Background: I am using ATTBI/COMCAST cable service for internet access. I have a RedHat 9 server that shorewall is protecting, and I use SNORT and ACID to alert me to problems. I see several WEB-IIS ("code red" and misc. other junk) entries that fill my Apache logs. I've been using shorewall to blacklist these IPs. I now have 62 IPs that are all on the ATTBI/COMCAST network that are blacklisted for WEB-IIS reasons.

Question: If these systems are using DHCP (I believe that they are), then is there any way to block them? ...does this make any sense?

Thank you
-Me
> I see several WEB-IIS ("code red" and misc. other junk) entries that
> fills my Apache logs.
>
> I've been using shorewall to blacklist these IP's.
>
> I now have 62 IP's that are all on ATTBI/COMCAST network that are
> blacklisted for WEB-IIS reasons.
>
> If these systems are using DHCP (I believe that there are), then is
> there any way to block them?

Not really -- blacklisting a dynamically-assigned IP address for more than a day or so is a waste of time and CPU cycles IMO.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline \ http://www.shorewall.net
Washington, USA \ teastep@shorewall.net
At 14:44 11/4/2003, Tom Eastep wrote:
> > If these systems are using DHCP (I believe that there are), then is
> > there any way to block them?
>
> Not really -- blacklisting a dynamically-assigned IP address for more than
> an day or so is a waste of time and CPU cycles IMO.

Might I suggest to this particular reader the Micro-HOWTO I wrote on using PortSentry to do temporary blocking of nuisances?

ftp://www.shorewall.net/pub/shorewall/contrib/PortsentryHOWTO.txt

Also, Tom, would you be so kind as to edit that file when you get back from vacation? Two changes:

1. Replace all occurrences of "rpaiz@simpaticus.com" with "email@domain.com"
2. Replace "DROP_INTERVAL_DAYS=5" with "DROP_INTERVAL_DAYS=2"

The first is because about 15 different systems have started notifying me about things, instead of notifying their owners. The second is in response to your advice not to block people for too long, and 2 days has worked well for me.

Thanks!

--
Rodolfo J. Paiz
rpaiz@simpaticus.com
--- "Rodolfo J. Paiz" <rpaiz@simpaticus.com> wrote:> 1. Replace all occurrences of "rpaiz@simpaticus.com" with > "email@domain.com"Even at the top of the top of the commented parts of your scripts?> 2. Replace "DROP_INTERVAL_DAYS=5" with > "DROP_INTERVAL_DAYS=2"> The first is because about 15 different systems have started > notifying me > about things, instead of notifying their owners.Your talking about the part the script is executing correct Rodolfo?? Thanks, JBanks __________________________________ Do you Yahoo!? Protect your identity with Yahoo! Mail AddressGuard http://antispam.yahoo.com/whatsnewfree
At 16:40 11/5/2003, Joshua Banks wrote:
> --- "Rodolfo J. Paiz" <rpaiz@simpaticus.com> wrote:
> > 1. Replace all occurrences of "rpaiz@simpaticus.com" with
> > "email@domain.com"
>
> Even at the top of the top of the commented parts of your scripts?

My apologies, and allow me to be more specific:

* On lines 61 and 62 of that file, it says:

  # portsentry.temp.block
  # Rodolfo J. Paiz <rpaiz@simpaticus.com>
  # version 2003.07.01

  Keep that one, since it allows someone with questions or feedback to contact me.

* On line 83 it says:

  NOTIFY_EMAIL="rpaiz@simpaticus.com"

  Please (PLEASE) change this one. Seriously, over 15 machines owned by someone else have been sending me notifications that they blocked X.Y.Z.

> > 2. Replace "DROP_INTERVAL_DAYS=5" with
> > "DROP_INTERVAL_DAYS=2"

Tom pointed out that having too many rules in your iptables ruleset can slow things down somewhat, and a five-day block had my "badlist" at around 60 hosts. Reducing the interval to 2 days has not caused the amount of attacks I do process to increase more than a tiny bit, and the badlist is down to around 18 people on my home firewall. Don't know if there will be a speed difference yet, but I tend to place a lot of faith in Tom's suggestions.

> > The first is because about 15 different systems have started
> > notifying me
> > about things, instead of notifying their owners.
>
> Your talking about the part the script is executing correct Rodolfo??

I'm talking about the command that sends an email to notify the administrator that a bad guy was blocked, which starts on line 100. Since NOTIFY_EMAIL is set to my address, a bunch of people have their systems working, but their systems are telling ME about everything that happens. Oops. Really, the only time my address NEEDS to be changed is on line 83.

Also, I will be writing this up a little more formally, and making some tiny changes to this script, in the next couple of days. I will post the URL to the exact file once I have it, OK?

--
Rodolfo J. Paiz
rpaiz@simpaticus.com
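The time-limited blocking discussed in this message (entries leave the "badlist" after DROP_INTERVAL_DAYS, so a shorter interval keeps the iptables ruleset small) is illustrated by the following added example; it is not the PortsentryHOWTO script, and it assumes a constructed badlist format of one "address epoch-seconds-when-blocked" line per entry.

```shell
#!/bin/sh
# Added example (not the HOWTO's portsentry.temp.block script):
# decide which temporarily blocked hosts have outlived DROP_INTERVAL_DAYS.
# Assumed badlist format: "<address> <epoch seconds when blocked>" per line.

DROP_INTERVAL_DAYS=2

# Constructed sample badlist (RFC 5737 documentation addresses).
SAMPLE_BADLIST='192.0.2.10 1067900000
198.51.100.7 1068050000
203.0.113.5 1068080000'

# Constructed "current time" so the run is deterministic (early Nov 2003).
NOW=1068100000

# expired_hosts <badlist-file> <now-epoch> [days]
# Prints the addresses whose block is at least <days> old; the caller
# would then release them from the firewall and drop them from the list.
expired_hosts() {
    awk -v now="$2" -v days="${3:-$DROP_INTERVAL_DAYS}" \
        '($2 + days * 86400) <= now { print $1 }' "$1"
}

# prune_badlist <badlist-file> <now-epoch> [days]
# Prints the entries still inside the interval, i.e. the new badlist.
prune_badlist() {
    awk -v now="$2" -v days="${3:-$DROP_INTERVAL_DAYS}" \
        '($2 + days * 86400) > now { print }' "$1"
}

# Stand-alone demonstration: compare the 2-day and 5-day intervals.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_BADLIST" > "$tmp"
echo "Hosts to release with a ${DROP_INTERVAL_DAYS}-day interval:"
expired_hosts "$tmp" "$NOW"
echo "Hosts to release with a 5-day interval:"
expired_hosts "$tmp" "$NOW" 5
echo "Badlist kept with a ${DROP_INTERVAL_DAYS}-day interval:"
prune_badlist "$tmp" "$NOW"
rm -f "$tmp"
```

With the sample data the 2-day interval releases one host while the 5-day interval releases none, which is the badlist shrinkage the message describes.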
--- "Rodolfo J. Paiz" <rpaiz@simpaticus.com> wrote:> Also, I will be writing this up a little more formally, and making > some > tiny changes to this script, in the next couple of days. I will post > the > URL to the exact file once I have it, OK?Haven''t installed "Port Sentry" yet but I''m going to be getting Comcast cable in my area finally and I believe that (from the sounds of it so far) "Port Sentry" is going to be my friend. I''ll do my homework Rodolfo. Thanks for the response. Joshua Banks __________________________________ Do you Yahoo!? Protect your identity with Yahoo! Mail AddressGuard http://antispam.yahoo.com/whatsnewfree