Re: [cobalt-users] RaQ3 - Logcheck reports PROTO=17
- Subject: Re: [cobalt-users] RaQ3 - Logcheck reports PROTO=17
- From: "k.a." <khalil@xxxxxxxxx>
- Date: Fri Dec 14 04:11:13 2001
- Organization: http://www.KhalilAhmad.com
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Chae,
Most of these are samba packets esp. on ports 137, 138, 139. If you have
IPChains installed, just put these lines in your rules:
EXTERNAL_INTERFACE=eth0   # the interface the logged packets arrive on (eth0 in your log)
# -I (insert at the head of the input chain) rather than -A (append): the log
# entries come from rule #59, and rules appended after it would never be reached.
# 137:139 covers the NetBIOS name, datagram and session service ports.
ipchains -I input 1 -i $EXTERNAL_INTERFACE -p tcp --destination-port 137:139 -j DENY
ipchains -I input 1 -i $EXTERNAL_INTERFACE -p udp --destination-port 137:139 -j DENY
(I suppose $EXTERNAL_INTERFACE is your external interface; you may use IP/Netmask.)
It will stop the kernel logging these attempts in the log files.
NOTE: there is no "-l" in these lines, so the packets will be denied before
they reach the rule which is causing the log entries.
-Khalil Ahmad
PakSys Consulting Inc.
http://www.paksys.com
----- Original Message -----
From: "Render-Vue" <sales@xxxxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Wednesday, December 12, 2001 5:06 PM
Subject: [cobalt-users] RaQ3 - Logcheck reports PROTO=17
> Hi Yah,
>
> (this is a wee bit long)
>
> I've spoken to my colocation guys and they tell me that this is normal
> activity and it's nothing to worry about. I've also searched the archive, and
> from what I can make out the reports are indeed showing it's normal, but how the
> heck can I stop the continual logging, or how can it be stopped? I
> currently have logcheck ignore the PROTO=17 string, but this isn't the
> solution because it prevents me from seeing if there is a possible
> compromise later... xxx.xxx.xxx.xxx being the main IP for the server.
>
> All other IPs resolve to the colocation centre.
>
> Can I resolve this with ipchains? If so, any pointers? (Still getting my head
> round it.)
>
> Many thanks in advance
>
> Chae
>
> Security Violations
> =-=-=-=-=-=-=-=-=-=
> Dec 12 14:02:01 ns kernel: Packet log: input DENY eth0 PROTO=17 208.155.65.4:137 208.155.79.255:137 L=78 S=0x00 I=33208 F=0x0000 T=128 (#59)
> Dec 12 14:02:02 ns kernel: Packet log: input DENY eth0 PROTO=17 208.155.65.4:137 208.155.79.255:137 L=78 S=0x00 I=36792 F=0x0000 T=128 (#59)
> Dec 12 14:02:03 ns kernel: Packet log: input DENY eth0 PROTO=17 208.155.65.4:137 208.155.79.255:137 L=78 S=0x00 I=37304 F=0x0000 T=128 (#59)
> Dec 12 14:02:18 ns kernel: Packet log: input DENY eth0 PROTO=17 208.155.78.2:138 208.155.78.255:138 L=241 S=0x00 I=63637 F=0x0000 T=128
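Chae's worry is that telling logcheck to ignore every "PROTO=17" line hides all denied UDP traffic, not just the NetBIOS chatter, and Khalil's DENY rules silently drop unicast probes of ports 137-139 along with the broadcasts. The script below is an added example, not code from either poster or from Cobalt: it parses ipchains "Packet log:" lines of the format shown in the report and separates the NetBIOS broadcast noise (UDP, NetBIOS port on both ends, destination ending in .255) from everything else, so the rest of the DENY log stays visible. The two lines from Chae's report are reused verbatim; the other sample lines, the 192.0.2.x/203.0.113.x addresses and the function names are constructed for the example.

```python
import re
from dataclasses import dataclass

# ipchains (Linux 2.2) kernel log format, as seen in the report above:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=<len> ...
PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+)"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}   # IANA protocol numbers
NETBIOS_PORTS = {137, 138, 139}                  # name service, datagram service, session service

# Constructed sample input: the first two lines are from Chae's report, the
# rest are made up for this example (documentation addresses 192.0.2.x / 203.0.113.x).
SAMPLE_LOG = [
    "Dec 12 14:02:01 ns kernel: Packet log: input DENY eth0 PROTO=17 208.155.65.4:137 208.155.79.255:137 L=78 S=0x00 I=33208 F=0x0000 T=128 (#59)",
    "Dec 12 14:02:18 ns kernel: Packet log: input DENY eth0 PROTO=17 208.155.78.2:138 208.155.78.255:138 L=241 S=0x00 I=63637 F=0x0000 T=128 (#59)",
    # unicast SMB session probe at the server itself: not broadcast noise, keep it
    "Dec 12 14:05:40 ns kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4321 203.0.113.5:139 L=60 S=0x00 I=1 F=0x4000 T=51 (#59)",
    # UDP to port 53: a blanket 'ignore PROTO=17' in logcheck would hide this
    "Dec 12 14:06:02 ns kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.77:1234 203.0.113.5:53 L=60 S=0x00 I=2 F=0x0000 T=51 (#59)",
    # unrelated syslog line, must be skipped rather than misparsed
    "Dec 12 14:07:00 ns sshd[123]: Accepted password for admin from 192.0.2.9 port 2222",
]


@dataclass
class Packet:
    chain: str
    target: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int

    def describe(self):
        name = PROTO_NAMES.get(self.proto, f"PROTO={self.proto}")
        return f"{self.target} {self.iface} {name} {self.src}:{self.sport} -> {self.dst}:{self.dport}"


def parse_packet_log(line):
    """Return a Packet for an ipchains 'Packet log:' line, or None for anything else."""
    m = PACKET_LOG.search(line)
    if m is None:
        return None
    return Packet(m["chain"], m["target"], m["iface"], int(m["proto"]),
                  m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["len"]))


def is_netbios_broadcast(pkt):
    """The pattern in the report: UDP, NetBIOS port on both ends, sent to a
    directed broadcast address (last octet 255). Unicast traffic to 137-139
    deliberately does not match, so scans of the server's own ports stay visible."""
    return (pkt.proto == 17
            and pkt.sport in NETBIOS_PORTS
            and pkt.dport in NETBIOS_PORTS
            and pkt.dst.endswith(".255"))


def triage(lines):
    """Split log lines into (noise, keep); non-packet lines are dropped."""
    noise, keep = [], []
    for line in lines:
        pkt = parse_packet_log(line)
        if pkt is None:
            continue
        (noise if is_netbios_broadcast(pkt) else keep).append(pkt)
    return noise, keep


if __name__ == "__main__":
    noise, keep = triage(SAMPLE_LOG)
    print(f"{len(noise)} NetBIOS broadcast entries suppressed")
    for pkt in keep:
        print("REVIEW:", pkt.describe())
```

Used as a logcheck pre-filter, this keeps the unicast TCP/139 probe and the UDP/53 packet in the "Security Violations" report while dropping only the broadcast chatter. The same distinction can be made in the firewall itself: an ipchains DENY that matches on the broadcast destination (`-d` with the .255 address) instead of on every packet to ports 137:139 silences the neighbours' broadcasts but still logs anyone probing the server's own NetBIOS ports.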