
0 0 DROP all -- eth0 any sd-2613.dedibox.fr anywhere
0 0 DROP all -- eth0 any 222.135.146.45 anywhere
0 0 DROP all -- eth0 any 210.75.200.104 anywhere
0 0 DROP all -- eth0 any 210.83.48.238 anywhere
0 0 DROP all -- eth0 any 69.149.231.150 anywhere
0 0 DROP all -- eth0 any 61.243.90.149 anywhere
0 0 DROP all -- eth0 any 222.62.149.99 anywhere
0 0 DROP all -- eth0 any 72.237.88.202.asianet.co.in anywhere
0 0 DROP all -- eth0 any 211.61.207.31 anywhere
0 0 DROP all -- eth0 any 212.14.53.4 anywhere
0 0 DROP all -- eth0 any 61-222-84-195.HINET-IP.hinet.net anywhere
0 0 DROP all -- eth0 any smtp.tvitatiba.com.br anywhere
0 0 DROP all -- eth0 any 91.25.73.211-savecom anywhere
0 0 DROP all -- eth0 any host150197.metrored.net.mx anywhere
0 0 DROP all -- eth0 any d5152C2AF.access.telenet.be anywhere
0 0 DROP all -- eth0 any 218.50.2.99 anywhere
0 0 DROP all -- eth0 any 210.97.242.17 anywhere
0 0 DROP all -- eth0 any sd-156.dedibox.fr anywhere
0 0 DROP all -- eth0 any lax-static-208.57.150.227.mpowercom.net anywhere
0 0 DROP all -- eth0 any 61.145.175.51 anywhere
0 0 DROP all -- eth0 any adsl-131.98.51.info.com.ph anywhere
0 0 DROP all -- eth0 any 203.190.147.138 anywhere
0 0 DROP all -- eth0 any slo-guest.not.iac.es anywhere
0 0 DROP all -- eth0 any 219.94.134.39 anywhere
0 0 DROP all -- eth0 any customer-201-147-235-248.uninet-ide.com.mx anywhere
0 0 DROP all -- eth0 any 216.218.240.157 anywhere
0 0 DROP all -- eth0 any 202.113.3.104 anywhere
0 0 DROP all -- eth0 any 60.12.225.7 anywhere
0 0 DROP all -- eth0 any 61.142.175.65 anywhere
0 0 DROP all -- eth0 any 219.235.231.105 anywhere
0 0 DROP all -- eth0 any 219.148.237.109 anywhere
0 0 DROP all -- eth0 any s15192846.onlinehome-server.info anywhere
0 0 DROP all -- eth0 any 219.234.80.58 anywhere
0 0 DROP all -- eth0 any 61.167.117.140 anywhere
0 0 DROP all -- eth0 any 61.139.78.2 anywhere
0 0 DROP all -- eth0 any 219.232.59.181 anywhere
0 0 DROP all -- eth0 any 222.36.2.100 anywhere
0 0 DROP all -- eth0 any 218.5.4.236 anywhere
0 0 DROP all -- eth0 any static-81-219-251-66.devs.futuro.pl anywhere
0 0 DROP all -- eth0 any 222.216.204.101 anywhere
0 0 DROP all -- eth0 any 203.71.2.73 anywhere
0 0 DROP all -- eth0 any 125.251.149.66 anywhere
0 0 DROP all -- eth0 any 61-218-62-150.HINET-IP.hinet.net anywhere
0 0 DROP all -- eth0 any 196.46.235.118 anywhere
0 0 DROP all -- eth0 any static-71-166-159-154.washdc.east.verizon.net anywhere
0 0 DROP all -- eth0 any 222.122.20.110 anywhere
0 0 DROP all -- eth0 any 200-91-244-86-host.ifx.net.co anywhere
0 0 DROP all -- eth0 any 219.235.231.103 anywhere
0 0 DROP all -- eth0 any host54.77.cable1.evro.net anywhere
0 0 DROP all -- eth0 any 203.149.62.140 anywhere
0 0 DROP all -- eth0 any jerkface.org anywhere
0 0 DROP all -- eth0 any mailscanner.net-rosas.com.br anywhere
0 0 DROP all -- eth0 any tm.net.my anywhere
0 0 DROP all -- eth0 any mail.iab.com.ar anywhere
0 0 DROP all -- eth0 any 202.122.16.35 anywhere
0 0 DROP all -- eth0 any 218.78.209.253 anywhere
0 0 DROP all -- eth0 any 59-106-20-54.r-bl100.sakura.ne.jp anywhere
0 0 DROP all -- eth0 any gcg62.internetdsl.tpnet.pl anywhere
0 0 DROP all -- eth0 any se.ramm.net anywhere
0 0 DROP all -- eth0 any 210.94.6.89 anywhere
0 0 DROP all -- eth0 any 203.127.35.166 anywhere
0 0 DROP all -- eth0 any 59-106-20-94.r-bl100.sakura.ne.jp anywhere
0 0 DROP all -- eth0 any 124.1.35.2 anywhere
0 0 DROP all -- eth0 any 196.12.53.52 anywhere
0 0 DROP all -- eth0 any 64.27.28.229 anywhere
0 0 DROP all -- eth0 any 125.243.145.2 anywhere
0 0 DROP all -- eth0 any 53.subnet216.astinet.telkom.net.id anywhere
0 0 DROP all -- eth0 any 65.205.238.12 anywhere
0 0 DROP all -- eth0 any 221.136.78.17 anywhere
0 0 DROP all -- eth0 any 85.132.13.186 anywhere
0 0 DROP all -- eth0 any p87-237.cmet.net anywhere
0 0 DROP all -- eth0 any p87-237.cmet.net anywhere
0 0 DROP all -- eth0 any 61.129.41.20 anywhere
0 0 DROP all -- eth0 any host-87-74-30-140.bulldogdsl.com anywhere
0 0 DROP all -- eth0 any 212.144.240.140 anywhere
0 0 DROP all -- eth0 any 159.226.234.16 anywhere
0 0 DROP all -- eth0 any 222.138.97.20 anywhere
0 0 DROP all -- eth0 any 61.152.169.150 anywhere
0 0 DROP all -- eth0 any dsl51B7DB9D.fixip.t-online.hu anywhere
0 0 DROP all -- eth0 any 80-239-2-89.tjgroup.no anywhere
0 0 DROP all -- eth0 any host64-231-149-62.serverdedicati.aruba.it anywhere
0 0 DROP all -- eth0 any 62-148-177-206-hosted-by.denit.net anywhere
0 0 DROP all -- eth0 any 211.176.61.119 anywhere
0 0 DROP all -- eth0 any 61.136.143.176 anywhere
0 0 DROP all -- eth0 any 216.17.96.152 anywhere
0 0 DROP all -- eth0 any 61.125.24.84 anywhere
0 0 DROP all -- eth0 any 125.248.148.10 anywhere
0 0 DROP all -- eth0 any oa anywhere
0 0 DROP all -- eth0 any 125.246.65.136 anywhere
0 0 DROP all -- eth0 any 202.79.208.131 anywhere
0 0 DROP all -- eth0 any 124.128.157.98 anywhere
0 0 DROP all -- eth0 any main.popligroup.com anywhere
0 0 DROP all -- eth0 any 125.152.17.236 anywhere
0 0 DROP all -- eth0 any mail.triple-eagle.com anywhere
0 0 DROP all -- eth0 any 211.99.140.229 anywhere
0 0 DROP all -- eth0 any 216.31.131.61.broad.dynamic.pt.fj.cndata.com anywhere
0 0 DROP all -- eth0 any 125.244.116.130 anywhere
5 302 ACCEPT all -- any any bullet.espersunited.com anywhere
2 248 ACCEPT all -- any any camille.espersunited.com anywhere
0 0 DROP all -- any any anywhere anywhere recent: CHECK seconds: 120 name: badguy side: source
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags ALL: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags NONE: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap XMAS): '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap FIN): '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,FIN: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,RST: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap NULL): '
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:SYN,RST/SYN,RST
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
1 92 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
10 400 LOG all -- any any anywhere anywhere state INVALID limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Invalid TCP flag: '
10 400 DROP all -- any any anywhere anywhere state INVALID
0 0 LOG all -f eth0 any anywhere anywhere limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Fragmented Packet: '
0 0 DROP all -f eth0 any anywhere anywhere
0 0 LOG icmp -- eth0 any anywhere anywhere icmp timestamp-request limit: avg 3/sec burst 5 LOG level warning prefix `IPKF ICMP Timestamp: '
0 0 DROP icmp -- eth0 any anywhere anywhere icmp timestamp-request
4 192 syn-flood tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW limit: avg 3/sec burst 5 LOG level warning prefix `IPKF New Not SYN: '
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
0 0 DROP tcp -- eth0 any anywhere anywhere multiport dports netbios-ns,6666
1 404 DROP udp -- eth0 any anywhere anywhere multiport dports ms-sql-m
2 96 ACCEPT tcp -- eth0 any anywhere anywhere state NEW multiport dports ftp,ssh,smtp,http
37 3156 ACCEPT all -- lo any anywhere anywhere state NEW
0 0 ACCEPT all -- lo any localhost.localdomain anywhere state NEW
0 0 REJECT tcp -- any any anywhere anywhere tcp dpt:auth reject-with tcp-reset
36 11218 LOG !icmp -- any any anywhere anywhere limit: avg 3/sec burst 5 LOG level warning prefix `IPKF INPUT Catch-all: '
36 11218 DROP all -- any any anywhere anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 any bullet.espersunited.com anywhere
0 0 ACCEPT all -- eth0 any camille.espersunited.com anywhere
0 0 DROP all -- eth0 any anywhere anywhere recent: CHECK seconds: 120 name: badguy side: source
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags ALL: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags NONE: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags FIN,URG,PSH: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap XMAS): '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,FIN: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,RST: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap NULL): '
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:SYN,RST/SYN,RST
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
0 0 LOG all -- eth0 any anywhere anywhere state INVALID limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Invalid TCP flag: '
0 0 DROP all -- eth0 any anywhere anywhere state INVALID
0 0 LOG all -f eth0 any anywhere anywhere limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Fragmented Packet: '
0 0 DROP all -f eth0 any anywhere anywhere
0 0 LOG icmp -- eth0 any anywhere anywhere icmp timestamp-request limit: avg 3/sec burst 5 LOG level warning prefix `IPKF ICMP Timestamp: '
0 0 DROP icmp -- eth0 any anywhere anywhere icmp timestamp-request
0 0 syn-flood tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW limit: avg 3/sec burst 5 LOG level warning prefix `IPKF New Not SYN: '
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
0 0 DROP tcp -- eth0 any anywhere anywhere multiport dports netbios-ns,6666
0 0 DROP udp -- eth0 any anywhere anywhere multiport dports ms-sql-m
0 0 REJECT tcp -- eth0 any anywhere anywhere tcp dpt:auth reject-with tcp-reset

Chain OUTPUT (policy ACCEPT 3 packets, 120 bytes)
pkts bytes target prot opt in out source destination
6646 1321K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
513 31858 ACCEPT all -- any any anywhere anywhere state NEW

Chain syn-flood (2 references)
pkts bytes target prot opt in out source destination
4 192 RETURN all -- any any anywhere anywhere limit: avg 10/sec burst 24
0 0 LOG all -- any any anywhere anywhere limit: avg 3/sec burst 5 LOG level warning prefix `IPKF SYN flood: '
0 0 DROP all -- any any anywhere anywhere

I don't understand a lot of this, but those IP addresses are from
my /etc/ipkungfu/deny_hosts.conf file. Is this not actually blocking
them? I almost always read about connections from (a) recently-blocked
IP address(es) for a few hours after I block them in the hourly
logsentry reports...

--
gentoo-user@g.o mailing list
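As an added diagnostic (not part of the thread), a Python check for a listing in the `iptables -L -v` shape that `ipkungfu -l` prints: it parses one chain, collects the per-host DROP rules, notes whether an ACCEPT for RELATED,ESTABLISHED precedes them (iptables stops at the first match, so a session the host already had open keeps passing that rule), and flags deny rules whose packet counter is still zero. The sample listing is a constructed excerpt with the wrapped rows joined back onto one line.

```python
import re

# Constructed excerpt in the shape of the `ipkungfu -l` (iptables -L -v) listing
# quoted in the thread, with each wrapped rule joined back onto one line.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 7098 2517K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
    0     0 DROP all -- eth0 any 124.1.149.222 anywhere
    0     0 DROP all -- eth0 any sd-2613.dedibox.fr anywhere
    5   302 ACCEPT all -- any any bullet.espersunited.com anywhere
    2    96 ACCEPT tcp -- eth0 any anywhere anywhere state NEW multiport dports ftp,ssh,smtp,http
   36 11218 DROP all -- any any anywhere anywhere
"""

# One rule row: counters, target, proto, opt, in, out, source, destination, then match text.
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+"
    r"(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)(?P<extra>.*)$"
)


def parse_chain(listing, chain="INPUT"):
    """Return the rules of one chain, in evaluation order, as dicts."""
    rules, in_chain = [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        m = RULE_RE.match(line) if in_chain else None
        if m:
            rule = m.groupdict()
            rule["pkts"] = int(rule["pkts"])
            rule["extra"] = rule["extra"].strip()
            rules.append(rule)
    return rules


def audit_deny_rules(rules):
    """Check each per-host DROP rule against the rules evaluated before it."""
    report = {"deny_rules": [], "shadowed_by_established": [], "never_hit": []}
    for idx, rule in enumerate(rules):
        if rule["target"] != "DROP" or rule["src"] == "anywhere":
            continue
        host = rule["src"]
        report["deny_rules"].append(host)
        # iptables stops at the first matching rule: an ACCEPT for RELATED,ESTABLISHED
        # above this DROP still passes packets of a session the host already has open.
        if any(r["target"] == "ACCEPT" and "ESTABLISHED" in r["extra"] for r in rules[:idx]):
            report["shadowed_by_established"].append(host)
        # A zero counter means no packet has reached this rule since the tables were loaded.
        if rule["pkts"] == 0:
            report["never_hit"].append(host)
    return report


if __name__ == "__main__":
    for key, hosts in audit_deny_rules(parse_chain(SAMPLE_LISTING)).items():
        print(f"{key}: {hosts}")
```

Run against the full listing above, the same check reports every deny rule sitting below the RELATED,ESTABLISHED accept with a zero packet counter, while only the catch-all DROP at the bottom of INPUT has counted packets.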