Monitoring a TARPIT
Gary W. Smith
gary at primeexalia.com
Sat Aug 27 02:56:34 CEST 2005
I tried that. We have a rule set up for ports 445 and 135-139. Let's just say that since this last round of viruses, here is what tarpit has to say:
-rw------- 1 root root 489043093 Aug 26 19:49 messages
-rw------- 1 root root 787713009 Aug 26 04:47 messages.1
Luckily the firewall has 250gb drives.
With that in mind, you might want to rate limit your logging on this.
> -----Original Message-----
> From: netfilter-bounces at lists.netfilter.org [mailto:netfilter-
> bounces at lists.netfilter.org] On Behalf Of curby .
> Sent: Friday, August 26, 2005 2:56 PM
> To: Gottmar Krakéliusz
> Cc: netfilter at lists.netfilter.org
> Subject: Re: Monitoring a TARPIT
> On 8/25/05, Gottmar Krakéliusz <ulan.bator at hotmail.com> wrote:
> > Hi!
> > I use the TARPIT target to delay those brute force attacks on my SSH
> > Now I wonder if there is a way of getting some statistics on how many,
> > IP:s and for how long they are caught.
> > AFAIK, I can't get ALL this by simply logging?
> If you put your logging rule right before the TARPIT rule, it should
> log everything that would get to TARPIT. This will show you IPs that
> get TARPIT-ed, and with some log analysis you could also find when,
> how many, etc.