
Re: [cobalt-users] Re: [cobaltfacts] Blocking Out The Noise/Script/FTP kids



----- Original Message -----
From: "Mailing List" <listonly@xxxxxxxxxxxxxxxxxxxx>
To: <cobaltfacts@xxxxxxxxxxxxxxxxxxxx>; "Mailing List"
<listonly@xxxxxxxxxxxxxxxxxxxx>
Cc: "Cobalt Users" <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Tuesday, December 03, 2002 7:17 AM
Subject: [cobalt-users] Re: [cobaltfacts] Blocking Out The Noise/Script/FTP kids


> On 12/3/02 7:12 AM, "Mailing List" wrote:
>
> > If I have a whole class say from 216.75.160.0 - 219.75.191.255 (Yes this is an offender) what do I place in the hosts.deny?? Would this work?
> >
> > FTP: 21.75.160.0/19
>
> Man did I screw that up!
>
> If I have a whole class say from 216.75.160.0 - 216.75.191.255 (Yes this is an offender) what do I place in the hosts.deny?? Would this work?
>
> FTP: 216.75.160.0/19
> --
> Thanks!!
> David Thurman
> List Only at Web Presence Group Net
>
>
This seems to work well on the RaQ4 for INET services:
In the hosts.deny file put this: (This will deny everyone)
ALL: ALL

Then in the hosts.allow I put in the ISP of whoever I allow to use INET services that are TCP-wrapped.
The first entry might be your network addy... (this lets in you and yours)
ALL: 127.0.0.0
ALL: 123.123.123.123
ALL: part or some isp string...

This has helped a ton with the FTP attacks.. Then check for any errors in /home/log/httpd... and /var/log... etc., in case you blocked something wrong..
No reboot or restart is needed, as the hosts files are read only ASCII text files.

Then a perl script logs client IPs or ISPs (for the hosts.allow), and the bad stuff that is blocked is listed on a web page in case someone gets locked out by mistake or doesn't get their dose of spam for the day. The hosts... files have no effect on httpd access, so you may need to block further script kiddies or CGI scripts using other methods.

The proof it's working!
Now you will see this in a cat /var/log/secure | grep refused command:

Dec  3 09:48:56 www in.proftpd[14099]: refused connect from 81.1.194.11
Dec  3 09:48:56 www in.proftpd[14100]: refused connect from 81.1.194.11
Dec  3 09:48:56 www in.proftpd[14101]: refused connect from 81.1.194.11
Dec  3 09:48:56 www in.proftpd[14102]: refused connect from 81.1.194.11
Dec  3 09:48:57 www in.proftpd[14093]: refused connect from 81.1.194.11
Dec  3 09:48:58 www in.proftpd[14092]: refused connect from 81.1.194.11
Dec  3 09:48:58 www in.proftpd[14094]: refused connect from 81.1.194.11
Dec  3 09:48:58 www in.proftpd[14095]: refused connect from 81.1.194.11
Dec  3 09:48:58 www in.proftpd[14097]: refused connect from 81.1.194.11
Dec  3 09:48:58 www in.proftpd[14096]: refused connect from 81.1.194.11
Dec  3 09:48:58 www in.proftpd[14098]: refused connect from 81.1.194.11
Dec  3 09:55:29 www in.proftpd[14393]: refused connect from 81.1.194.11
after a common kiddie probe... instead of the old message that will scare
the hair off of you..
Like they logged in and had a late night party that lasted all day..

tail -200 /var/log/xferlog  as root
This command shows who really did an FTP login and transfer or delete.

tail -200 /var/log/secure
This command shows some other info too that relates..

My 2 cents worth..
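As an added example (not from this message or anyone on the list), here is a Python script that parses the "refused connect" lines tcp_wrappers writes to /var/log/secure, counts them per source, and checks each source against the /19 range asked about in the quoted post; the log lines, the 216.75.170.4 source and the accepted 123.123.123.123 connection are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample in the shape tcp_wrappers writes to /var/log/secure;
# "refused connect" is what a hosts.deny match logs, "connect from" an accept.
SAMPLE_SECURE_LOG = """\
Dec  3 09:48:56 www in.proftpd[14099]: refused connect from 81.1.194.11
Dec  3 09:48:56 www in.proftpd[14100]: refused connect from 81.1.194.11
Dec  3 09:48:58 www in.proftpd[14092]: refused connect from 81.1.194.11
Dec  3 09:55:29 www in.proftpd[14393]: refused connect from 81.1.194.11
Dec  3 10:02:11 www in.proftpd[14501]: refused connect from 216.75.170.4
Dec  3 10:02:12 www in.telnetd[14502]: refused connect from 216.75.170.4
Dec  3 10:30:00 www in.proftpd[14600]: connect from 123.123.123.123
"""

REFUSED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<svc>[\w.]+)\[\d+\]: "
    r"refused connect from (?P<ip>\d+\.\d+\.\d+\.\d+)$"
)

def parse_refused(log_text, year=2002):
    """Yield (timestamp, service, ip) per refusal; syslog has no year."""
    for line in log_text.splitlines():
        m = REFUSED_RE.match(line)
        if not m:
            continue  # accepted connections and unrelated lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["svc"], ip_address(m["ip"])

def summarize(log_text, deny_nets=(), year=2002):
    """Per-source hit count, services probed, time span, and whether the
    source falls inside one of the given hosts.deny network ranges."""
    nets = [ip_network(n) for n in deny_nets]
    out = defaultdict(lambda: {"hits": 0, "services": set(), "first": None,
                               "last": None, "in_range": False})
    for ts, svc, ip in parse_refused(log_text, year):
        s = out[str(ip)]
        s["hits"] += 1
        s["services"].add(svc)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        s["in_range"] = any(ip in n for n in nets)
    return dict(out)

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_SECURE_LOG, ["216.75.160.0/19"]).items():
        print(ip, s["hits"], sorted(s["services"]), s["in_range"])
```

A source that racks up many refusals across several wrapped services in a short span is the pattern worth eyeballing before widening a deny range.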
