Monitoring a TARPIT

Gary W. Smith gary at primeexalia.com
Sat Aug 27 02:56:34 CEST 2005


I tried that.  We have a rule set up for ports 445 and 135-139. Let's just say that, since this last round of viruses, here is what tarpit has to say.

-rw-------   1 root   root    489043093 Aug 26 19:49 messages
-rw-------   1 root   root    787713009 Aug 26 04:47 messages.1

Luckily the firewall has 250gb drives.

With that in mind, you might want to rate limit your logging on this.

Gary

> -----Original Message-----
> From: netfilter-bounces at lists.netfilter.org [mailto:netfilter-
> bounces at lists.netfilter.org] On Behalf Of curby .
> Sent: Friday, August 26, 2005 2:56 PM
> To: Gottmar Krakéliusz
> Cc: netfilter at lists.netfilter.org
> Subject: Re: Monitoring a TARPIT
> 
> On 8/25/05, Gottmar Krakéliusz <ulan.bator at hotmail.com> wrote:
> > Hi!
> > I use the TARPIT target to delay those brute force attacks on my SSH port.
> > Now I wonder if there is a way of getting some statistics on how many,
> > which IPs and for how long they are caught.
> > AFAIK, I can't get ALL this by simply logging?
> 
> If you put your logging rule right before the TARPIT rule, it should
> log everything that would get to TARPIT.  This will show you IPs that
> get TARPIT-ed, and with some log analysis you could also find when,
> how many, etc.