
trying to understand ipfilter


Steve Fabac

Jan 8, 2021, 7:22:22 PM1/8/21
I have ipfilter set up on a SCO UNIX system and have scripted lock_sshd, which monitors all ssh connection attempts and blocks failed logins from hackers scanning public IPs for an open SSH port to hack. Lock_sshd adds a rule to the /etc/ipf.conf file for the offending IP and generates a syslog entry for the block:
Jan 7 22:07:01 host1 SSHCHECK: Added ipf block on port 22 from 185.143.223.136 for SSH abuse

As part of the reporting lock_sshd populates /var/adm/logipf file from the command:

date >> /var/adm/logipf
/etc/ipfstat -i -h 2>/dev/null | grep -v "^0 " >> /var/adm/logipf
echo >> /var/adm/logipf

Recently I see an appalling number appearing in logipf:

Thu Jan 7 21:24:01 CST 2021
1254 pass in on net1 from any to any head 300

Thu Jan 7 21:33:04 CST 2021
276 pass in on net1 from any to any head 300

Thu Jan 7 21:54:01 CST 2021
515 pass in on net1 from any to any head 300

Thu Jan 7 22:07:01 CST 2021
1200118 pass in on net1 from any to any head 300

Thu Jan 7 22:43:00 CST 2021
810 pass in on net1 from any to any head 300

Thu Jan 7 22:57:00 CST 2021
425 pass in on net1 from any to any head 300

Thu Jan 7 23:07:02 CST 2021
379 pass in on net1 from any to any head 300

The rule in /etc/ipf.conf for head 300:

pass in on net1 all head 300
block in from 127.0.0.0/8 to any group 300
block in from 192.168.10.66/32 to any group 300
block in from 0.0.0.0/0xff000000 to any group 300

WTF 1.2 million packets received between Jan 7 21:54:01
and Jan 7 22:07:01?
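As an added example (not code from the post or from lock_sshd), a small Python parser for the format lock_sshd writes to /var/adm/logipf: it reads each `date` line and the `ipfstat -i -h` lines that follow it, converts the hit counts into packets per second per interval, and flags intervals far above the median. It assumes, as the post does, that each count covers only the time since the previous sample; the sample log below is constructed from the figures in the post.

```python
import re
import statistics
from datetime import datetime
# Constructed sample in the format lock_sshd appends to /var/adm/logipf:
# a `date` line, the non-zero lines of `ipfstat -i -h`, then a blank line.
SAMPLE_LOGIPF = """\
Thu Jan 7 21:33:04 CST 2021
276 pass in on net1 from any to any head 300

Thu Jan 7 21:54:01 CST 2021
515 pass in on net1 from any to any head 300

Thu Jan 7 22:07:01 CST 2021
1200118 pass in on net1 from any to any head 300

Thu Jan 7 22:43:00 CST 2021
810 pass in on net1 from any to any head 300
"""

DATE_RE = re.compile(r"^\w{3} (\w{3}) +(\d+) (\d\d:\d\d:\d\d) \w+ (\d{4})$")
RULE_RE = re.compile(r"^(\d+) (.+)$")  # "<hits> <rule text>" as ipfstat -h prints it

def parse_logipf(text):
    """Return a list of (timestamp, {rule_text: hits}) samples, one per `date` line."""
    samples = []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := DATE_RE.match(line):
            ts = datetime.strptime(" ".join(m.groups()), "%b %d %H:%M:%S %Y")
            samples.append((ts, {}))
        elif samples and (m := RULE_RE.match(line)):
            samples[-1][1][m.group(2)] = int(m.group(1))
    return samples

def packet_rates(samples, rule):
    """Packets per second in each interval. Assumes, as the post does, that each
    count covers only the time since the previous sample (counters restarted)."""
    rates = []
    for (t0, _), (t1, hits) in zip(samples, samples[1:]):
        secs = (t1 - t0).total_seconds()
        if secs > 0:  # skip duplicate or out-of-order timestamps
            rates.append((t1, hits.get(rule, 0) / secs))
    return rates

def spikes(rates, factor=10.0):
    """Intervals whose rate exceeds `factor` times the median rate of all intervals."""
    if not rates:
        return []
    med = statistics.median(r for _, r in rates)
    return [(t, r) for t, r in rates if r > factor * med]
```

Run against the sample, the 22:07:01 interval comes out at roughly 1,500 packets per second against a median below one, which is the kind of jump worth correlating with the SSHCHECK syslog entries before deciding whether it is a scan, a flood, or simply a rule reload that changed what the counter measures.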