Re: [cobalt-users] Block access to incoming ip address
- Subject: Re: [cobalt-users] Block access to incoming ip address
- From: Ryan Verner <xfesty@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri Jan 2 02:29:01 2004
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
On 02/01/2004, at 8:39 PM, John K Mitchell wrote:
Hi there,
I've tried to find a solution for my question in the archives but
either I'm not looking with the right query or there is nothing
matching what I want.
I have a Raq4 with 2 IP addresses assigned to it. The first address
(let's say 111.222.333.444) is used for sites and the second address
(say 111.222.333.555) is used for a secondary nameserver.
Well, for one,
I'm noticing a lot of attempts to get into the server via ftp and
since these are all scans of addresses (i.e. logsentry shows the access
to the main IP address and then a second or so later to the other IP
address) I would like to block access from the offenders. I wondered
if I could do this by trapping anyone accessing the second ip address
and block them via IPCHAIN / host.deny.
Nice concept, but there's a major flaw with doing stuff like this; if
somebody 'spoofs' access to that IP from legitimate addresses, you're
going to block access to them. This could also occur by accident.
If you insist, though, iptables is much more suited for doing this kind
of stuff. You can put the 550 software on a RaQ4, and that certainly
has everything you'd need to do this. The exact ruleset I don't know
off the top of my head, but you'd be able to find something by googling.
With ipchains, you probably could script up something that tails a
log, and adds an ipchains deny rule for every matching IP it finds.
Again, I foresee this whole concept being disastrous, though.
R
--
linux.conf.au 2004 - Adelaide, Australia
http://lca2004.linux.org.au/
"Don't go, and you'll regret it!"
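
The log-tailing idea discussed in this thread, as an added example that is not part of the original messages: it picks block candidates from connections to the unused second address, but skips allowlisted networks and one-off hits so that an accidental or forged entry does not lock out a legitimate client. The log format, the addresses (documentation ranges), the allowlist and the threshold are all assumptions; the script only prints iptables commands and does not run them.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines; the format is assumed, not real logsentry output.
SAMPLE_LOG = """\
Jan  2 02:10:01 raq proftpd[811]: connect from 203.0.113.7 to 192.0.2.20
Jan  2 02:10:02 raq proftpd[812]: connect from 203.0.113.7 to 192.0.2.20
Jan  2 02:10:03 raq proftpd[813]: connect from 203.0.113.7 to 192.0.2.20
Jan  2 02:11:40 raq proftpd[820]: connect from 198.51.100.9 to 192.0.2.20
Jan  2 02:12:05 raq proftpd[825]: connect from 198.51.100.50 to 192.0.2.20
Jan  2 02:12:06 raq proftpd[826]: connect from 198.51.100.50 to 192.0.2.20
Jan  2 02:12:07 raq proftpd[827]: connect from 198.51.100.50 to 192.0.2.20
Jan  2 02:13:00 raq proftpd[830]: connect from 203.0.113.99 to 192.0.2.10
Jan  2 02:13:30 raq proftpd[831]: connect from 999.1.1.1 to 192.0.2.20
"""

LINE_RE = re.compile(r"connect from (\S+) to (\S+)")


def offenders(log_text, trap_ip, allow, threshold=3):
    """Return sources that hit trap_ip at least `threshold` times,
    excluding any address inside an allowlisted network."""
    allow_nets = [ipaddress.ip_network(n) for n in allow]
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(2) != trap_ip:
            continue  # only traffic to the trap address counts
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # never pass unparsed log text into a firewall command
        if any(src in net for net in allow_nets):
            continue  # known-good networks are never blocked
        hits[src] += 1
    return sorted(str(ip) for ip, n in hits.items() if n >= threshold)


def rules(ips):
    """Render one iptables drop rule per offending address (dry run)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    for r in rules(offenders(SAMPLE_LOG, "192.0.2.20", ["198.51.100.48/28"])):
        print(r)
```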