LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 05-09-2004, 01:49 PM   #1
mac_phil
Member
 
Registered: Sep 2003
Distribution: Mandrake 10.0
Posts: 200

Rep: Reputation: 30
How to reduce amount of (firewall) logging


I am running Mandrake 10.0 with Firestarter.

There are a few Windows machines on my subnet and my logs are FULL of hits that I do not want to log. I get hit at least every ten seconds. Those are not my machines and I have no control over them.

How can I stop logging this? For example, a machine on my subnet constantly hitting me from source port 1919 to destination port 5000?

I know about grepping logs and such, but I'd like to reduce the volume of logging. Or, if that's a stupid idea, please explain why. Thanks.
 
Old 05-09-2004, 05:33 PM   #2
demian
Member
 
Registered: Apr 2001
Location: Bremen, Germany
Distribution: Debian
Posts: 303

Rep: Reputation: 30
If you don't want to log something then just drop the packets without logging: Just make sure that the rule that drops the packets comes before the rule that logs it. With iptables the chains are traversed from top to bottom until a match is found. The first match usually terminates the traversal of the chain. So that when your last rule in a chain has a LOG target this wouldn't log the packets that were dropped earlier in the chain.

Another way is to use rate limits. If for instance you don't want to be flooded by broadcasts on tcp port 137 but you still want to know if they hit you from time to time use

iptables -A INPUT -p tcp --dport 137 --limit 1/minute -j LOG

to log only one of these packets a minute.

This just for the record: A log entry every ten seconds is nothing. If that makes your logs grow to big then you should seriously reconsider your logrotate.conf
 
Old 05-10-2004, 04:12 PM   #3
mac_phil
Member
 
Registered: Sep 2003
Distribution: Mandrake 10.0
Posts: 200

Original Poster
Rep: Reputation: 30
Thanks, I'll try that.

It's not that my logs are too big, it's that my computer is online 24/7 and it seems pointless to keep logging this one noisy Windows box on my subnet that is of no interest to me.

Cheers.
 
Old 05-12-2004, 03:11 PM   #4
cyph3r7
Member
 
Registered: Apr 2003
Location: Silicon Valley East, Northern Virginia
Distribution: FreeBSD,Debian, RH, ok well most of em...
Posts: 238

Rep: Reputation: 30
If you are on an ISP network, I always send an email to the ISP about boxes that are rooted.

but yeah, you can also just add a rule for that box only as a drop and not log.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Make most amount of Linux users in least amount of time studpenguin General 24 02-02-2007 03:42 PM
How to stop firewall logging to terminal screen ozymandias Linux - Security 10 10-01-2005 04:32 AM
Logging firewall with syslog-ng? RecoilUK Linux - Security 1 08-06-2005 04:28 PM
help me reduce my OS size =/ xushi Slackware 29 12-01-2004 11:45 AM
Logging into a firewall - IPSEC user benjithegreat98 Linux - Software 1 01-29-2004 11:06 PM


All times are GMT -5. The time now is 05:36 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration