Re: [cobalt-users] How to block

[Denny Jodeit <tech@xxxxxxxxx>]

Bob G7 wrote:

> I'm getting hammered by these in my /var/log/httpd/access log:
>
> www.domain.net adsl-65-70-187-38.dsl.rcsntx.swbell.net - -
> [13/Oct/2002:12:34:45 -0500] "GET /s
> cripts/root.exe?/c+dir HTTP/1.0" 302 228 "-" "-"
> www.domain.net adsl-65-70-187-38.dsl.rcsntx.swbell.net - -
> [13/Oct/2002:12:34:45 -0500] "GET /M
> SADC/root.exe?/c+dir HTTP/1.0" 302 226 "-" "-"
> www.domain.net adsl-65-70-187-38.dsl.rcsntx.swbell.net - -
> [13/Oct/2002:12:34:45 -0500] "GET /c
> /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 236 "-" "-"
> www.domain.net adsl-65-70-187-38.dsl.rcsntx.swbell.net - -
> [13/Oct/2002:12:34:46 -0500] "GET /d
> /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 236 "-" "-"
> www.domain.net adsl-65-70-187-38.dsl.rcsntx.swbell.net - -
> [13/Oct/2002:12:34:46 -0500] "GET /s
> cripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 252 "-" "-"
>
> I'm talking hundreds on entries like this. How can I block this ip address,
> the log file is getting huge, there non-stop hitting the server.
>
> I'm thinking in hosts.deny, but don't know the correct syntax to do it.
>
> Thanks
>
> _____________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>
> .
>
>  
Here's a sample of mine


#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#



ALL: 200.xxx.xxx.xxx
ALL: 212.xxx.xxx.xxx
ALL: 209.xxx.xxx.xxx