I posted a question about this a long time ago, http://www.linuxquestions.org/questi...=&threadid=887

But now it has come back to haunt me. I now have cable, RH 7.1, and using iptables instead of ipchains. Somebody really really dumb (or extremely smart) on my subnet is trying to connect to a single port on my broadcast ip. It may be a port scan or just someone not know how to run a server properly. As expected, they are being denied by my firewall. So I am not worried about being hacked (just yet). But the DENY messages will not stop coming up on my console. The problem is that this person is continuously trying to connect to this port. Somehow they are rotating throught about 3000 udp ports trying to connect to this one port. So, for every port they try to connect from, I get a deny message. 1 every 3 seconds....... but for the past month!!!! Yes, my logs are HUGE. This is obviously cluttering up my console and I cannot use it because I can never see what I am typing and what directory I am in. So.......

I have removed every reference to /dev/console in my syslog.conf. The only thing in there that I can see that might cause this is "*.emerg *" but I do not think DENY messages are emergency messages from the kernel. Anyone know why these messages would still be popping up on my screen? (The only way I can get them to stop is to turn off loggin in gShield, which I do not want to do.)

Andy

Do you have any daemons like mon or portsentry?

Maybe the solution is to get the actual problem solved. Most (all?) ISPs actively pursue members that run portscans against other members (as well as anybody on the internet). It's boilerplate text on most AUP (Accetible Use Policy) agreements on your (and the bad guy's)

Copy the logs, trim them for brevity, and mail them to whoever is responsible (abuse@your.isp).

Make sure the date and times are accurate so that they can find who had the IP address lease.

I've sent two out so far this year and although I never got anything more than an autoresponse mail message, the problems went away quickly.

DavidPhillips, no I do not have those daemons running. Sorry for being ignorant, but whay do you ask? I'm not sure what mon does and I was a little weary about setting up portsentry to make a default route to no where blocking the host because a person can spoof and popular website or DNS server or anything and I would be out of luck...

mcleodnine, I have already done that but was not to pleased by what I found. Yes, my cable company does not allow port scans and the do have a nice system for reporting, but I fear I may be overlooked due to the large customer base. Let me put it this way. Their system sends an auto messages back to you with a ticket number saying they got your request. My first attempt just asked what to do. I got a ticket number and the auto message mentioned to include the logs if I didn't. So, I sent the email again with the logs about an hours later. My trouble ticket was 9000 numbers higher than my first one. BTW, I have Adelphia Powerlink. My guess is that if they DID get to it, it would be a month or so down the line...

You mentioned you got an auto response message too. Mind if I ask what ISP you are using?

Andy

I must have spoke too soon. Right after I posted the last messages, I decide to check my logs. There has not been one instance of that message during the entire night. And that is even with logging all messages at debug level. I guess Adelphia s ALOT quicker that I thought. But now something else has come up, thankfully not so annoying.

On the screen again, as well as in my logs the following comes up every minute or so:

Jun 29 11:12:18 Voyager kernel: gShield (default drop) IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:c0:f0:4b:f0:51:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=256 PROTO=UDP SPT=68 DPT=67 LEN=308

From what I think I know, this messages is being generated by my machine trying to connect to a bootp (port 67 is a bootps and port 68 is a bootpc port) server on Adelphia's network. The only thing that bothers me is that the MAC address matches NEITHER of my ethernet cards... This is why I think something else may go on.

Does anyone know how to properly read IPTables logs or a good source where I can learn more about the logs?

Andy

I was just thinking that maybe one of these monitoring programs or others combined with checklog could be emailing thousands of log files to your root mailbox©

I guess there is no way to block everything and still be able to get on the internet, but I think portsentry would help stop the port scans©

The logs are only in the log files, I am not getting any emails in my root account. I'll mess around with it some more and let you guys know what I find. If I find anything....