Skip to main content

Count of denied connections with iptables

In my iptables configurations, I generally allow all traffic I am interested in and deny the rest, logging anything that is denied.

I found that this can get a bit noisy with loads of connections to udp:137 and udp:500, etc. so I decided to deny the more common ports without logging. But which are the most common ports?

A typical log line looks like this:

Jan 12 09:42:01 b003 kernel: FAILSAFE -- DENY IN=bond0 OUT= MAC=00:26:b9:3d:fb:18:00:d0:c0:52:88:00:08:00 SRC=115.177.32.129 DST=a.b.c.d LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=22118 PROTO=TCP SPT=6643 DPT=20480 WINDOW=0 RES=0x00 ACK RST URGP=0

I wrote this perl one-liner to count no. of packets blocked per port:

perl -e 'while(<>) {if ($_ =~ /PROTO=([^ ]+).*DPT=([^ ]+)/) {$proto=$1 ; $port=$2; $count{"$proto:$port"}++}} foreach $key (sort { $count{$b} <=> $count{$a} } keys %count) {print "$key: $count{$key}\n"}' /var/log/messages | head -10

Sample output:

UDP:137: 226619
UDP:500: 107056
UDP:33436: 25244
UDP:33435: 22203
UDP:33437: 16035
TCP:20480: 10782
TCP:30080: 8291
UDP:33438: 8162
UDP:33439: 7268
UDP:33440: 5885

Labels:

Comments

Post a Comment

Popular posts from this blog

Python logging with rich - writing to stderr - plain output when writing to file

Rich is a Python library for writing rich text (with color and style) to the terminal, and for displaying advanced content such as tables, markdown, and syntax highlighted code. Rich provides RichHandler , a logging handler for python's logging module which will format and colorize text written by the module. However, RichHandler writes to stdout by default. More specifically, it writes to a rich Console object which, by default, writes to stdout. To make RichHandler write to stderr by default, you must pass in a Console object which has been configured to write to stderr: import logging from rich.console import Console from rich.logging import RichHandler DATEFMT = "%Y-%m- %d T%H:%M:%SZ" FORMAT = " %(message)s " logging . basicConfig( level = "NOTSET" , format = FORMAT, datefmt = DATEFMT, handlers = [RichHandler(console = Console(stderr = True ))], ) logger = logging . getLogger(__name__) logger . i...
Post a Comment
Read more

Fix python import order on save in vim with ruff and ale

My IDE of choice is vim. I use various tools to perform linting and code formatting, and configure them all with ALE  (the Asynchronous Lint Engine). After using several discrete tools ( black , isort , flake8 , etc) I have settled on using Ruff to do my python code formatting and linting. Here's the relevant fragment of my ALE config in my .vimrc: " ALE config let g :ale_fixers = { \ 'python' : [ 'ruff' , 'ruff_format' ], \} let g :ale_linters = { \ 'python' : [ 'ruff' ], \} let g :ale_python_ruff_use_global = 1 One of the last remaining wrinkles I had was getting Ruff to automatically sort import statements. Sorting imports is performed by the Ruff linter, not the formatter, which is documented here . The fix on the command line is to add an option, like this: ruff check --select I --fix The difficulty I had was getting this to happen in the editor when the file was saved. It turns out, all I needed to do was ...
Post a Comment
Read more

Escaping special characters in wget username or password

I recently offered to help out with the hosting of a WordPress  site. It’s currently hosted somewhere with no shell access – just ftp – and there are a lot of images to transfer. I quickly figured out I could use wget to mirror the site, using something like: wget -m ftp://username:password@example.com However, this broke in this case because the username for the site contained an @ character (the username was user@example.com ). Turns out the solution was to encode the special chars using HTML notation. This is the command that did the trick: wget -m ftp://user%40example.com:password@example.com
Post a Comment
Read more