First, I set my policy to DROP
Second, do all the ACCEPT rules
  - local connections
  - icmp
  - ssh
  - dns
  - web (if you are running a web server)
  - all high ports
Third, drop all the things you don't want to log
(from /etc/sysconfig/iptables)
# Microsoft garbage
[0:0] -A INPUT -p udp -m udp --sport 138 -j DROP
[0:0] -A INPUT -p tcp -m tcp --sport 138 -j DROP
[0:0] -A INPUT -p udp -m udp --dport 138 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 138 -j DROP
[0:0] -A INPUT -p udp -m udp --sport 137 -j DROP
[0:0] -A INPUT -p tcp -m tcp --sport 137 -j DROP
[0:0] -A INPUT -p udp -m udp --dport 137 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 137 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 139 -j DROP
# M$ sql
[0:0] -A INPUT -p udp -m udp --dport 1434 -j DROP
# Bootpc
[0:0] -A INPUT -p udp -m udp --sport 68 -j DROP
Last, log the rest (whatever falls off the bottom is getting DROPped)
[0:0] -A INPUT -j LOG --log-level 6 --log-prefix "FIREWALL:INPUT-"
Disclaimer: playing with firewall rules can cause migraines. I am not
responsible for your or your computer's health. You should not play with
firewall rules from a remote connection unless you have a good sense of
humor. Your mileage may vary.
Todd
On Thu, 2002-12-12 at 16:43, Patrick Grantham (at work) wrote:
> How did you do that?
> ----- Original Message -----
> From: "Todd Robinson" <mtrob@penguix.com>
> To: <slug@nks.net>
> Sent: Thursday, December 12, 2002 4:12 PM
> Subject: Re: [SLUG] scans
>
>
> > I get so much of that stuff in general that I have iptables on all my
> > machines drop most M$ activity first thing, before I log it. Cut my log
> > files in half.
> >
> > Todd
> >
> > On Thu, 2002-12-12 at 15:32, jeff wrote:
> > > Has anyone else noticed an increase in port scans in the last few
> > > hours? I am getting around 40 hits an hour, almost all of them on 137.
> > > Is there a new worm making the rounds or what?
> > >
> > > Jeff
> > --
> > Todd Robinson <mtrob@penguix.com>
> >
-- Todd Robinson <mtrob@penguix.com>
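The four-step layout Todd describes, written out as an added example that is not from the original post or from his /etc/sysconfig/iptables: a POSIX sh script that generates the whole file in iptables-restore format, in the same order (policy DROP, ACCEPT rules, silent DROPs for the noisy ports quoted above, one LOG rule for the rest). SSH_PORT and WEB are assumed knobs; the ESTABLISHED,RELATED rule and the rate limit on the LOG rule are additions the post does not have.

```shell
#!/bin/sh
# Added example (not Todd's file): emit a complete /etc/sysconfig/iptables in
# iptables-restore format, in the order the post gives: 1. policy DROP,
# 2. ACCEPT rules, 3. silent DROPs for noisy traffic, 4. LOG everything else.
# SSH_PORT and WEB are assumed knobs; the port lists are the ones in the post.
SSH_PORT="${SSH_PORT:-22}"
WEB="${WEB:-no}"          # set WEB=yes on a host that runs a web server

rule() { printf '[0:0] -A INPUT %s\n' "$1"; }

gen_rules() {
  echo '*filter'
  echo ':INPUT DROP [0:0]'       # 1. default policy: anything not ACCEPTed is dropped
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  # 2. ACCEPT rules
  rule '-i lo -j ACCEPT'                                   # local connections
  rule '-m state --state ESTABLISHED,RELATED -j ACCEPT'    # added: replies to our own traffic
  rule '-p icmp -j ACCEPT'
  rule "-p tcp -m tcp --dport $SSH_PORT -j ACCEPT"          # ssh
  rule '-p udp -m udp --sport 53 -j ACCEPT'                 # dns answers
  [ "$WEB" = yes ] && rule '-p tcp -m tcp --dport 80 -j ACCEPT'
  rule '-p tcp -m tcp --dport 1024:65535 -j ACCEPT'         # all high ports (post's step 2;
  rule '-p udp -m udp --dport 1024:65535 -j ACCEPT'         # redundant once the state rule exists)
  # 3. DROP the noise before it can reach the LOG rule
  for port in 137 138; do                                   # NetBIOS name/datagram service
    for proto in udp tcp; do
      rule "-p $proto -m $proto --sport $port -j DROP"
      rule "-p $proto -m $proto --dport $port -j DROP"
    done
  done
  rule '-p tcp -m tcp --dport 139 -j DROP'                  # NetBIOS session service
  rule '-p udp -m udp --dport 1434 -j DROP'                 # MS SQL resolution service
  rule '-p udp -m udp --sport 68 -j DROP'                   # bootpc
  # 4. LOG the rest; -m limit is an added safeguard so a flood cannot fill the log.
  # Nothing follows, so the INPUT policy (DROP) handles what was logged.
  rule '-m limit --limit 5/min --limit-burst 20 -j LOG --log-level 6 --log-prefix "FIREWALL:INPUT-"'
  echo 'COMMIT'
}

# Load it as root, from the console, with:  sh thisfile.sh --print | iptables-restore
if [ "${1:-}" = "--print" ]; then gen_rules; fi
```

Diff the output against the running rules with `iptables-save` before loading it, so a rule that drops your own session shows up on paper rather than in a lost connection.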
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:11:31 EDT