On Sun, Aug 12, 2007 at 01:16:57PM -0700, Wade Richards wrote:
> 2) If you really don't like the log messages, then reconfigure your firewall to not
> log dropped packets.

Actually, it might be best to just drop (and not log) packets to these ports which are flooding your messages log, and log the rest. That way you log other (uncommon) incoming attacks blocked by the firewall, which might be an indication of somebody who is interested in you (for example, a portscan probe).

Easy to do like this:

    <your firewall ruleset, assuming your default policy is DROP>
    <....>
    iptables -A INPUT -p udp --dport 53 -j DROP
    # a comma-separated port list needs the multiport match; plain --dport takes one port or a range
    iptables -A INPUT -p tcp -m multiport --dports 137,138 -j DROP
    iptables -A INPUT -p udp -m multiport --dports 137,138 -j DROP
    iptables -A INPUT -j LOG
    <end of firewall ruleset>

Regards

Javier

PS: Notice that NetBIOS (ports 137, 138) worms try to propagate over both TCP and UDP:
http://isc.sans.org/port.html?port=137
http://isc.sans.org/port.html?port=138

PPS: I typically block and drop also port 139 (also NetBIOS), which is constantly probed due to multiple trojans and vulnerabilities:
http://isc.sans.org/port.html?port=139
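A complete version of the ruleset sketched above, as an added example that is not Javier's own script: the noisy NetBIOS and DNS probe ports are dropped silently, everything else that reaches the end of the chain is logged once and then falls to the DROP policy. Two things the short sketch leaves out and a practitioner will want: the comma-separated port lists need `-m multiport`, and the LOG rule itself should be rate-limited (`-m limit`), otherwise the next unusual probe flood simply moves the problem to a different log line. The port lists, the SSH ACCEPT, the `FW-INPUT-DROP:` prefix and the `apply`/`dry-run` convention are my assumptions; run it without arguments to print the rules, or as root with `apply` to install them.

```shell
#!/bin/sh
# Added example (not from the original message): generate or apply an INPUT
# ruleset that drops known-noisy probe ports without logging, then logs the
# remaining rejected traffic at a bounded rate before the DROP policy eats it.
# Port lists, the SSH ACCEPT and the log prefix are assumptions for illustration.
set -e

NOISY_TCP="137,138,139"      # NetBIOS over TCP (ISC port pages 137/138/139)
NOISY_UDP="53,137,138"       # DNS probes plus NetBIOS over UDP
LOG_LIMIT="${LOG_LIMIT:-5/min}"   # ceiling for log lines once the burst is used up

# build_rules CMD: run CMD (iptables, or "echo" for a dry run) for each rule.
# Order is the whole point: iptables takes the first matching rule, so the
# silent DROPs must sit before the LOG rule, and the LOG rule before the
# default DROP policy.
build_rules() {
    ipt="${1:-iptables}"
    "$ipt" -P INPUT DROP                                  # default policy
    "$ipt" -F INPUT                                       # start from a clean chain
    "$ipt" -A INPUT -i lo -j ACCEPT
    "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # services you actually offer go here (assumed: SSH)
    "$ipt" -A INPUT -p tcp --dport 22 -j ACCEPT
    # noise: drop silently. A comma list requires the multiport match;
    # plain --dport only accepts a single port or a port range (a:b).
    "$ipt" -A INPUT -p tcp -m multiport --dports "$NOISY_TCP" -j DROP
    "$ipt" -A INPUT -p udp -m multiport --dports "$NOISY_UDP" -j DROP
    # everything else: log, but rate-limited so a new flood cannot fill the log,
    # then fall through to the DROP policy.
    "$ipt" -A INPUT -m limit --limit "$LOG_LIMIT" --limit-burst 10 \
        -j LOG --log-prefix "FW-INPUT-DROP: " --log-level 4
}

# rule_count: number of -A INPUT rules the generator emits (sanity check).
rule_count() {
    build_rules echo | grep -c -- '-A INPUT'
}

# rule_position PATTERN: 1-based line of the first emitted rule matching
# PATTERN; used to check that the silent DROPs precede the LOG rule.
rule_position() {
    build_rules echo | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

case "${1:-dry-run}" in
    apply)   build_rules iptables ;;      # needs root
    dry-run) build_rules echo ;;
    *)       echo "usage: $0 [apply|dry-run]" >&2; exit 2 ;;
esac
```

If you later add more services, keep the ACCEPT rules above the multiport DROPs; if you add more noisy ports, extend the two lists rather than adding rules after the LOG line, where they would never be reached.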