It took me a while to notice there's no HTTP method involved, so these aren't valid HTTP requests (=clients?) to begin with.
Quote:
|
Yes, but first I must see how to do it (the firewall logging), I have no idea so far, and with Wireshark, I suppose I must let the computer work for days, until I "receive" the custom salute from the outsiders. :)
Ah, ok, it's the LOG target, but where is the info logged? I think that without being set up (iptables log in syslogd and logrotate) it is logged by dmesg, but within its limits, I think. So, I must learn how to set up logging of iptables in syslogd and then logrotate. Maybe I am wrong, but this is what I think. BTW, is it appropriate or enough to see the current connections to my computer with "netstat -aut", or do I need more options here? |
'man iptables':
Code:
LOG
Quote:
|
I was thinking about the possibility that someone intruded and with netstat I can see his connection... not started by me, of course... and get an idea of what he is doing.
You're right about reading the documentation first. Sorry about that hurry. |
Quote:
|
Honestly, I hope, and I don't really believe, that it was compromised; I think these were only attempts to break in. This is my feeling, after analyzing the behavior of the "attacks" in the server log, without knowing the server's internals.
|
Then let's stick with logging web server requests, firewall connections and capturing packets with
Code:
tcpdump -n -nn -s 0 -i eth[devicenumber] -w /path/to/dump.pcap 'tcp[tcpflags] & tcp-syn != 0 and dst port 80' |
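The quoted posts above ask where the LOG target's output ends up and how to make sense of it afterwards. What follows is an added example, not code posted by unSpawn or the original poster: a rule set that logs new connection attempts (SYN) to port 80 under an assumed prefix, a note on where those kernel messages land, and a small summarizer that reads such lines and reports attempts per source with the first and last time each was seen. The chain name HTTPLOG, the prefix "HTTP-SYN: ", the rate limits, the log path and the sample log lines are all assumptions constructed for this example, not taken from the thread.

```sh
#!/bin/sh
# Added example for this thread, not code from unSpawn or the asker.
# Assumptions (not from the thread): Linux with iptables, a syslog daemon
# that writes kern.* to /var/log/kern.log, and a made-up --log-prefix
# "HTTP-SYN: " so firewall lines can be told apart from other kernel output.
#
# Rules to log SYNs to port 80. They need root and change the live
# firewall, so they are left as comments here:
#
#   iptables -N HTTPLOG
#   iptables -A INPUT -p tcp --dport 80 --syn -j HTTPLOG
#   iptables -A HTTPLOG -m limit --limit 10/min --limit-burst 20 \
#            -j LOG --log-prefix "HTTP-SYN: " --log-level info
#   iptables -A HTTPLOG -j RETURN
#
# LOG has no file of its own: it writes to the kernel ring buffer (what
# dmesg shows), and the syslog daemon copies kern.* messages to
# /var/log/kern.log (Debian-style) or /var/log/messages (Red Hat-style),
# which the existing logrotate rules for those files already cover.
# The -m limit match keeps a SYN flood from filling that file.

# Constructed sample lines in the format the LOG target produces, as they
# appear in a syslog file (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG='Jan 10 21:03:11 web kernel: HTTP-SYN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44231 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 21:03:12 web kernel: HTTP-SYN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44232 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 21:04:40 web kernel: HTTP-SYN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=9631 DF PROTO=TCP SPT=50122 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 10 21:05:02 web kernel: usb 1-1: new high-speed USB device number 3 using ehci-pci'

# Read syslog-format lines on stdin, keep only the firewall ones, and print
# "count source first-seen -> last-seen", busiest source first. Other kernel
# messages (like the USB line above) are dropped by the grep.
syn_sources() {
    grep 'HTTP-SYN: ' | awk '
        {
            ts = $1 " " $2 " " $3          # syslog timestamp: Mon DD HH:MM:SS
            src = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) src = substr($i, 5)
            if (src == "") next
            n[src]++
            if (!(src in first)) first[src] = ts
            last[src] = ts
        }
        END { for (s in n) print n[s], s, first[s], "->", last[s] }
    ' | sort -rn
}

# Stand-alone run over the constructed sample; on a real box use
#   syn_sources < /var/log/kern.log
printf '%s\n' "$SAMPLE_LOG" | syn_sources
```

The summarizer expects syslog-style lines; plain dmesg output carries a `[seconds.micros]` prefix instead of a date, so the SRC counts would still be right there but the first/last columns would not. On the netstat question in the quote: `netstat -aut` lists TCP and UDP sockets but not the process behind each; `netstat -autp` (as root) adds that, which is what you need to tell your own connections from someone else's.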
Here is another fresh log record:
Quote:
Your command seems a little too complicated for me right now. Maybe later I will be able to decode it. Update: the IP is from Russia |
unSpawn, thank you for your answer, it was really interesting, though I need to study the tcpdump syntax more. Also, what does the -nn flag mean? I didn't find it in the man page; maybe I should try info?
|
-nn Don't convert protocol and port numbers etc. to names either.
Come to think of it, just tcpdump -s 0 -i eth[devicenumber] -w /path/to/dump.pcap 'tcp[tcpflags] & tcp-syn != 0 and dst port 80' should do, because you're logging to a file. |