On Wed, 12 Mar 2003, George Chacon wrote:

> >>Your first problem is defining "offenders", then "repeat offenders" and
> >>"attackers". Do you mean simply to track everyone who attempts to
> >>connect to you? I presume you don't expect much if any legitimate
> >>incoming NEW traffic if this is the intent?
>
> Thanks for the response Joel. What I'd like to track are the IP addresses
> that get denied or rejected, and the deny/reject rules that get accessed
> frequently. In other words, I'd like to track repeated, obvious, malicious
> connections. I'd like to know if the same person is relentlessly chipping
> away at my firewall, looking for weaknesses.
>
> I'll take a look at http://ntop.org. That looks pretty good.

It may do, but I would still keep LOG in mind. You can catch just what you
want, put a useful prefix on the message to simplify analysis, and bang on it
with a perl program.

One hint for quick and dirty values is to write as little custom code as you
can. I use perl to identify the offending IPs and dump them to stdout, then
something like:

    perl getIP.pl mylog | sort | uniq -c | sort -n | tail -20

Emits the IP, sorts for uniq, outputs a count of how many times the IP showed
up, sorts on the count, and displays the top 20 "worst offenders." Since this
isn't something I often do the same way twice, it works for me.

-- 
bill davidsen <davidsen@xxxxxxx>
  CTO, TMR Associates, Inc
Doing interesting things with little computers since 1979.
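The pipeline above, as an added example that is not part of the original thread: a shell stand-in for the poster's getIP.pl that pulls the SRC= address out of kernel LOG lines carrying a chosen --log-prefix, then the same sort | uniq -c | sort -n | tail ranking with the count made a parameter. The prefix "FW-DROP:" and the log lines are constructed sample data.

```shell
#!/bin/sh
# Added example (not the original poster's code): rank the source addresses
# that hit a LOG rule most often. Assumes the standard kernel LOG line format,
# which carries a "SRC=<ip>" field; the prefix and sample lines are constructed.

# Constructed sample log: one host repeatedly probing SSH, one accepted
# connection (different prefix, must be ignored), one UDP drop.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Mar 12 10:01:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=22
Mar 12 10:01:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=22
Mar 12 10:01:04 gw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 PROTO=TCP SPT=50000 DPT=80
Mar 12 10:01:05 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.5 PROTO=UDP SPT=53 DPT=1434
Mar 12 10:01:06 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=22
EOF

# get_ips PREFIX FILE: stand-in for getIP.pl. Keeps only lines tagged with the
# prefix set by --log-prefix, prints one SRC address per line to stdout.
get_ips() {
    grep -F "$1" "$2" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p'
}

# top_offenders PREFIX FILE N: the post's pipeline with N instead of a fixed
# 20. Output is "count ip", lowest count first, so the worst offender is last.
top_offenders() {
    get_ips "$1" "$2" | sort | uniq -c | sort -n | tail -n "$3"
}

top_offenders "FW-DROP:" "$LOG" 20
```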