linux tips: a one liner, who attacked me today?
i got a pretty tight iptables rule set, and all undesired packets are logged through ulog. below is a one liner command to check who 'attacked' me today (not exactly an attack; these were all just unwanted packets):
for i in `grep "PROTO=UDP" /var/log/ulog/syslogemu.log | sed "s/^.*SRC=//" | sed "s/ DST=.*$//" | sort | uniq` ; do echo `grep -F -c "SRC=$i " /var/log/ulog/syslogemu.log` " " $i >> attacker.txt ; done ; sort -r -n -k 1 attacker.txt > tmp ; mv tmp attacker.txt
a sample /var/log/ulog/syslogemu.log entry looks like this:
Jan 21 20:55:03 telarosa Firewall: IN=eth0 OUT= MAC=00:16:76:22:05:2b:00:18:74:83:3c:54:08:00 SRC=83.30.35.XXX DST=61.247.38.19 LEN=61 TOS=00 PREC=0x00 TTL=107 ID=5510 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=53031
the output in attacker.txt is sorted in descending order by the number of dropped packets received from each ip, and looks like:
15 88.111.70.XXX
15 61.246.33.XXX
15 207.218.223.XX
14 207.218.223.XX
13 207.218.223.XX
12 207.218.223.XX
11 207.218.223.XX
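The same count as an added example (this is not code from the original post), done in a single awk pass over the log instead of re-grepping the whole file once per source, with two extras the one liner lacks: the source address is compared as a whole field, so 10.0.0.1 is never counted as part of 10.0.0.10, and an optional date prefix restricts the count to one day. The function name top_sources, its argument layout and the sample lines (documentation addresses, constructed for this example) are assumptions; the log format is the one shown above.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumes the ulog/syslog-style line format shown in the post
# (… SRC=a.b.c.d DST=… PROTO=XXX …). Function name, arguments and the
# sample log below are constructed for this example.

# top_sources LOGFILE [PROTO] [DATE-PREFIX]
#   Prints "<count> <src-ip>" lines, highest count first.
#   PROTO (e.g. UDP) counts only that protocol; empty = all protocols.
#   DATE-PREFIX (e.g. "Jan 21") keeps only lines starting with it; empty = all.
top_sources() {
    logfile=$1
    proto=${2:-}
    day=${3:-}
    awk -v proto="$proto" -v day="$day" '
        # skip lines outside the requested day (syslog timestamp prefix)
        day != "" && substr($0, 1, length(day)) != day { next }
        {
            src = ""; p = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src = substr($i, 5)
                if ($i ~ /^PROTO=/) p   = substr($i, 7)
            }
            # whole-field comparison: 10.0.0.1 never matches 10.0.0.10
            if (src != "" && (proto == "" || p == proto)) count[src]++
        }
        END { for (s in count) print count[s], s }
    ' "$logfile" | sort -r -n -k 1
}

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 21 20:55:03 telarosa Firewall: IN=eth0 OUT= MAC=00:16:76:22:05:2b:00:18:74:83:3c:54:08:00 SRC=198.51.100.7 DST=203.0.113.9 LEN=61 TOS=00 PREC=0x00 TTL=107 ID=5510 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=53031
Jan 21 20:55:04 telarosa Firewall: IN=eth0 OUT= MAC=00:16:76:22:05:2b:00:18:74:83:3c:54:08:00 SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TOS=00 PREC=0x00 TTL=107 ID=5511 PROTO=UDP SPT=1234 DPT=137 LEN=20
Jan 21 20:55:05 telarosa Firewall: IN=eth0 OUT= MAC=00:16:76:22:05:2b:00:18:74:83:3c:54:08:00 SRC=198.51.100.70 DST=203.0.113.9 LEN=40 TOS=00 PREC=0x00 TTL=50 ID=1 PROTO=UDP SPT=53 DPT=1025 LEN=20
Jan 21 20:55:06 telarosa Firewall: IN=eth0 OUT= MAC=00:16:76:22:05:2b:00:18:74:83:3c:54:08:00 SRC=198.51.100.70 DST=203.0.113.9 LEN=40 TOS=00 PREC=0x00 TTL=50 ID=2 PROTO=UDP SPT=53 DPT=1025 LEN=20
Jan 21 20:55:07 telarosa Firewall: IN=eth0 OUT= MAC=00:16:76:22:05:2b:00:18:74:83:3c:54:08:00 SRC=198.51.100.70 DST=203.0.113.9 LEN=40 TOS=00 PREC=0x00 TTL=50 ID=3 PROTO=UDP SPT=53 DPT=1025 LEN=20
Jan 20 23:59:59 telarosa Firewall: IN=eth0 OUT= MAC=00:16:76:22:05:2b:00:18:74:83:3c:54:08:00 SRC=192.0.2.5 DST=203.0.113.9 LEN=40 TOS=00 PREC=0x00 TTL=60 ID=4 PROTO=UDP SPT=53 DPT=1025 LEN=20
EOF

# Usage: UDP sources seen on Jan 21 only, most active first.
top_sources "$SAMPLE_LOG" UDP "Jan 21"
```

For a real "today" run, the date prefix can be built with `date "+%b %e"`, which pads single-digit days with a space the same way the syslog timestamp does (an assumption about the syslog layout on the box; check one line of your own log first).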
i found that logging iptables dropped packets to ulog is much more stable than syslog or syslog-ng; either of those may freeze under a high density udp flood attack.

January 29th, 2007 at 7:24 am
Hi,
I found your blog via google by accident and have to admit that you've a really interesting blog :-)
Just saved your feed in my reader, have a nice day :)