In my iptables configurations, I generally allow all traffic I am interested in and deny the rest, logging anything that is denied.

I found that this can get a bit noisy with loads of connections to udp:137 and udp:500, etc. so I decided to deny the more common ports without logging. But which are the most common ports?

A typical log line looks like this:

Jan 12 09:42:01 b003 kernel: FAILSAFE -- DENY IN=bond0 OUT= MAC=00:26:b9:3d:fb:18:00:d0:c0:52:88:00:08:00 SRC= DST=a.b.c.d LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=22118 PROTO=TCP SPT=6643 DPT=20480 WINDOW=0 RES=0x00 ACK RST URGP=0

I wrote this perl one-liner to count no. of packets blocked per port:

perl -e 'while(<>) {if ($_ =~ /PROTO=([^ ]+).*DPT=([^ ]+)/) {$proto=$1 ; $port=$2; $count{"$proto:$port"}++}} foreach $key (sort { $count{$b} <=> $count{$a} } keys %count) {print "$key: $count{$key}\n"}' /var/log/messages | head -10

Sample output:

UDP:137: 226619
UDP:500: 107056
UDP:33436: 25244
UDP:33435: 22203
UDP:33437: 16035
TCP:20480: 10782
TCP:30080: 8291
UDP:33438: 8162
UDP:33439: 7268
UDP:33440: 5885

Leave a reply

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>