I have ipfilter set up on a SCO UNIX system and have scripted lock_sshd, which monitors all ssh connection attempts and blocks failed logins from hackers scanning public IPs for an open SSH port to hack. Lock_sshd adds a rule to the /etc/ipf.conf file for the offending IP and generates a syslog entry for the block:
Jan 7 22:07:01 host1 SSHCHECK: Added ipf block on port 22 from 185.143.223.136 for SSH abuse
As part of the reporting, lock_sshd populates the /var/adm/logipf file with the commands:
date >> /var/adm/logipf
/etc/ipfstat -i -h 2>/dev/null | grep -v "^0 " >> /var/adm/logipf
echo >> /var/adm/logipf
Recently I have seen an appalling number appear in logipf:
Thu Jan 7 21:24:01 CST 2021
1254 pass in on net1 from any to any head 300
Thu Jan 7 21:33:04 CST 2021
276 pass in on net1 from any to any head 300
Thu Jan 7 21:54:01 CST 2021
515 pass in on net1 from any to any head 300
Thu Jan 7 22:07:01 CST 2021
1200118 pass in on net1 from any to any head 300
Thu Jan 7 22:43:00 CST 2021
810 pass in on net1 from any to any head 300
Thu Jan 7 22:57:00 CST 2021
425 pass in on net1 from any to any head 300
Thu Jan 7 23:07:02 CST 2021
379 pass in on net1 from any to any head 300
The rules in /etc/ipf.conf for head 300:
pass in on net1 all head 300
block in from 127.0.0.0/8 to any group 300
block in from 192.168.10.66/32 to any group 300
block in from 0.0.0.0/0xff000000 to any group 300
WTF, 1.2 million packets received between Jan 7 21:54:01 and Jan 7 22:07:01?
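An added example, not part of the original post or of lock_sshd: a POSIX sh function that reads the logipf format shown above and flags any snapshot whose head-300 hit count, divided by the seconds since the previous snapshot, exceeds a packets-per-second threshold. It assumes, as the question does, that each count covers only the interval since the previous snapshot; the sample input is constructed from the entries above.

```shell
# Constructed sample in the /var/adm/logipf format from the question:
# a `date` line, one or more `ipfstat -i -h` rule lines, then a blank line.
SAMPLE_LOGIPF='Thu Jan 7 21:24:01 CST 2021
1254 pass in on net1 from any to any head 300

Thu Jan 7 21:54:01 CST 2021
515 pass in on net1 from any to any head 300

Thu Jan 7 22:07:01 CST 2021
1200118 pass in on net1 from any to any head 300

Thu Jan 7 22:43:00 CST 2021
810 pass in on net1 from any to any head 300
'

# hms_to_secs HH:MM:SS -> seconds since midnight. Leading zeros are
# stripped so "08" is not parsed as an octal number by the shell.
hms_to_secs() {
    h=${1%%:*}; rest=${1#*:}; m=${rest%%:*}; s=${rest#*:}
    h=${h#0}; m=${m#0}; s=${s#0}
    echo $(( ${h:-0} * 3600 + ${m:-0} * 60 + ${s:-0} ))
}

# flag_spikes THRESHOLD_PPS < logipf: divide each rule hit count by the seconds
# since the previous snapshot (assumed to be the interval the count covers)
# and print a SPIKE line when the rate exceeds THRESHOLD_PPS.
flag_spikes() {
    threshold=$1; prev=""; snap=""; snap_hms=""
    while IFS= read -r line; do
        case "$line" in
            "") ;;                          # blank separator between snapshots
            [0-9]*)                         # "<count> pass in on net1 ... head 300"
                [ -n "$prev" ] || continue  # first snapshot has no interval
                count=${line%% *}; elapsed=$(( snap - prev ))
                [ "$elapsed" -gt 0 ] || elapsed=$(( elapsed + 86400 ))  # midnight wrap
                rate=$(( count / elapsed ))
                if [ "$rate" -gt "$threshold" ]; then
                    printf 'SPIKE at %s: %s packets in %ss (%s pkt/s) on rule "%s"\n' \
                        "$snap_hms" "$count" "$elapsed" "$rate" "${line#* }"
                fi
                ;;
            *)                              # "Thu Jan 7 22:07:01 CST 2021" -> field 4
                set -- $line
                prev=$snap; snap_hms=$4; snap=$(hms_to_secs "$4")
                ;;
        esac
    done
}

printf '%s' "$SAMPLE_LOGIPF" | flag_spikes 100
```

Run against the real file with `flag_spikes 100 < /var/adm/logipf`; the threshold is a constructed value to tune for the host's normal traffic.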