I tried that. We have a rule set up for ports 445 and 135-139. Let's just say that since this last round of viruses, here is what tarpit has to say.

-rw------- 1 root root 489043093 Aug 26 19:49 messages
-rw------- 1 root root 787713009 Aug 26 04:47 messages.1

Luckily the firewall has 250gb drives. With that in mind, you might want to rate limit your logging on this.

Gary

> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of curby .
> Sent: Friday, August 26, 2005 2:56 PM
> To: Gottmar Krakéliusz
> Cc: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: Monitoring a TARPIT
>
> On 8/25/05, Gottmar Krakéliusz <ulan.bator@xxxxxxxxxxx> wrote:
> > Hi!
> > I use the TARPIT target to delay those brute force attacks on my SSH port.
> > Now I wonder if there is a way of getting some statistics on how many, which
> > IP:s and for how long they are caught.
> > AFAIK, I can't get ALL this by simply logging?
>
> If you put your logging rule right before the TARPIT rule, it should
> log everything that would get to TARPIT. This will show you IPs that
> get TARPIT-ed, and with some log analysis you could also find when,
> how many, etc.
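The log analysis mentioned in the quoted reply, as an added example that is not part of the original thread: it parses kernel LOG lines written by a rule placed just before the TARPIT rule and reports, per source IP, the hit count, destination ports, and the time between the first and last logged packet. The "TARPIT: " log prefix, the year, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, abbreviated sample of kernel LOG-target lines. The "TARPIT: "
# prefix is an assumed --log-prefix value; addresses are documentation ranges.
SAMPLE_LOG = """\
Aug 26 19:40:01 fw kernel: TARPIT: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=22 SYN
Aug 26 19:40:07 fw kernel: TARPIT: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.5 LEN=48 TTL=110 PROTO=TCP SPT=3321 DPT=445 SYN
Aug 26 19:41:30 fw sshd[812]: Failed password for root from 192.0.2.10 port 40112 ssh2
Aug 26 19:52:31 fw kernel: TARPIT: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=40120 DPT=22 SYN
"""


def tarpit_stats(log_text, prefix="TARPIT: ", year=2005):
    """Per-source hit count, first/last logged packet and destination ports.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    line_re = re.compile(
        r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?:\[[^\]]*\] ?)?"
        + re.escape(prefix)
        + r".*?\bSRC=(?P<src>\S+).*?\bDPT=(?P<dpt>\d+)"
    )
    stats = defaultdict(lambda: {"hits": 0, "first": None, "last": None, "ports": set()})
    for line in log_text.splitlines():
        m = line_re.match(line)
        if m is None:  # other daemons, other rules' prefixes, lines without ports
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entry = stats[m["src"]]
        entry["hits"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        entry["ports"].add(int(m["dpt"]))
    for entry in stats.values():
        # Seconds between the first and last logged packet from this source.
        entry["seconds"] = int((entry["last"] - entry["first"]).total_seconds())
    return dict(stats)


if __name__ == "__main__":
    ranked = sorted(tarpit_stats(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["hits"])
    for src, e in ranked:
        print(f"{src:15} hits={e['hits']} ports={sorted(e['ports'])} "
              f"first={e['first']:%b %d %H:%M:%S} span={e['seconds']}s")
```

If the LOG rule is rate limited, as suggested in the reply above, the hit counts are lower bounds, because packets over the limit are never written to the log.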