From: Michael Sullivan <michael@espersunited.com>
To: gentoo-user <gentoo-user@lists.gentoo.org>
Subject: [gentoo-user] OT - ipkungfu perhaps not doing its job
Date: Thu, 16 Nov 2006 12:29:02 -0600
Message-ID: <1163701742.12501.94.camel@camille.espersunited.com>
Can anyone tell me why I have about a hundred of these

Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45

when that IP address is in /etc/ipkungfu/deny_hosts.conf? Here are my
rules; I don't understand them:
bullet ~ # ipkungfu -l
Chain INPUT (policy DROP 2 packets, 144 bytes)
pkts bytes target prot opt in out source destination
45662 6103K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 LOG all -- lo any 0.0.0.1 anywhere LOG level warning prefix `IPKF IPKungFu (--init)'
0 0 DROP all -- eth0 any 210.188.206.107 anywhere
0 0 DROP all -- eth0 any 222.90.206.62 anywhere
0 0 DROP all -- eth0 any 61.178.185.124 anywhere
0 0 DROP all -- eth0 any 65.98.76.197 anywhere
0 0 DROP all -- eth0 any 211.234.99.230 anywhere
0 0 DROP all -- eth0 any 60.191.34.155 anywhere
0 0 DROP all -- eth0 any sd-2742.dedibox.fr anywhere
1 40 DROP all -- eth0 any nameservices.net anywhere
1 55 DROP all -- eth0 any 222.135.146.45 anywhere
28 1598 ACCEPT all -- any any camille.espersunited.com anywhere
7 351 ACCEPT all -- any any catherine.espersunited.com anywhere
0 0 DROP all -- any any anywhere anywhere recent: CHECK seconds: 120 name: badguy side: source
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags ALL: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags NONE: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap XMAS): '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap FIN): '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,FIN: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,RST: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap NULL): '
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:SYN,RST/SYN,RST
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
3 276 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
85 3400 LOG all -- any any anywhere anywhere state INVALID limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Invalid TCP flag: '
85 3400 DROP all -- any any anywhere anywhere state INVALID
0 0 LOG all -f eth0 any anywhere anywhere limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Fragmented Packet: '
0 0 DROP all -f eth0 any anywhere anywhere
0 0 LOG icmp -- eth0 any anywhere anywhere icmp timestamp-request limit: avg 3/sec burst 5 LOG level warning prefix `IPKF ICMP Timestamp: '
0 0 DROP icmp -- eth0 any anywhere anywhere icmp timestamp-request
125 6656 syn-flood tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW limit: avg 3/sec burst 5 LOG level warning prefix `IPKF New Not SYN: '
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
0 0 DROP tcp -- eth0 any anywhere anywhere multiport dports netbios-ns,6666
2 808 DROP udp -- eth0 any anywhere anywhere multiport dports ms-sql-m
102 5552 ACCEPT tcp -- eth0 any anywhere anywhere state NEW multiport dports ftp,ssh,smtp,http,imap,https
0 0 ACCEPT udp -- eth0 any anywhere anywhere state NEW multiport dports imap
203 15337 ACCEPT all -- lo any anywhere anywhere state NEW
0 0 ACCEPT all -- lo any localhost.localdomain anywhere state NEW
2 112 REJECT tcp -- any any anywhere anywhere tcp dpt:auth reject-with tcp-reset
146 38531 LOG !icmp -- any any anywhere anywhere limit: avg 3/sec burst 5 LOG level warning prefix `IPKF INPUT Catch-all: '
146 38531 DROP all -- any any anywhere anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 any camille.espersunited.com anywhere
0 0 ACCEPT all -- eth0 any catherine.espersunited.com anywhere
0 0 DROP all -- eth0 any anywhere anywhere recent: CHECK seconds: 120 name: badguy side: source
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags ALL: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags NONE: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags FIN,URG,PSH: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap XMAS): '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,FIN: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,RST: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap NULL): '
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:SYN,RST/SYN,RST
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
0 0 LOG all -- eth0 any anywhere anywhere state INVALID limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Invalid TCP flag: '
0 0 DROP all -- eth0 any anywhere anywhere state INVALID
0 0 LOG all -f eth0 any anywhere anywhere limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Fragmented Packet: '
0 0 DROP all -f eth0 any anywhere anywhere
0 0 LOG icmp -- eth0 any anywhere anywhere icmp timestamp-request limit: avg 3/sec burst 5 LOG level warning prefix `IPKF ICMP Timestamp: '
0 0 DROP icmp -- eth0 any anywhere anywhere icmp timestamp-request
0 0 syn-flood tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW limit: avg 3/sec burst 5 LOG level warning prefix `IPKF New Not SYN: '
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
0 0 DROP tcp -- eth0 any anywhere anywhere multiport dports netbios-ns,6666
0 0 DROP udp -- eth0 any anywhere anywhere multiport dports ms-sql-m
0 0 REJECT tcp -- eth0 any anywhere anywhere tcp dpt:auth reject-with tcp-reset

Chain OUTPUT (policy ACCEPT 5 packets, 366 bytes)
pkts bytes target prot opt in out source destination
60950 17M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
968 76964 ACCEPT all -- any any anywhere anywhere state NEW

Chain syn-flood (2 references)
pkts bytes target prot opt in out source destination
125 6656 RETURN all -- any any anywhere anywhere limit: avg 10/sec burst 24
0 0 LOG all -- any any anywhere anywhere limit: avg 3/sec burst 5 LOG level warning prefix `IPKF SYN flood: '
0 0 DROP all -- any any anywhere anywhere
bullet ~ #
--
gentoo-user@gentoo.org mailing list
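An added defender-side check, not part of this post or of ipkungfu: it counts the pam_unix failures per rhost and process, then walks an abbreviated copy of the INPUT chain above to show that the stateful ACCEPT (state RELATED,ESTABLISHED) is evaluated before the per-host DROP, so a session that was already in the connection-tracking table keeps matching the ACCEPT and only new connections ever reach the DROP (which is consistent with its counter of a single packet). The log lines and the trimmed chain are constructed from the post; the function names are mine.

```python
import re
from collections import Counter
# Constructed input modelled on the post: three of the "about a hundred" pam_unix failures
# (all from ftp PID 2045) and an abbreviated INPUT chain keeping only the three rules that matter.
AUTH_LOG = """\
Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
"""
INPUT_CHAIN = """\
Chain INPUT (policy DROP 2 packets, 144 bytes)
 pkts bytes target prot opt in out source destination
45662 6103K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
    1    55 DROP all -- eth0 any 222.135.146.45 anywhere
  102  5552 ACCEPT tcp -- eth0 any anywhere anywhere state NEW multiport dports ftp,ssh,smtp,http,imap,https
"""
FAIL_RE = re.compile(r"\(pam_unix\)\[(\d+)\]: authentication failure;.*\brhost=(\S+)")

def failures_by_host(log):
    """Count pam_unix failures keyed by (rhost, pid); one PID means one ftp session."""
    counts = Counter()
    for line in log.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[(m.group(2), m.group(1))] += 1
    return counts

def parse_chain(text):
    """Parse `iptables -L -v`-style rule lines; the chain and column headers are skipped."""
    rules = []
    for line in text.splitlines():
        fields = line.split(None, 9)  # pkts bytes target prot opt in out src dst [match]
        if len(fields) < 9 or not fields[0].isdigit():
            continue
        rules.append({"pkts": int(fields[0]), "target": fields[2], "src": fields[7],
                      "match": fields[9] if len(fields) > 9 else ""})
    return rules

def diagnose(rules, host):
    """Find the per-host DROP and the stateful ACCEPT; established_first=True means a
    session already in conntrack matches the ACCEPT and never reaches the DROP."""
    drop = next((i for i, r in enumerate(rules) if r["target"] == "DROP" and r["src"] == host), None)
    est = next((i for i, r in enumerate(rules) if r["target"] == "ACCEPT" and "ESTABLISHED" in r["match"]), None)
    return {"drop_index": drop, "established_index": est,
            "drop_hits": rules[drop]["pkts"] if drop is not None else 0,
            "established_first": drop is not None and est is not None and est < drop}

if __name__ == "__main__":
    for (host, pid), n in failures_by_host(AUTH_LOG).items():
        print(f"{host} (pid {pid}): {n} failures; {diagnose(parse_chain(INPUT_CHAIN), host)}")
```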
Thread overview:
2006-11-16 18:29 Michael Sullivan [this message]
2006-11-16 19:09 ` [gentoo-user] OT - ipkungfu perhaps not doing its job Alan McKinnon
2006-11-16 20:59 ` Michael Sullivan