How to stop logging of denied ipfwadm connections?

Post by Kevin Ree » Sun, 19 Sep 1999 04:00:00



I am getting constant (about one a second) attempts at port scanning
from an apparently spoofed IP number (192.168.0.69).  These attempts
have been taking place pretty much for more than 7 days.

They are not from any of the connected systems behind the Masq; I've
checked that by unplugging each box until only the Linux box is left,
and it has no processes running that are responsible.

The result of the attempts is that the disk space on that system is
getting exhausted reporting the fact that it is denying them.

I need to find out...

1) How can I figure out where they are really coming from?

2) Can I tell ipfwadm to not log the fact they are being denied?

3) Is there something else I can do (route perhaps) that can divert
   these so that they are just ignored completely without logging
   them?

The system is a Redhat 5.2 box with all patches applied.  System is
connected to a Cable modem...

Sample log entries:

Sep 17 19:14:54 cx1xxxx9-a kernel: IP fw-in deny eth1 UDP 192.168.0.69:4404 192.168.0.255:39213 L=140 S=0x00 I=61035 F=0x0000 T=128
Sep 17 19:14:57 cx1xxxx9-a kernel: IP fw-in deny eth1 UDP 192.168.0.69:4405 192.168.0.255:39213 L=296 S=0x00 I=62315 F=0x0000 T=128
Sep 17 19:14:57 cx1xxxx9-a kernel: IP fw-in deny eth1 UDP 192.168.0.69:4406 192.168.0.255:39213 L=846 S=0x00 I=62571 F=0x0000 T=128
Sep 17 19:14:57 cx1xxxx9-a kernel: IP fw-in deny eth1 UDP 192.168.0.69:4407 192.168.0.255:39213 L=140 S=0x00 I=62827 F=0x0000 T=128
Sep 17 19:14:59 cx1xxxx9-a kernel: IP fw-in deny eth1 UDP 192.168.0.69:4408 192.168.0.255:39213 L=296 S=0x00 I=63595 F=0x0000 T=128
Sep 17 19:14:59 cx1xxxx9-a kernel: IP fw-in deny eth1 UDP 192.168.0.69:4409 192.168.0.255:39213 L=140 S=0x00 I=63851 F=0x0000 T=128
Sep 17 19:15:00 cx1xxxx9-a kernel: IP fw-in deny eth1 UDP 192.168.0.69:4410 192.168.0.255:39213 L=846 S=0x00 I=64107 F=0x0000 T=128
Sep 17 19:15:01 cx1xxxx9-a kernel: IP fw-in deny eth1 UDP 192.168.0.69:4411 192.168.0.255:39213 L=296 S=0x00 I=64363 F=0x0000 T=128
Sep 17 19:15:01 cx1xxxx9-a kernel: IP fw-in deny eth1 UDP 192.168.0.69:4412 192.168.0.255:39213 L=140 S=0x00 I=64619 F=0x0000 T=128
Sep 17 19:15:03 cx1xxxx9-a kernel: IP fw-in deny eth1 UDP 192.168.0.69:4413 192.168.0.255:39213 L=846 S=0x00 I=64875 F=0x0000 T=128
Sep 17 19:15:04 cx1xxxx9-a kernel: IP fw-in deny eth1 UDP 192.168.0.69:4414 192.168.0.255:39213 L=296 S=0x00 I=108 F=0x0000 T=128
Sep 17 19:15:04 cx1xxxx9-a kernel: IP fw-in deny eth1 UDP 192.168.0.69:4415 192.168.0.255:39213 L=140 S=0x00 I=364 F=0x0000 T=128

--
Kevin
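
A defender's triage over the ipfwadm deny lines quoted in the post, added here as an example and not part of the original post: it parses the kernel log format, groups denies per flow with their rate, and flags the points that bear on question 1, namely a private source address arriving on the outside interface, a broadcast destination, and a TTL still at a default initial value. Assumptions: eth1 is the cable-modem interface and the log year is 1999.

```python
import re
import ipaddress
from datetime import datetime

# Three of the ipfwadm kernel log lines quoted in the post (page data, not constructed).
SAMPLE = """\
Sep 17 19:14:54 cx1xxxx9-a kernel: IP fw-in deny eth1 UDP 192.168.0.69:4404 192.168.0.255:39213 L=140 S=0x00 I=61035 F=0x0000 T=128
Sep 17 19:15:01 cx1xxxx9-a kernel: IP fw-in deny eth1 UDP 192.168.0.69:4411 192.168.0.255:39213 L=296 S=0x00 I=64363 F=0x0000 T=128
Sep 17 19:15:04 cx1xxxx9-a kernel: IP fw-in deny eth1 UDP 192.168.0.69:4415 192.168.0.255:39213 L=140 S=0x00 I=364 F=0x0000 T=128
""".splitlines()

# "<ts> <host> kernel: IP fw-<chain> <verdict> <iface> <proto> <src>:<sport> <dst>:<dport> L= S= I= F= T="
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: IP fw-(?P<chain>\w+) (?P<verdict>\w+) "
    r"(?P<iface>\S+) (?P<proto>\S+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=\S+ I=(?P<ipid>\d+) F=\S+ T=(?P<ttl>\d+)")
YEAR = 1999                    # syslog lines carry no year; taken from the post's date
EXTERNAL_IFACES = {"eth1"}     # assumption: eth1 is the cable-modem side
INITIAL_TTLS = {64, 128, 255}  # common OS default initial TTLs

def parse(lines):
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a TCP/UDP deny line in this shape (e.g. ICMP, no ports): skip
        r = m.groupdict()
        r["when"] = datetime.strptime(f"{YEAR} {r['ts']}", "%Y %b %d %H:%M:%S")
        r.update({k: int(r[k]) for k in ("sport", "dport", "len", "ipid", "ttl")})
        out.append(r)
    return out

def summarize(records):
    """Group denies per flow and attach the triage flags that answer 'where is this really from?'."""
    flows = {}
    for r in records:
        key = (r["iface"], r["proto"], r["src"], r["dst"], r["dport"])
        f = flows.setdefault(key, {"count": 0, "first": r["when"], "last": r["when"], "flags": set()})
        f["count"] += 1
        f["first"], f["last"] = min(f["first"], r["when"]), max(f["last"], r["when"])
        if ipaddress.ip_address(r["src"]).is_private and r["iface"] in EXTERNAL_IFACES:
            f["flags"].add("private-src-on-external-iface")  # RFC 1918 source from outside: spoofed or leaked
        if r["dst"].endswith(".255"):
            f["flags"].add("broadcast-dst")                  # heuristic: looks like a subnet broadcast
        if r["ttl"] in INITIAL_TTLS:
            # TTL still at a default value: no router decremented it, so the sender is most
            # likely on the directly attached segment rather than somewhere across the Internet
            f["flags"].add("ttl-unchanged")
    for f in flows.values():
        span = (f["last"] - f["first"]).total_seconds()
        f["rate_per_s"] = f["count"] / span if span else float(f["count"])
    return flows
```

Run it over the whole /var/log/messages to see which flows dominate the volume; a single flow with these three flags is a candidate for a silent (non-logging) deny rule or for a check of the cable segment rather than of the masqueraded hosts.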


1. How to remove "Denied connection from" from /var/log/messages?

Hi,

I only allow a handful of computers on my LAN to access the Samba
server. It appears that some of the WinXP computers are routinely
trying to see if there are any valid shares on my Samba server. I see
lots of these entries in /var/log/messages

[2004/07/18 04:33:16, 0] lib/access.c:check_access(328)
Denied connection from (123.123.123.123)

Is there anything I can do to configure samba to not log these denied
connections?

Thanks,
John
