LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-27-2004, 05:55 PM   #1
drexel
LQ Newbie
 
Registered: Jan 2004
Location: chicago
Distribution: YDL 3.0
Posts: 6

Rep: Reputation: 0
iptables and limiting the number of times an event gets logged


Hello all, first time poster here...

I'm hoping someone can provide an answer as to how I can limit the number of times my /var/log/messages file gets written to due to windoze noise on my network. For example:

Jan 27 17:47:48 sabertooth kernel: IPT_udp: Windoze DROP IN=eth1 OUT= MAC=XXX SRC=XXX.XXX.XXX.XXX DST=XXX.XXX.XXX.XXX LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=50570 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 27 17:47:52 sabertooth kernel: IPT_udp: Windoze DROP IN=eth1 OUT= MAC=XXX SRC=XXX.XXX.XXX.XXX DST=XXX.XXX.XXX.XXX LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=52362 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 27 17:47:52 sabertooth kernel: IPT_udp: Windoze DROP IN=eth1 OUT= MAC=XXX SRC=XXX.XXX.XXX.XXX DST=XXX.XXX.XXX.XXX LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=52618 PROTO=UDP SPT=137 DPT=137 LEN=58

/var/log/messages is littered with these entries. Here is the relevant section from my iptables script:

$IPTABLES -A IPT_udp_packets -p udp --match multiport --ports 137,138,139,445 \
-m limit --limit 3/minute -j LOG --log-prefix "IPT_udp: Windoze DROP "
$IPTABLES -A IPT_udp_packets -p udp -s 0/0 --destination-port 137:139 -j DROP
$IPTABLES -A IPT_udp_packets -p udp -s 0/0 --destination-port 445 -j DROP

What do I have to add/change to limit the number of times this traffic gets logged?

Specifically, I only want the message to appear in the logfile once every three minutes. I thought the "--limit 3/minute" part would do this, but it doesn't.

--> S.O.S. to any iptables GURUS out there... please help. Still getting lots of messages in logs, but I don't want to turn off logging completely for these ports. Maybe it isn't possible to limit the log rate or (more probably) my syntax is wrong? Any help would be much appreciated.

TIA

Last edited by drexel; 02-01-2004 at 01:40 PM.
 
Old 02-02-2004, 01:18 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
-m limit --limit 3/minute -j LOG --log-prefix "IPT_udp: Windoze DROP "

That's going to limit the number of times it's logged to 3 log entries per minute, not once every three minutes. To do once every three minutes, you'd have to do something like 0.333/minute but I believe you have to use integers, so it would probably have to be more like --limit 20/hour.
 
Old 02-09-2004, 01:14 AM   #3
drexel
LQ Newbie
 
Registered: Jan 2004
Location: chicago
Distribution: YDL 3.0
Posts: 6

Original Poster
Rep: Reputation: 0
Capt_Caveman,

I tried your advice and I now get log messages for this chain at the rate I want:

$IPTABLES -A IPT_udp_packets -p udp --match multiport --ports 137,138,139,445 \
-m limit --limit 6/hour --limit-burst 2 -j LOG --log-prefix "IPT_udp: Windoze DROP "

Logs every 10 minutes... perfecto.

Thanks for the knowledge.
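To see why `--limit 3/minute` (post #1) produced far more than one entry every three minutes, why `20/hour` (post #2) gets close, and what `--limit-burst 2` with `6/hour` (post #3) does, here is an added simulation of the token bucket that the iptables `limit` match implements. This is example code written for this page, not code from the thread: the bucket holds `--limit-burst` tokens (default 5) and refills at the `--limit` rate, and a packet matches, and so reaches the LOG target, only when a whole token is available. The traffic is constructed: one NetBIOS datagram every four seconds for an hour, roughly the pattern in the log excerpt above. The function names and the `netbios_chatter` generator are the example's own, not iptables API.

```python
"""Model of the iptables 'limit' match as a token bucket.

Added example, not from the thread.  It reproduces the behaviour of
`-m limit --limit RATE --limit-burst N`: the bucket starts with N tokens,
refills at RATE, and a packet matches only if a whole token is available.
Fractions are used so the counts are exact rather than subject to
floating-point drift.
"""
from fractions import Fraction

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def seconds_per_token(limit):
    """'20/hour' -> 180 seconds between tokens once the burst is spent."""
    count, _, unit = limit.partition("/")
    n = int(count)  # iptables accepts only an integer here, hence 20/hour, not 0.333/minute
    if n <= 0:
        raise ValueError("rate must be a positive integer")
    return Fraction(UNIT_SECONDS[unit or "second"], n)


class LimitMatch:
    def __init__(self, limit, burst=5):  # 5 is the iptables default for --limit-burst
        self.interval = seconds_per_token(limit)
        self.capacity = Fraction(burst)
        self.tokens = Fraction(burst)  # the bucket starts full
        self.last = None

    def matches(self, now):
        """Return True if a packet arriving at time `now` (seconds) passes the match."""
        now = Fraction(now)
        if self.last is not None:
            refill = (now - self.last) / self.interval
            self.tokens = min(self.capacity, self.tokens + refill)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def logged_times(limit, burst, packet_times):
    """Times at which a LOG rule guarded by this limit would actually fire."""
    match = LimitMatch(limit, burst)
    return [t for t in packet_times if match.matches(t)]


def netbios_chatter(duration=3600, gap=4):
    """Constructed traffic: one UDP/137 datagram every `gap` seconds for `duration` seconds."""
    return list(range(0, duration, gap))


def compare(rules, packet_times):
    """Log-line count per (limit, burst) over the same traffic."""
    return {f"{limit} burst {burst}": len(logged_times(limit, burst, packet_times))
            for limit, burst in rules}


if __name__ == "__main__":
    traffic = netbios_chatter()
    rules = [("3/minute", 5),   # the original rule: 5 at once, then one every 20 s
             ("20/hour", 5),    # Capt_Caveman's suggestion with the default burst
             ("20/hour", 1),    # strictly one line per three minutes
             ("6/hour", 2)]     # the rule drexel settled on
    for name, count in compare(rules, traffic).items():
        print(f"{name:20s} -> {count:4d} log lines per hour")
```

The first row is the thread's complaint in numbers: the default burst lets five lines through immediately, and after that `3/minute` means one line every 20 seconds, about 180 per hour. Adding `--limit-burst 1` is what turns `20/hour` into exactly one line every three minutes, since the bucket can never hold more than one token. One further thing worth checking in the posted rules: the LOG rule uses multiport `--ports`, which matches a port in either the source or the destination field, while the two DROP rules match on `--destination-port` only, so a datagram with source port 137 and some other destination port is logged with the "DROP" prefix but is not dropped by those two rules.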
 
Old 02-09-2004, 08:59 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
No problem drexel. Glad I could help.
 
  

