Hi,

I've recently blocked a bunch of IP addresses from a country with a red flag, one big golden star in the top left corner and 4 smaller stars next to it, building the shape of a semicircle.
Many rules in /etc/shorewall/blacklist are valid and effective, like e.g.

208.115.192.0/18
216.245.192.0/19
221.200.0.0/14

I can see blacklist logs in syslog.

But I have one rule that doesn't block requests:

58.208.0.0/12

I have for sure restarted shorewall (using Shorewall-4.4.11.2), but I still get port scans and http requests from 58.218.199.227.

An iptables -L -n shows the entry in the blacklist:

Chain blacklog (34 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:blacklst:DROP:'
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain blacklst (14 references)
target     prot opt source               destination
blacklog   all  --  58.208.0.0/12        0.0.0.0/0

I have for sure equipped all external interfaces with the blacklist option:

net   ppp0    -        blacklist
net   ppp1    -        blacklist
net   ippp1   -        blacklist
net   ippp0   -        blacklist
net   tun1    -        blacklist
net   tun2    -        blacklist
vpn   tun3    -        blacklist
loc   eth0    detect
loc   eth1    detect
loc   eth2    detect

And BTW, the 58.208... reference is the only one in iptables -L -n.

How can I for sure block that IP? I thought it was included in the above rule.
Do I have to worry about my kernel being tainted?

Thanks for any hints
Regards
Michael
On Jan 30, 2012, at 1:29 PM, Michael Kress wrote:

> Hi,
>
> I've recently blocked a bunch of IP addresses from a country with a red
> flag, one big golden star in the top left corner and 4 smaller stars
> next to it, building the shape of a semi circle.
> Many rules in /etc/shorewall/blacklist are valid and effective, like e.g.
> 208.115.192.0/18
> 216.245.192.0/19
> 221.200.0.0/14
> I can see blacklist logs in syslog.
>
> But I have one rule that doesn't block requests:
> 58.208.0.0/12
>
> I have for sure restarted shorewall (using Shorewall-4.4.11.2), but I
> still get port scans and http requests from
> 58.218.199.227

Where are you seeing those requests? Can you show us an example?

-Tom

Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On 30.01.2012 22:55, Tom Eastep wrote:
> On Jan 30, 2012, at 1:29 PM, Michael Kress wrote:
>
>> But I have one rule that doesn't block requests:
>> 58.208.0.0/12
>>
>> I have for sure restarted shorewall (using Shorewall-4.4.11.2), but I
>> still get port scans and http requests from
>> 58.218.199.227
>
> Where are you seeing those requests? Can you show us an example?

Found it e.g. in the access_log of apache httpd, which has also been restarted:

58.218.199.227 - - [30/Jan/2012:10:17:03 +0100] "GET http://www.hardjob.net/proxyheader.php HTTP/1.1" 404 293
58.218.199.227 - - [30/Jan/2012:12:13:49 +0100] "GET http://www.mr179.com/proxyheader.php HTTP/1.1" 404 291
58.218.199.227 - - [30/Jan/2012:18:06:00 +0100] "GET http://www.sharkspear.info/proxyheader.php HTTP/1.1" 404 297
58.218.199.227 - - [30/Jan/2012:20:05:34 +0100] "GET http://cobebizs.com/proxyheader.php HTTP/1.1" 404 290
58.218.199.250 - - [30/Jan/2012:21:17:43 +0100] "GET http://cobebizs.com/proxyheader.php HTTP/1.1" 404 290
58.218.199.227 - - [30/Jan/2012:22:02:42 +0100] "GET http://cobebizs.com/proxyheader.php HTTP/1.1" 404 290

I'm now trying to put in

58.218.199.227/32
58.218.199.250/32

as a remedy - we'll see.

Regards
Michael
On 30.01.2012 22:29, Michael Kress wrote:
> I have for sure equipped all external interfaces with the blacklist option:
> net ppp0 - blacklist
> net ppp1 - blacklist
> net ippp1 - blacklist
> net ippp0 - blacklist
> net tun1 - blacklist
> net tun2 - blacklist
> vpn tun3 - blacklist
> loc eth0 detect
> loc eth1 detect
> loc eth2 detect

OK, I think I've found the configuration fault ... the requests obviously came in over eth0 (I've told apache to also log the local interface, but there has been no request yet since then; either that trap or syslog (blacklisted packet) will tell). But I've made similar tests and those were successful. In my case, connections that come over eth0 come from outside on my home DSL router and then get forwarded to eth0. The others are different VPN channels, and for THOSE, the blacklists ARE active.
That should be it.

Thanks & regards
Michael
On 31.01.2012 01:39, Michael Kress wrote:
> On 30.01.2012 22:29, Michael Kress wrote:
>> loc eth0 detect
>> loc eth1 detect
>> loc eth2 detect
>
> OK, I think I've found the configuration fault ... the requests
> obviously came in over eth0 (I've told apache to also log the local
> interface, but there has been no request yet since then; either that
> trap or syslog (blacklisted packet) will tell). But I've made similar
> tests and those were successful. In my case, connections that come
> over eth0 come from outside on my home DSL router and then get
> forwarded to eth0. The others are different VPN channels, and for
> THOSE, the blacklists ARE active.
> That should be it.

Oops, sorry, and the ACTUAL solution is to also blacklist the ethx devices, i.e.

loc   eth0   detect   blacklist
loc   eth1   detect   blacklist
loc   eth2   detect   blacklist

Regards
Michael
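The root cause in this thread is easy to miss because the blacklst chain and the 58.208.0.0/12 entry look correct in iptables -L -n: the blacklist file is only consulted for packets arriving on an interface that carries the "blacklist" option, so an address can match a blacklist entry and still reach Apache over an interface without that option. The following script is an added example, not part of the thread and not Shorewall's own code. It reads a minimal form of /etc/shorewall/interfaces and /etc/shorewall/blacklist, pulls client IPs out of the Apache access_log lines posted earlier in the thread, and reports, per client, whether the address is covered by a blacklist entry and whether it would actually be dropped on a given ingress interface. The file contents and log lines are constructed from what was posted; the parser is a deliberately small reader (no ?FORMAT lines, no "ppp+" wildcards, no ipset entries) meant for diagnosis, not a reimplementation of Shorewall's configuration compiler.

```python
import ipaddress
import re

# All sample data below is constructed from what was posted in the thread.

# /etc/shorewall/interfaces as first posted: the "loc" interfaces have no
# "blacklist" option. Columns: ZONE INTERFACE BROADCAST OPTIONS.
INTERFACES_BEFORE = """\
net   ppp0    -        blacklist
net   ppp1    -        blacklist
net   ippp1   -        blacklist
net   ippp0   -        blacklist
net   tun1    -        blacklist
net   tun2    -        blacklist
vpn   tun3    -        blacklist
loc   eth0    detect
loc   eth1    detect
loc   eth2    detect
"""

# The corrected file from the last message of the thread.
INTERFACES_AFTER = """\
net   ppp0    -        blacklist
net   ppp1    -        blacklist
net   ippp1   -        blacklist
net   ippp0   -        blacklist
net   tun1    -        blacklist
net   tun2    -        blacklist
vpn   tun3    -        blacklist
loc   eth0    detect   blacklist
loc   eth1    detect   blacklist
loc   eth2    detect   blacklist
"""

# /etc/shorewall/blacklist entries quoted in the thread.
BLACKLIST = """\
208.115.192.0/18
216.245.192.0/19
221.200.0.0/14
58.208.0.0/12
"""

# Two of the Apache access_log lines from the thread (combined log format).
ACCESS_LOG = """\
58.218.199.227 - - [30/Jan/2012:10:17:03 +0100] "GET http://www.hardjob.net/proxyheader.php HTTP/1.1" 404 293
58.218.199.250 - - [30/Jan/2012:21:17:43 +0100] "GET http://cobebizs.com/proxyheader.php HTTP/1.1" 404 290
"""


def _strip(line):
    """Drop '#' comments and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_interfaces(text):
    """Return {interface: set(options)}. Minimal reader: assumes the
    four-column layout above, OPTIONS comma-separated and optional."""
    result = {}
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        fields = line.split()
        opts = {o for o in fields[3].split(",") if o} if len(fields) >= 4 else set()
        result[fields[1]] = opts
    return result


def parse_blacklist(text):
    """List of ip_network objects; a bare address becomes a /32."""
    return [ipaddress.ip_network(_strip(l).split()[0], strict=False)
            for l in text.splitlines() if _strip(l)]


def matching_network(nets, addr):
    """First blacklist entry that contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    return next((n for n in nets if ip in n), None)


def interfaces_without_blacklist(interfaces):
    """Interfaces on which the blacklist file is never consulted."""
    return sorted(i for i, o in interfaces.items() if "blacklist" not in o)


def would_be_dropped(interfaces, nets, addr, ingress):
    """Both conditions are required: the address matches an entry AND the
    ingress interface carries the 'blacklist' option."""
    return (matching_network(nets, addr) is not None
            and "blacklist" in interfaces.get(ingress, set()))


LOG_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) ")


def log_clients(text):
    """Distinct client IPs from Apache combined-format lines, in order seen."""
    seen = []
    for line in text.splitlines():
        m = LOG_IP.match(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def diagnose(interfaces_text, blacklist_text, log_text, ingress):
    """Per client IP: (matching blacklist entry as str or None,
    would it be dropped if it arrived on `ingress`?)."""
    ifaces = parse_interfaces(interfaces_text)
    nets = parse_blacklist(blacklist_text)
    report = {}
    for ip in log_clients(log_text):
        m = matching_network(nets, ip)
        report[ip] = (str(m) if m else None, would_be_dropped(ifaces, nets, ip, ingress))
    return report


if __name__ == "__main__":
    for label, text in (("before", INTERFACES_BEFORE), ("after", INTERFACES_AFTER)):
        print(label, "- interfaces without blacklist option:",
              interfaces_without_blacklist(parse_interfaces(text)))
        print(label, "- clients seen on eth0:", diagnose(text, BLACKLIST, ACCESS_LOG, "eth0"))
```

With the first interfaces file the report shows both 58.218.199.x clients matching 58.208.0.0/12 yet not dropped on eth0, which is exactly the symptom in the thread; with the corrected file the same clients are dropped. Adding /32 entries for the individual hosts, as tried mid-thread, would not have helped, because the missing piece was the interface option, not the prefix.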