Where Are My Logs?!?


Dark Ninja
01-29-2002, 05:24 PM
Hey there! Haven't been here in awhile. Things have been rather hectic. It's good to be back.

However, I'm having a bit of a problem. I've gone from using portsentry in my most recent installation of Mandrake 8.1 to IPTables. However - I don't see my logs anywhere. I check /var/log/messages and /var/log/syslog, and all I have is this...repeatedly...

Jan 27 04:02:58 MY.IP.ADDY kernel: DROPPED IN=eth0 OUT= MAC=MY.MAC.NUMBER SRC=MY.IP.ADDY DST=SOME.RANDOM.IP.ADDY LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=30014 PROTO=2

There are just thousands of them filling up my logs. I am creating almost three new logs a day.

2 questions. 1 - how do I get rid of all those 'eth0' messages, as I like to refer to them. And 2 - how do I get IPtables to log the proper information? (Specifically, who is scanning my system.) I am using GuardDog as my configuration program, however, I am not adverse to using the console. It was more for convenience.

Thank you.

Dark Ninja

mychl
01-29-2002, 05:37 PM
Go here (http://www.linuxnewbie.org/cgi-bin/ubbcgi/ultimatebb.cgi?ubb=get_topic&f=21&t=002674) to see what all that stuff means.

I'm not sure how to specify a different log to write to, but if you wanted to turn it off, here are the lines to comment out of your iptables script.


iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "


HTH
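An added example (not from anyone in this thread) that parses the netfilter LOG line format quoted in the question and answers both of its questions from the log side: it separates the TTL=1 PROTO=2 entries (IP protocol 2 is IGMP, and 224.0.0.1 is the all-hosts multicast group, so these are link-local membership chatter, not probes) from dropped TCP SYNs, and reports any source that hit several distinct ports. The sample lines, hostnames, addresses and MACs are constructed for the example; the "INPUT_DROP:" prefix is the one from the rules above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (addresses from documentation ranges, not real hosts).
# The two PROTO=2 lines mirror the "eth0 messages" from the question; the TCP
# lines are made up to look like one host trying several ports in a row.
SAMPLE_LOG = """\
Jan 27 04:02:58 host kernel: DROPPED IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:50:56:ab:cd:ef:08:00 SRC=192.0.2.10 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=30014 PROTO=2
Jan 27 04:04:01 host kernel: DROPPED IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:50:56:ab:cd:ef:08:00 SRC=192.0.2.10 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=30015 PROTO=2
Jan 27 04:05:10 host kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:50:56:ab:cd:ef:00:0c:29:11:22:33:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 27 04:05:11 host kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:50:56:ab:cd:ef:00:0c:29:11:22:33:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 27 04:05:12 host kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:50:56:ab:cd:ef:00:0c:29:11:22:33:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 27 04:09:00 host kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:50:56:ab:cd:ef:00:0c:29:44:55:66:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=9 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog header, then everything after "kernel: " is an optional --log-prefix
# followed by KEY=VALUE tokens; bare flags such as DF and SYN carry no "=".
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return a dict of fields for one netfilter LOG line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m or "IN=" not in m.group("rest"):
        return None
    rest = m.group("rest")
    tail = rest[rest.index("IN="):]
    rec = {"ts": m.group("ts"), "prefix": rest[:rest.index("IN=")].strip()}
    rec.update(KV_RE.findall(tail))
    rec["flags"] = [tok for tok in tail.split() if "=" not in tok]
    return rec

def is_multicast_noise(rec):
    """IGMP (protocol 2) to a multicast group: the TTL=1 entries from the question."""
    return rec.get("PROTO") == "2" and ipaddress.ip_address(rec["DST"]).is_multicast

def noise_count(text):
    """How many lines are just the multicast chatter that fills the log."""
    return sum(1 for ln in text.splitlines() if (r := parse_line(ln)) and is_multicast_noise(r))

def scan_suspects(text, min_ports=3):
    """Group dropped TCP SYNs by source and report sources that touched at
    least min_ports distinct destination ports (the 'who is scanning me' question)."""
    ports = defaultdict(set)
    for ln in text.splitlines():
        rec = parse_line(ln)
        if rec and rec.get("PROTO") == "TCP" and "SYN" in rec["flags"]:
            ports[rec["SRC"]].add(int(rec["DPT"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    print("multicast noise lines:", noise_count(SAMPLE_LOG))
    print("suspected port scans:", scan_suspects(SAMPLE_LOG))
```

On a real box, replace SAMPLE_LOG with the contents of /var/log/messages; a separate --log-prefix per rule, as in the rules above, is what lets the prefix field tell the chains apart.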

kuber
01-29-2002, 07:49 PM
Hehe.. After hacking into your system I left those logs. Confusing, eh?

Dark Ninja
01-29-2002, 09:07 PM
Thanks for that information. Now it makes a lot more sense. That makes a lot more sense. However...I'm still confused about something. I saw another log recently, and it was all nicely written. Here's a sample from it:

------------------------------------------
Jul 12 16:46:50 compname ipmon[277]: [ID 702911 auth.alert] 16:46:50.179228 le0 @0:25 b 10.10.10.1,62315 -> 1.10.10.10,21 PR tcp len 20 48 -S IN
------------------------------------------

Now, how does that look so nice? That's kind of what I'm looking for. (The person who sent me this log, did mention a program called Snort...but...my /var/log/messages looks nothing like that.)

Thanks for your help.


Dark Ninja


Okay...well...I started up Snort. Hmmm...puts my interface into promiscuous mode. I'm not sure how great that is...I'm looking into that. But, for the moment, I'm running way too many protection modules. I had Bastille Firewall, IPTables, PortSentry, and Snort all running at once. Something bad has to come out of that. What? I'm not too sure. But, I'm working on this. Just learning. I just hope I don't make too many mistakes. (Bastille is gone now, BTW.)

Thanks for any insight anybody here can provide. It's always appreciated.

[ 29 January 2002: Message edited by: Dark Ninja ]