Control shorewall logging

NethServer Version: 7.8.2003
Module: shorewall
We have an idiot who has been trying to crack port 33895 for days. They have not succeeded, but the issue is that the firewall.log is growing and messages appear on the main console. So far nothing like setting the verbosity of the log has worked. So it is great the firewall is withstanding the attack.

How can we stop the log issue? TIA

```
Nov 28 12:23:47 srv-sb kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=52:13:4b:32:63:21:0c:9d:92:4d:94:78:08:00 SRC=80.245.244.38 DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=2539 DF PROTO=TCP SPT=52735 DPT=33895 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 28 12:24:13 srv-sb kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=52:13:4b:32:63:21:0c:9d:92:4d:94:78:08:00 SRC=92.255.12.142 DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=4835 DF PROTO=TCP SPT=63535 DPT=33895 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 28 12:24:16 srv-sb kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=52:13:4b:32:63:21:0c:9d:92:4d:94:78:08:00 SRC=92.255.12.142 DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=648 DF PROTO=TCP SPT=63535 DPT=33895 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 28 12:24:19 srv-sb kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=52:13:4b:32:63:21:0c:9d:92:4d:94:78:08:00 SRC=80.245.244.38 DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=21052 DF PROTO=TCP SPT=54602 DPT=33895 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 28 12:24:46 srv-sb kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=52:13:4b:32:63:21:0c:9d:92:4d:94:78:08:00 SRC=92.255.12.142 DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=20723 DF PROTO=TCP SPT=64885 DPT=33895 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 28 12:24:49 srv-sb kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=52:13:4b:32:63:21:0c:9d:92:4d:94:78:08:00 SRC=92.255.12.142 DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=16845 DF PROTO=TCP SPT=64885 DPT=33895 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 28 12:25:19 srv-sb kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=52:13:4b:32:63:21:0c:9d:92:4d:94:78:08:00 SRC=92.255.12.142 DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=4810 DF PROTO=TCP SPT=49853 DPT=33895 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 28 12:25:22 srv-sb kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=52:13:4b:32:63:21:0c:9d:92:4d:94:78:08:00 SRC=92.255.12.142 DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=815 DF PROTO=TCP SPT=49853 DPT=33895 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 28 12:25:24 srv-sb kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=52:13:4b:32:63:21:0c:9d:92:4d:94:78:08:00 SRC=80.245.244.38 DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=26265 DF PROTO=TCP SPT=58407 DPT=33895 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 28 12:25:52 srv-sb kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=52:13:4b:32:63:21:0c:9d:92:4d:94:78:08:00 SRC=92.255.12.142 DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=20747 DF PROTO=TCP SPT=51194 DPT=33895 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 28 12:25:53 srv-sb kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=52:13:4b:32:63:21:0c:9d:92:4d:94:78:08:00 SRC=80.245.244.38 DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=1848 DF PROTO=TCP SPT=60310 DPT=33895 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 28 12:25:55 srv-sb kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=52:13:4b:32:63:21:0c:9d:92:4d:94:78:08:00 SRC=92.255.12.142 DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=16373 DF PROTO=TCP SPT=51194 DPT=33895 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 28 12:25:56 srv-sb kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=52:13:4b:32:63:21:0c:9d:92:4d:94:78:08:00 SRC=80.245.244.38 DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=13001 DF PROTO=TCP SPT=60310 DPT=33895 WINDOW=8192 RES=0x00 SYN URGP=0
```
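The kernel log format quoted above, parsed and tallied so the source/port pairs responsible for the noise stand out before a dedicated rule is written for them. This is an added example, not NethServer or Shorewall code; the sample lines are constructed in the same format using documentation addresses.

```python
# Added example for this thread (not NethServer or Shorewall code): parse the
# "Shorewall:<chain>:<action>:" kernel log format shown above and tally DROPs per
# source and destination port, so the noisy flow can get its own non-logging rule.
import re
from collections import Counter

# Netfilter prints SRC, DST, ... PROTO, then SPT/DPT for TCP/UDP only; ICMP lines have no DPT.
LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):.*?"
    r"\bSRC=(?P<src>\S+).*?\bDST=(?P<dst>\S+).*?"
    r"\bPROTO=(?P<proto>\S+)(?:.*?\bDPT=(?P<dpt>\d+))?"
)

def parse_line(line):
    """Return the interesting fields as a dict, or None for non-Shorewall lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec

def count_drops(lines):
    """Count logged DROPs per (src, proto, dpt); ACCEPT/REJECT and other syslog lines are ignored."""
    per_flow = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["action"] == "DROP":
            per_flow[(rec["src"], rec["proto"], rec["dpt"])] += 1
    return per_flow

def noisy_flows(lines, threshold):
    """Flows logged at least `threshold` times, most frequent first."""
    return [(k, n) for k, n in count_drops(lines).most_common() if n >= threshold]

# Constructed sample lines in the thread's format (documentation addresses only).
PFX = "Nov 28 12:24:13 srv-sb kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 "
SAMPLE = [
    PFX + "SRC=203.0.113.10 DST=192.0.2.2 LEN=52 TTL=115 ID=2539 DF PROTO=TCP SPT=52735 DPT=33895 SYN",
    PFX + "SRC=198.51.100.7 DST=192.0.2.2 LEN=52 TTL=114 ID=4835 DF PROTO=TCP SPT=63535 DPT=33895 SYN",
    PFX + "SRC=198.51.100.7 DST=192.0.2.2 LEN=52 TTL=114 ID=648 DF PROTO=TCP SPT=63535 DPT=33895 SYN",
    PFX + "SRC=203.0.113.10 DST=192.0.2.2 LEN=52 TTL=115 ID=21052 DF PROTO=TCP SPT=54602 DPT=33895 SYN",
    PFX + "SRC=198.51.100.7 DST=192.0.2.2 LEN=52 TTL=114 ID=20723 DF PROTO=TCP SPT=64885 DPT=33895 SYN",
    PFX + "SRC=198.51.100.7 DST=192.0.2.2 LEN=84 TTL=114 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
    "Nov 28 12:24:21 srv-sb kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.2 PROTO=TCP SPT=40000 DPT=443 SYN",
    "Nov 28 12:24:22 srv-sb sshd[1234]: Accepted publickey for admin from 192.0.2.50",
]
if __name__ == "__main__":
    for (src, proto, dpt), n in noisy_flows(SAMPLE, threshold=2):
        print(f"{src} -> {proto}/{dpt}: {n} drops")
```

Run against the real file (for instance `noisy_flows(open("/var/log/firewall.log"), 50)`) to see which source/port pairs deserve a dedicated drop rule rather than the logging default policy.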

A quick and dirty trick is to create a new service object (for instance, fakerdp, port TCP 33895) and use it in a firewall rule (from RED to firewall/any, service fakerdp, drop).

In system settings there are options for logs (compress logs…).

Same firewall messages or different ones?


Maybe helpful:


Thank you @mrmarkuz. The port they were trying to get in on was one we had been using for RDP to a LAN workstation. That noise dropped once we closed the router port. Great, but then they switched SRC address and DPT, though it was a whole lot quieter than it was.
Have added the printk adjustment, and in case anyone is curious what the numbers are:

```
                     CUR  DEF  MIN  BTDEF
0 - emergency        x              x                        
1 - alert            x         x    x
2 - critical         x              x
3 - error            x              x
4 - warning          x    x         x
5 - notice           x              x
6 - informational    V              V
7 - debug            
```

Thank you for the hints.
