Subject: [gentoo-user] OT - ipkungfu perhaps not doing its job
From: Michael Sullivan <michael@espersunited.com>
To: gentoo-user <gentoo-user@lists.gentoo.org>
Content-Type: text/plain
Date: Thu, 16 Nov 2006 12:29:02 -0600
Message-Id: <1163701742.12501.94.camel@camille.espersunited.com>

Can anyone tell me why I have about a hundred of these

Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45

when that IP address is in /etc/ipkungfu/deny_hosts.conf?  Here are my
rules; I don't understand them:

bullet ~ # ipkungfu -l
Chain INPUT (policy DROP 2 packets, 144 bytes)
 pkts bytes target     prot opt in     out     source               destination
45662 6103K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 LOG        all  --  lo     any     0.0.0.1              anywhere            LOG level warning prefix `IPKF IPKungFu (--init)'
    0     0 DROP       all  --  eth0   any     210.188.206.107      anywhere
    0     0 DROP       all  --  eth0   any     222.90.206.62        anywhere
    0     0 DROP       all  --  eth0   any     61.178.185.124       anywhere
    0     0 DROP       all  --  eth0   any     65.98.76.197         anywhere
    0     0 DROP       all  --  eth0   any     211.234.99.230       anywhere
    0     0 DROP       all  --  eth0   any     60.191.34.155        anywhere
    0     0 DROP       all  --  eth0   any     sd-2742.dedibox.fr   anywhere
    1    40 DROP       all  --  eth0   any     nameservices.net     anywhere
    1    55 DROP       all  --  eth0   any     222.135.146.45       anywhere
   28  1598 ACCEPT     all  --  any    any     camille.espersunited.com  anywhere
    7   351 ACCEPT     all  --  any    any     catherine.espersunited.com  anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere            recent: CHECK seconds: 120 name: badguy side: source
    0     0 LOG        tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags ALL: '
    0     0 LOG        tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags NONE: '
    0     0 LOG        tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap XMAS): '
    0     0 LOG        tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap FIN): '
    0     0 LOG        tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,FIN: '
    0     0 LOG        tcp  --  eth0   any     anywhere             anywhere            tcp flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,RST: '
    0     0 LOG        tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: '
    0     0 LOG        tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap NULL): '
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    3   276 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-request
   85  3400 LOG        all  --  any    any     anywhere             anywhere            state INVALID limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Invalid TCP flag: '
   85  3400 DROP       all  --  any    any     anywhere             anywhere            state INVALID
    0     0 LOG        all  -f  eth0   any     anywhere             anywhere            limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Fragmented Packet: '
    0     0 DROP       all  -f  eth0   any     anywhere             anywhere
    0     0 LOG        icmp --  eth0   any     anywhere             anywhere            icmp timestamp-request limit: avg 3/sec burst 5 LOG level warning prefix `IPKF ICMP Timestamp: '
    0     0 DROP       icmp --  eth0   any     anywhere             anywhere            icmp timestamp-request
  125  6656 syn-flood  tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
    0     0 LOG        tcp  --  eth0   any     anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN state NEW limit: avg 3/sec burst 5 LOG level warning prefix `IPKF New Not SYN: '
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN state NEW
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere            multiport dports netbios-ns,6666
    2   808 DROP       udp  --  eth0   any     anywhere             anywhere            multiport dports ms-sql-m
  102  5552 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            state NEW multiport dports ftp,ssh,smtp,http,imap,https
    0     0 ACCEPT     udp  --  eth0   any     anywhere             anywhere            state NEW multiport dports imap
  203 15337 ACCEPT     all  --  lo     any     anywhere             anywhere            state NEW
    0     0 ACCEPT     all  --  lo     any     localhost.localdomain  anywhere            state NEW
    2   112 REJECT     tcp  --  any    any     anywhere             anywhere            tcp dpt:auth reject-with tcp-reset
  146 38531 LOG       !icmp --  any    any     anywhere             anywhere            limit: avg 3/sec burst 5 LOG level warning prefix `IPKF INPUT Catch-all: '
  146 38531 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   any     camille.espersunited.com  anywhere
    0     0 ACCEPT     all  --  eth0   any     catherine.espersunited.com  anywhere
    0     0 DROP       all  --  eth0   any     anywhere             anywhere            recent: CHECK seconds: 120 name: badguy side: source
    0     0 LOG        tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags ALL: '
    0     0 LOG        tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags NONE: '
    0     0 LOG        tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags FIN,URG,PSH: '
    0     0 LOG        tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap XMAS): '
    0     0 LOG        tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,FIN: '
    0     0 LOG        tcp  --  eth0   any     anywhere             anywhere            tcp flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,RST: '
    0     0 LOG        tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: '
    0     0 LOG        tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap NULL): '
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
    0     0 LOG        all  --  eth0   any     anywhere             anywhere            state INVALID limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Invalid TCP flag: '
    0     0 DROP       all  --  eth0   any     anywhere             anywhere            state INVALID
    0     0 LOG        all  -f  eth0   any     anywhere             anywhere            limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Fragmented Packet: '
    0     0 DROP       all  -f  eth0   any     anywhere             anywhere
    0     0 LOG        icmp --  eth0   any     anywhere             anywhere            icmp timestamp-request limit: avg 3/sec burst 5 LOG level warning prefix `IPKF ICMP Timestamp: '
    0     0 DROP       icmp --  eth0   any     anywhere             anywhere            icmp timestamp-request
    0     0 syn-flood  tcp  --  eth0   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
    0     0 LOG        tcp  --  eth0   any     anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN state NEW limit: avg 3/sec burst 5 LOG level warning prefix `IPKF New Not SYN: '
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN state NEW
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere            multiport dports netbios-ns,6666
    0     0 DROP       udp  --  eth0   any     anywhere             anywhere            multiport dports ms-sql-m
    0     0 REJECT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:auth reject-with tcp-reset

Chain OUTPUT (policy ACCEPT 5 packets, 366 bytes)
 pkts bytes target     prot opt in     out     source               destination
60950   17M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
  968 76964 ACCEPT     all  --  any    any     anywhere             anywhere            state NEW

Chain syn-flood (2 references)
 pkts bytes target     prot opt in     out     source               destination
  125  6656 RETURN     all  --  any    any     anywhere             anywhere            limit: avg 10/sec burst 24
    0     0 LOG        all  --  any    any     anywhere             anywhere            limit: avg 3/sec burst 5 LOG level warning prefix `IPKF SYN flood: '
    0     0 DROP       all  --  any    any     anywhere             anywhere
bullet ~ #






-- 
gentoo-user@gentoo.org mailing list
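As an added example (editor's code, not part of the post and not part of ipkungfu), a Python triage script that reads both things quoted in the message above: the pam_unix failure lines and the INPUT chain listing. The listing already contains the answer. Its first rule accepts everything in state RELATED,ESTABLISHED, and the per-host DROP for 222.135.146.45 comes several rules later, so a TCP session that was already open when the deny rule was loaded keeps matching the first rule on every packet and never reaches the DROP; the DROP's counter (1 packet, 55 bytes) shows it has only ever seen one packet from that host. The DROP is also bound to `-i eth0`, so traffic arriving on another interface would not match it either. The constant PID 2045 across all the failures is consistent with one long-lived ftp process holding one session rather than a fresh connection per attempt. The script checks both conditions mechanically. Assumptions: the year 2006 for the syslog timestamps, and the second host (10.0.0.9, PID 3100) in the sample log, which is invented so the grouping is visible; the rule excerpt is copied from the post with the wrapped columns rejoined.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the four pam_unix lines quoted in the post, each
# rejoined onto one line, plus one invented line from a second host
# (10.0.0.9, PID 3100) so that the per-host grouping is visible.
SAMPLE_LOG = """\
Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:05:00 bullet ftp(pam_unix)[3100]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.0.0.9
"""

# Constructed excerpt of the INPUT chain from the post's `ipkungfu -l` output
# (iptables -L -v layout), cut down to the rules that matter for the question.
SAMPLE_RULES = """\
Chain INPUT (policy DROP 2 packets, 144 bytes)
 pkts bytes target     prot opt in     out     source               destination
45662 6103K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 DROP       all  --  eth0   any     210.188.206.107      anywhere
    1    55 DROP       all  --  eth0   any     222.135.146.45       anywhere
   28  1598 ACCEPT     all  --  any    any     camille.espersunited.com  anywhere
"""

PAM_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<svc>\w+)\(pam_unix\)"
    r"\[(?P<pid>\d+)\]: authentication failure;.*\brhost=(?P<rhost>\S*)"
)

# One iptables -L -v row: pkts bytes target prot opt in out source destination [matches]
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+(?P<prot>\S+)"
    r"\s+(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)

def parse_pam_failures(text, year=2006):
    """Return (timestamp, service, pid, rhost) per pam_unix failure line.
    syslog timestamps carry no year, so one is supplied (2006 assumed)."""
    events = []
    for line in text.splitlines():
        m = PAM_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["svc"], int(m["pid"]), m["rhost"]))
    return events

def summarize_by_rhost(events):
    """Per remote host: failure count, PIDs seen, seconds spanned, and whether all
    failures came through one PID (one process holding one session open)."""
    by_host = defaultdict(list)
    for ts, _svc, pid, rhost in events:
        by_host[rhost].append((ts, pid))
    summary = {}
    for rhost, items in by_host.items():
        times = [t for t, _ in items]
        pids = sorted({p for _, p in items})
        summary[rhost] = {
            "failures": len(items),
            "pids": pids,
            "span_seconds": int((max(times) - min(times)).total_seconds()),
            "same_pid": len(items) > 1 and len(pids) == 1,
        }
    return summary

def parse_chain(text):
    """Parse one chain listing into rule dicts, preserving rule order."""
    rules = []
    for line in text.splitlines():
        if line.startswith("Chain ") or line.split()[:2] == ["pkts", "bytes"]:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules

def deny_rule_shadowed(rules, src):
    """True when the DROP for `src` sits after an ACCEPT on RELATED,ESTABLISHED:
    a connection opened before the DROP was loaded keeps matching the ACCEPT."""
    est = next((i for i, r in enumerate(rules)
                if r["target"] == "ACCEPT" and "ESTABLISHED" in r["extra"]), None)
    drop = next((i for i, r in enumerate(rules)
                 if r["target"] == "DROP" and r["src"] == src), None)
    return drop is not None and est is not None and est < drop

def triage(log_text, chain_text, src):
    """Combine the log view and the rule view for one remote host."""
    stats = summarize_by_rhost(parse_pam_failures(log_text)).get(src)
    rules = parse_chain(chain_text)
    return {
        "failures": stats["failures"] if stats else 0,
        "same_pid": bool(stats and stats["same_pid"]),
        "has_drop": any(r["target"] == "DROP" and r["src"] == src for r in rules),
        "drop_shadowed": deny_rule_shadowed(rules, src),
    }

if __name__ == "__main__":
    for host in ("222.135.146.45", "10.0.0.9"):
        print(host, triage(SAMPLE_LOG, SAMPLE_RULES, host))
```

For 222.135.146.45 the script reports four failures through a single PID, a DROP rule present, and that DROP shadowed by the state rule. To make a deny bite on a session that is already open, the DROP has to be placed ahead of the RELATED,ESTABLISHED accept and the existing connection has to be torn down, for example `iptables -I INPUT 1 -i eth0 -s 222.135.146.45 -j DROP` followed by `conntrack -D -s 222.135.146.45` (from conntrack-tools) or by killing the ftp child process; whether ipkungfu can be told to order deny_hosts ahead of its state rule is not something the post shows.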