#33 <PORT> in regex

open
None
5
2007-06-01
2007-05-21
Anonymous
No

Hi,

I need to ban IPs from the Shorewall logs. Getting the involved IP with the <HOST> tag in the regex is not a problem, but I also need to get the port. Would it be possible to have a <PORT> tag, similar to <HOST>, to match it from the log line and send it to the action?

Thanks for this nice software.

jej

Discussion

  • Deathbob

    Deathbob - 2007-05-22


    Recommendation: Block all ports.

    And what kind of log entries are you getting from Shorewall that you need the port? If they are attacking ssh, block ssh... you shouldn't need very many filters. Most log entries from Shorewall say that it blocked them.

  • Cyril Jaquier

    Cyril Jaquier - 2007-05-24
    • assigned_to: nobody --> lostcontrol
    • status: open --> pending
  • Cyril Jaquier

    Cyril Jaquier - 2007-05-24


    Hi,

    Which port do you need? Would a "static" port not be enough?

    However, 0.9 will include more tags that can be used by actions.

  • Nobody/Anonymous

    • status: pending --> open
  • Nobody/Anonymous


    I need to ban a specific port, depending on the attacker. Of course I can ban the whole IP, but that's not fair play... Imagine someone from the same shared IP wants to get access to port 80; he will be banned as well.

    Here is a sample log line from Shorewall:

    May 27 01:59:09 MyHostName kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:40:XX...XX:00 SRC=61.26.231.27 DST=X.X.X.X LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=6324 DF PROTO=TCP SPT=1705 DPT=1722 WINDOW=64240 RES=0x00 SYN URGP=0

    I would like to prevent IP 61.26.231.27 from making incessant connections to port 1722 (he fills my logs :)

    A rule could be:
    kernel: Shorewall.*SRC=<HOST> .*DPT=<PORT>

    Cheers,
    jej

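As an added example (not from the original post or from fail2ban itself): a small Python script that expands the proposed rule's <HOST> and the requested <PORT> tag into named groups, runs the rule over constructed Shorewall lines modelled on the one above, and reports the (IP, port) pairs that cross a retry threshold. The tag patterns are simplified assumptions, not fail2ban's own.

```python
import re
from collections import Counter

# Assumption: simplified stand-ins for fail2ban's tag expansion. fail2ban's real
# <HOST> pattern is broader (IPv6, DNS names); <PORT> is the tag this ticket asks for.
TAGS = {
    "<HOST>": r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})",
    "<PORT>": r"(?P<port>\d{1,5})",
}

# The rule proposed in the ticket, verbatim.
RULE = r"kernel: Shorewall.*SRC=<HOST> .*DPT=<PORT>"

def compile_failregex(failregex):
    """Replace each tag with its named capture group and compile the result."""
    pattern = failregex
    for tag, group in TAGS.items():
        pattern = pattern.replace(tag, group)
    return re.compile(pattern)

def extract(failregex, line):
    """Return (host, port) for a matching log line, or None if it does not match."""
    match = compile_failregex(failregex).search(line)
    if match is None:
        return None
    return match.group("host"), int(match.group("port"))

def find_bans(failregex, lines, maxretry=3):
    """Count (host, port) pairs and return those seen at least maxretry times,
    i.e. the pairs an action would receive instead of a bare IP."""
    hits = Counter(h for h in (extract(failregex, l) for l in lines) if h)
    return sorted(pair for pair, count in hits.items() if count >= maxretry)

# Constructed sample: the ticket's Shorewall line repeated with new timestamps,
# plus one unrelated drop that must stay below maxretry.
_DROP = ("MyHostName kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:40:XX...XX:00 "
         "SRC={src} DST=X.X.X.X LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=6324 DF PROTO=TCP "
         "SPT=1705 DPT={dpt} WINDOW=64240 RES=0x00 SYN URGP=0")
SAMPLE_LOG = [
    "May 27 01:59:09 " + _DROP.format(src="61.26.231.27", dpt=1722),
    "May 27 01:59:11 " + _DROP.format(src="61.26.231.27", dpt=1722),
    "May 27 01:59:12 " + _DROP.format(src="192.0.2.10", dpt=22),
    "May 27 01:59:14 " + _DROP.format(src="61.26.231.27", dpt=1722),
]

if __name__ == "__main__":
    for host, port in find_bans(RULE, SAMPLE_LOG):
        print(f"ban {host} on port {port}")  # -> ban 61.26.231.27 on port 1722
```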
  • Deathbob

    Deathbob - 2007-06-01


    As far as I know, right now you must create a separate filter for each port and then specify that port in the action.
