Date: Thu, 20 Feb 2003 21:00:06 -0800 (PST)
Message-Id: <200302210500.h1L506oC046611@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org

The following reply was made to PR misc/48444; it has been noted by GNATS.

From: Alan Batie
To: Giorgos Keramidas
Cc: bug-followup@freebsd.org
Subject: Re: misc/48444: change to count connection attempts instead of listing them
Date: Thu, 20 Feb 2003 20:57:30 -0800

On Fri, Feb 21, 2003 at 04:26:24AM +0200, Giorgos Keramidas wrote:
> : # sh listports.sh | head -6
> : RANK HITS PORT
> : 1 32 137
>
> Does this look like an interesting addition to periodic/security too?

I'm not familiar with ipfilter's output, but if possible, I would recommend ranking by source-ip:port, so that you can tell if someone in particular is hammering you. On the other hand, a DDOS attempt would be better shown by an aggregate, and if you see a high count, you can always go look at the log for the addresses, so I'll leave it to you guys which way you think is best...

-- 
Alan Batie                   ______    alan.batie.org                Me
alan at batie.org            \    /    www.qrd.org         The Triangle
PGPFP DE 3C 29 17 C0 49 7A    \  /     www.pgpi.com   The Weird Numbers
27 40 A5 3C 37 4A DA 52 B9     \/      spamassassin.taint.org  NO SPAM!
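
Added example, not part of the original message and not the listports.sh from the PR: the two rankings discussed above (aggregate per port, and per source), run over the same constructed records. The one-line-per-blocked-packet layout "src,sport -> dst,dport" is an assumed simplification, not ipfilter's real log format, and "source-ip:port" is read here as source address plus the port being hit.

```shell
#!/bin/sh
# Constructed sample (assumed layout, not real ipfilter output):
# one host hammering port 22, five different hosts probing port 137.
sample_log() {
cat <<'EOF'
203.0.113.5,40001 -> 192.0.2.10,22
203.0.113.5,40002 -> 192.0.2.10,22
203.0.113.5,40003 -> 192.0.2.10,22
203.0.113.5,40004 -> 192.0.2.10,22
198.51.100.1,137 -> 192.0.2.10,137
198.51.100.2,137 -> 192.0.2.10,137
198.51.100.3,137 -> 192.0.2.10,137
198.51.100.4,137 -> 192.0.2.10,137
198.51.100.5,137 -> 192.0.2.10,137
198.51.100.5,1026 -> 192.0.2.10,445
EOF
}

# Aggregate view: hits per destination port, highest first.
# A distributed probe shows up here even though each source appears once.
rank_by_port() {
    awk '{ split($3, d, ","); hits[d[2]]++ }
         END { for (p in hits) print hits[p], p }' |
    LC_ALL=C sort -k1,1nr -k2,2n |
    awk 'BEGIN { print "RANK HITS PORT" } { print NR, $1, $2 }'
}

# Per-source view: hits per (source address, destination port).
# A single host hammering one service rises to the top here.
rank_by_source() {
    awk '{ split($1, s, ","); split($3, d, ",")
           hits[s[1] " " d[2]]++ }
         END { for (k in hits) print hits[k], k }' |
    LC_ALL=C sort -k1,1nr -k2,2 -k3,3n |
    awk 'BEGIN { print "RANK HITS SOURCE PORT" } { print NR, $1, $2, $3 }'
}

# Show both tables for the constructed sample.
sample_log | rank_by_port
sample_log | rank_by_source
```

On this sample the port table ranks 137 first (5 hits from 5 sources), while the source table ranks 203.0.113.5 on port 22 first (4 hits).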