Old 07-07-2006, 02:11 AM   #1
chibi
Member
 
Registered: Aug 2004
Location: Canada
Distribution: Archlabs
Posts: 65

Rep: Reputation: 15
View active/past connections? (was dos'd)


Hello,

I had a small DoS today that didn't really work. It just slowed down the server; it was like a continuous thing, it wasn't like a single attack, more of a lag bringer for hours.

I suspected I knew who this person was so I blocked their isp and their webserver IPs using iptables, and like magic my server was lag free.

I want more proof of this, so I would appreciate someone telling me where I can see logs of all the connections (incoming and outgoing?). I am not really sure what sort of format they'd have: if I can search for IPs with grep or not. Or maybe I have to do something first to even have logs, I don't know.

I don't really think I could go and install snort or something like that. I always wondered how to see who's connecting and where (is a firewall really necessary, because I kinda thought Linux just auto logs this stuff). I know the netstat command, but are there any alternatives people would recommend or some sort of logging system that's easy to set up?

I really feel having some insight into this would be very beneficial should something very serious happen. Thanks everyone.

Last edited by chibi; 07-07-2006 at 02:12 AM.
 
Old 07-07-2006, 08:08 AM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
You can use tcpdump/ethereal to track packets. The beauty of these is if you have a specific IP address or range you suspect you can limit its capture to that.

Other than actual logins without turning on the above there is little that is tracked automatically. You can review /var/log/messages to see if it repeatedly shows attempts for logins that were refused. But to truly track it you need something like tcpdump/ethereal.

Linux does have configurable security but having a firewall between your ISP and the Linux machine is always a good extra measure especially if you have multiple machines inside the firewall. Several vendors (Linksys and Belkin to mention a couple) have 4 port (and wireless) firewall routers that you can just plug in and do minimal configuration on to get things going.
 
Old 07-07-2006, 09:23 AM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Also check your individual application logs (like SSH, Apache) as they will often include a more detailed log of individual connections. Tcpdump/Ethereal is definitely the tool of choice during the attack.

Note that you can configure iptables to log large numbers of connections or packets from a single source IP using the limit match.

Last edited by Capt_Caveman; 07-07-2006 at 09:25 AM.
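As an added example (not code from this thread or from any of its posters), here is what the limit-match logging suggested above looks like as iptables rules, together with a small shell function that answers the original question of grepping the resulting log for source IPs. The rule function needs root and is only shown, not run; the log lines at the bottom are constructed sample data in the format the kernel LOG target writes to /var/log/messages.

```shell
#!/bin/sh
# Rules (root required): log NEW connections, but rate-limit the LOG target
# itself with the limit match so an attacker cannot flood the log file.
install_log_rules() {
    iptables -N CONN_LOG
    iptables -A CONN_LOG -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "NEW_CONN: " --log-level 4
    iptables -A CONN_LOG -j RETURN
    iptables -I INPUT -m state --state NEW -j CONN_LOG
}

# Read kernel LOG lines on stdin, count them per SRC= address and print
# "count ip" for every source at or above a threshold (default 5),
# highest count first.
top_sources() {
    threshold="${1:-5}"
    grep -o 'SRC=[0-9.]*' | cut -d= -f2 | sort | uniq -c | sort -rn |
        awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Constructed sample log: 4 hits from one host, 2 from another, 1 from a third.
SAMPLE_LOG='Jul  7 02:05:01 srv kernel: NEW_CONN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41000 DPT=80 SYN
Jul  7 02:05:01 srv kernel: NEW_CONN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41001 DPT=80 SYN
Jul  7 02:05:02 srv kernel: NEW_CONN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=50233 DPT=22 SYN
Jul  7 02:05:02 srv kernel: NEW_CONN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41002 DPT=80 SYN
Jul  7 02:05:03 srv kernel: NEW_CONN: IN=eth0 OUT= SRC=192.0.2.44 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=53
Jul  7 02:05:03 srv kernel: NEW_CONN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=50234 DPT=22 SYN
Jul  7 02:05:04 srv kernel: NEW_CONN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41003 DPT=80 SYN'

# Show sources that made at least 3 new connections in the sample.
printf '%s\n' "$SAMPLE_LOG" | top_sources 3
```

On a real system replace the sample with `grep NEW_CONN /var/log/messages | top_sources 50` and feed any hit to `tcpdump -n host <ip>` to watch that one source, as post #2 suggests.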
 
Old 07-07-2006, 09:28 AM   #4
MoMule
Member
 
Registered: Jul 2006
Posts: 134

Rep: Reputation: 15
Dos

The problem with your iptables solution is that a true attacker will instantly catch on and change IPs to continue the attack (you can't physically monitor this 24/7).

Here's a nice little script that can monitor your logs (yes you have logs by default on Linux) and will automatically block any IP that fails any type of authentication that you set up (ftp, ssh, smtp, etc.).

Go to http://www.rfxnetworks.com/bfd.php and read up on the script.

I have friends who run multiple servers and are constantly barraged by various attacking attempts. They use BFD (Brute Force Detection) set at 3 failed attempts. After the three attempts, the attacker's IP is automatically banned for a preset time (or permanently).

Deion "Mule" Christopher
 
Old 07-07-2006, 02:13 PM   #5
chibi
Member
 
Registered: Aug 2004
Location: Canada
Distribution: Archlabs
Posts: 65

Original Poster
Rep: Reputation: 15
Excellent. Thank you guys very very much.