[cobalt-users] Block access to incoming ip address
- Subject: [cobalt-users] Block access to incoming ip address
- From: John K Mitchell <johnm@xxxxxxxxxxxxxxxxxxxx>
- Date: Fri Jan 2 02:10:01 2004
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Hi there,
I've tried to find a solution for my question in the archives but either
I'm not looking with the right query or there is nothing matching what I
want.
I have a Raq4 with 2 IP addresses assigned to it. The first address
(let's say 111.222.333.444) is used for sites and the second address (say
111.222.333.555) is used for a secondary nameserver.
I'm noticing a lot of attempts to get into the server via ftp and since
these are all scans of addresses (i.e. logsentry shows the access to the
main IP address and then a second or so later to the other IP address) I
would like to block access from the offenders. I wondered if I could do
this by trapping anyone accessing the second ip address and block them
via IPCHAIN / host.deny.
I know that I could block access to the second IP address (on eth0:1)
via IPCHAINS (allowing access to port 53 first) but this would still
allow the scans to take place - for example a couple of days ago I had
someone that tried several user names against both addresses and it
would be good to be able to "make the server disappear" in these
circumstances.
The server is running PortSentry / Logcheck and a set of IPCHAIN rules
that seems (fingers crossed) to work.
Can anyone help and point me in the right direction?
Cheers
John
--
John K Mitchell
Forest Software Ltd
Web sites for the smaller business and charity.
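
The decoy-address idea described in the message above, as an added example that is not part of the original post: it reads ipchains "Packet log:" lines and lists every source that touched the second address on anything other than port 53, formatted for hosts.deny or as ipchains rules. It assumes an ipchains rule with `-l` is logging traffic to that address; the function names are hypothetical, and the log lines and source addresses (documentation ranges) are constructed.

```shell
#!/bin/sh
# Added example. Assumes an ipchains rule with -l logs packets sent to the
# decoy address, producing kernel "Packet log:" lines in syslog.

# Print each TCP/UDP source that hit DECOY on any port except ALLOWED (default 53).
decoy_offenders() {
    awk -v decoy="$1" -v okport="${2:-53}" '
    /Packet log: / {
        for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) break
        if (i + 2 > NF) next                      # truncated or foreign line
        proto = substr($i, 7)
        if (proto != 6 && proto != 17) next       # ports only exist for TCP/UDP
        if (split($(i + 1), src, ":") != 2) next
        if (split($(i + 2), dst, ":") != 2) next
        # Only emit strictly numeric dotted quads so nothing else reaches a rule.
        if (src[1] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        if (dst[1] == decoy && dst[2] != okport && !(src[1] in seen)) {
            seen[src[1]] = 1
            print src[1]
        }
    }'
}

# Turn a list of addresses into hosts.deny entries (TCP wrappers).
to_hosts_deny() { sed 's/^/ALL: /'; }

# Turn a list of addresses into ipchains commands, printed for review, not run.
to_block_rules() {
    while read -r ip; do
        printf 'ipchains -I input 1 -s %s -j DENY\n' "$ip"
    done
}

# Constructed sample log; 111.222.333.555 is the post's placeholder decoy address.
sample_log() {
    cat <<'EOF'
Jan  2 01:58:11 raq kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.10:4021 111.222.333.444:21 L=60 S=0x00 I=4411 F=0x4000 T=52 SYN (#3)
Jan  2 01:58:12 raq kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.10:4022 111.222.333.555:21 L=60 S=0x00 I=4412 F=0x4000 T=52 SYN (#4)
Jan  2 01:59:40 raq kernel: Packet log: input ACCEPT eth0 PROTO=17 198.51.100.7:32770 111.222.333.555:53 L=71 S=0x00 I=905 F=0x0000 T=49 (#2)
Jan  2 02:03:05 raq kernel: Packet log: input ACCEPT eth0 PROTO=6 203.0.113.99:1188 111.222.333.555:23 L=60 S=0x00 I=77 F=0x4000 T=47 SYN (#4)
Jan  2 02:03:06 raq kernel: Packet log: input ACCEPT eth0 PROTO=6 203.0.113.99:1189 111.222.333.555:21 L=60 S=0x00 I=78 F=0x4000 T=47 SYN (#4)
EOF
}

sample_log | decoy_offenders 111.222.333.555 53 | to_hosts_deny
```

Review the generated list before applying it: UDP source addresses can be spoofed, so a decoy hit over UDP is weaker evidence than a TCP connection attempt.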