
Re: [cobalt-users] China Attacks Question



On Sun, 29 Apr 2001, Wayne Sagar wrote:

> ALL: 202.96.0.0/255.240.0.0
> 
> 
> I'm still seeing new hosts added to the list by portsentry from this
> particular block of addresses... specifically this one just now hitting
> port 98 202.107.226.92 shouldn't they be showing as "already blocked
> ignoring" rather than added?
> Is the their.host.ip.addy/their.host.ip.addy format correct in hosts.deny
> for adding a range of ip addresses or not? 

Uhh... you posted in HTML...

Keep in mind, hosts.deny / inetd just prevents those addresses from
making connections to services; it doesn't prevent the machine from
getting the packets, and it doesn't prevent portsentry from seeing
them. Basically, if someone from that address tried to telnet to your
machine you would refuse to connect, but you would still see the request
to connect...

If you want to really not see the packets, you have to send them 
elsewhere, eg via route reject, or ipchains...

PS: it's entirely possible that portsentry hasn't the slightest clue
what's in hosts.deny before it starts up; it keeps its own list of
addresses it has added....

I put the netmask list together cause the rev asked for it, not
necessarily cause it was an ideal solution ;)

Particularly, as has been pointed out, not all services use it for access
control... e.g. Apache.

You could, I suppose, convert the list into static null routes... the format
is similar...

ALL: 202.96.0.0/255.240.0.0

becomes

route add -net 202.96.0.0 netmask 255.240.0.0 reject

This will cause packets from that IP address range to be forwarded to
'nowhere' and even portsentry won't see them (usually).

(You will have to save that as a script and rerun on reboot)

Note that doing this also means you won't know if you are getting
flooded/bombed etc from that address...you won't see a thing...

gsh
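The conversion the reply sketches (an "ALL: net/mask" hosts.deny entry into a "route add ... reject" command), as an added example that is not part of the original post. The hosts.deny fragment is constructed for the example; the script only prints the commands, so the output can be reviewed and then saved as the boot-time script the reply mentions.

```shell
#!/bin/sh
# Added example, not from the cobalt-users thread: convert the netmask
# style entries of a hosts.deny list into "route add -net ... reject"
# commands. Nothing is applied; the commands are only printed.

# Convert one "ALL: a.b.c.d/w.x.y.z" line into a route reject command.
# Comments, single-host entries and other keys produce no output, since
# only the net/mask form maps onto a -net route.
hosts_deny_to_route() {
    line="$1"
    case "$line" in
        "ALL: "*.*.*.*/*.*.*.*) ;;
        *) return 0 ;;
    esac
    spec=${line#ALL:}
    spec=$(printf '%s' "$spec" | tr -d ' \t')   # strip surrounding blanks
    net=${spec%/*}                               # part before the slash
    mask=${spec#*/}                              # part after the slash
    printf 'route add -net %s netmask %s reject\n' "$net" "$mask"
}

# Run the converter over a whole list read from stdin (a hosts.deny file
# or a fragment of one); the last line is handled even without a newline.
convert_list() {
    while IFS= read -r l || [ -n "$l" ]; do
        hosts_deny_to_route "$l"
    done
}

# Constructed sample: the block from the thread, a comment, a single
# host (skipped: no mask) and a second netblock.
SAMPLE='# blocked netblocks
ALL: 202.96.0.0/255.240.0.0
ALL: 202.107.226.92
ALL: 10.0.0.0/255.0.0.0'

printf '%s\n' "$SAMPLE" | convert_list
```

Remember the caveat from the reply: once these routes are in place, traffic from those ranges vanishes before portsentry or the service logs see it, so the blocked list itself becomes your only record of what is being kept out.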