Re: [cobalt-users] Block access to incoming ip address
- Subject: Re: [cobalt-users] Block access to incoming ip address
- From: John K Mitchell <johnm@xxxxxxxxxxxxxxxxxxxx>
- Date: Fri Jan 2 02:53:01 2004
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Hi Ryan,
Thanks for the prompt reply.
I've tried to find a solution for my question in the archives but
either I'm not looking with the right query or there is nothing
matching what I want.
I have a Raq4 with 2 IP addresses assigned to it. The first address
(let's say 111.222.333.444) is used for sites and the second address
(say 111.222.333.555) is used for a secondary nameserver.
> > Well, for one,
> > I'm noticing a lot of attempts to get into the server via ftp and
> > since these are all scans of addresses (i.e. logsentry shows the access
> > to the main IP address and then a second or so later to the other IP
> > address) I would like to block access from the offenders. I wondered
> > if I could do this by trapping anyone accessing the second ip address
> > and block them via IPCHAIN / host.deny.
> Nice concept, but there's a major flaw with doing stuff like this; if
> somebody 'spoofs' access to that IP from legitimate addresses, you're
> going to block access to them. This could also occur by accident.
But surely the same thing applies if PortSentry traps and blocks an IP
address? It is for this reason that the firewall is restarted
periodically to clear down the IPCHAIN rules that are added by
PortSentry and the host.deny file is cleared down (well most of it -
there are a few records that are kept in the file permanently)
> If you insist, though, iptables is much more suited for doing this kind
> of stuff. You can put the 550 software on a RaQ4, and that certainly
> has everything you'd need to do this. The exact ruleset I don't know
> off the top of my head, but you'd be able to find something by googling.
Can the 550 software be loaded remotely? The server is about 100 miles
away in a farm.
> With ipchains, you probably could script up something that tails a
> log, and adds an ipchains deny rule for every matching IP it finds.
> Again, I foresee this whole concept being disastrous, though.
I see what the problem could be here and appreciate it being pointed
out, it's just that having been hacked about 6 months ago, I get a little
paranoid about people trying to get into the server. And before anyone
asks, yes, the server was fully patched at the time and no, I do not know
how they got in.
Cheers
John
--
John K Mitchell
Forest Software Ltd
Web sites for the smaller business and charity.
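The approach discussed in the thread (tail a log, add a deny rule for every address that shows up, keyed on hits to the secondary IP so ordinary site visitors are never touched) as an added, runnable sketch. This is not code from the thread, from Sun Cobalt, or from the RaQ software; it assumes a constructed "connect from SRC to DST" log format standing in for /var/log/messages, the decoy address taken from the post (which is not a valid dotted quad and would be replaced with the real one), a hypothetical TRUSTED allowlist, and a dry-run mode that prints the firewall command instead of running it. The allowlist and the matching delete rule are there for the two concerns raised in the reply: a spoofed or accidental hit must not lock the admin out of a box 100 miles away, and the rules need to be cleared down periodically.

```shell
#!/bin/sh
# Added example (not from the original thread or from Sun Cobalt): a log-driven
# blocker that only acts on sources which touched the decoy/secondary address.
#
# Assumptions (all constructed for this example, none read from a real RaQ4):
#   - log lines follow the "connect from SRC to DST" shape of SAMPLE_LOG below;
#   - DECOY_IP is the secondary address quoted in the post (replace with a real one);
#   - TRUSTED is an allowlist of your own addresses so you cannot lock yourself out;
#   - DRY_RUN=1 prints the firewall command instead of executing it.

DECOY_IP="111.222.333.555"
TRUSTED="10.0.0.5 192.168.1.10"      # hypothetical admin/monitoring hosts
FIREWALL="iptables"                  # or "ipchains" on the stock RaQ4 kernel
DRY_RUN=1

# Constructed sample log; 203.0.113.7 scans both addresses, 10.0.0.5 is trusted.
SAMPLE_LOG='Jan  2 02:40:11 raq4 in.ftpd[1234]: connect from 203.0.113.7 to 111.222.333.444
Jan  2 02:40:12 raq4 in.ftpd[1235]: connect from 203.0.113.7 to 111.222.333.555
Jan  2 02:41:03 raq4 in.ftpd[1240]: connect from 10.0.0.5 to 111.222.333.555
Jan  2 02:42:55 raq4 in.ftpd[1251]: connect from 198.51.100.9 to 111.222.333.555
Jan  2 02:43:00 raq4 in.ftpd[1252]: connect from 203.0.113.7 to 111.222.333.555'

# is_trusted IP: succeed (status 0) if IP is on the allowlist.
is_trusted() {
    for t in $TRUSTED; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# offenders: read log lines on stdin and print each source that connected to the
# decoy address, once, in first-seen order, skipping allowlisted addresses.
# Hits on the main (site) address are ignored, so normal visitors never match.
offenders() {
    awk -v decoy="$DECOY_IP" '
        /connect from/ {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from") src = $(i + 1)
                if ($i == "to")   dst = $(i + 1)
            }
            if (src != "" && dst == decoy && !seen[src]++) print src
        }' | while read -r ip; do
            is_trusted "$ip" || printf '%s\n' "$ip"
        done
}

# fw_rule add|del IP: build the insert (add) or matching delete (del) rule that
# drops all input from IP; run it unless DRY_RUN is set, in which case print it.
# The "del" form is what a periodic clear-down job would call for each entry.
fw_rule() {
    case "$FIREWALL:$1" in
        ipchains:add) cmd="ipchains -I input -s $2 -j DENY" ;;
        ipchains:del) cmd="ipchains -D input -s $2 -j DENY" ;;
        *:add)        cmd="iptables -I INPUT -s $2 -j DROP" ;;
        *:del)        cmd="iptables -D INPUT -s $2 -j DROP" ;;
    esac
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$cmd"
    else
        $cmd
    fi
}

# Batch run over the sample log. For live use, feed offenders from
# `tail -F /var/log/messages` instead of the printf and set DRY_RUN=0.
main() {
    printf '%s\n' "$SAMPLE_LOG" | offenders | while read -r ip; do
        fw_rule add "$ip"
    done
}

main
```

Run as-is it prints one DROP rule each for 203.0.113.7 and 198.51.100.9 (both RFC 5737 documentation addresses) and nothing for the allowlisted 10.0.0.5; the first 203.0.113.7 line is ignored because it hit the site address, not the decoy. Before switching DRY_RUN off on a remote box, make sure your own source address is in TRUSTED and that the clear-down job calls `fw_rule del` for every address it added.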