I am tired of getting bombed with virus attempts from 3 or 4 ip's. Is there a way to deny *ALL* access from specific ip in SuSEfirewall2 or with apache?

--
Patrick Shanahan
Please avoid TOFU and trim >quotes<
http://wahoo.no-ip.org
Registered Linux User #207535
icq#173753138 @ http://counter.li.org
* Patrick Shanahan;
> I am tired of getting bombed with virus attempts from 3 or 4 ip's. Is there a way to deny *ALL* access from specific ip in SuSEfirewall2 or with apache?

You can use the SuSEfirewall2-custom look after fw_custom_before_port_handling() portion

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
* Togan Muftuoglu
> * Patrick Shanahan;
> on 19 Mar, 2003 wrote:
>> I am tired of getting bombed with virus attempts from 3 or 4 ip's. Is there a way to deny *ALL* access from specific ip in SuSEfirewall2 or with apache?
> You can use the SuSEfirewall2-custom look after fw_custom_before_port_handling() portion

Thanks, but I guess I do not know how to write the script as this does not work:

    iptables -A INPUT -j DENY -d 24.208.133.143

--
Patrick Shanahan
Please avoid TOFU and trim >quotes<
http://wahoo.no-ip.org
Registered Linux User #207535
icq#173753138 @ http://counter.li.org
On Wednesday 19 March 2003 20:06, Patrick Shanahan wrote:
> * Togan Muftuoglu
> [03-19-03 14:36]:
>> * Patrick Shanahan;
>> on 19 Mar, 2003 wrote:
>>> I am tired of getting bombed with virus attempts from 3 or 4 ip's. Is there a way to deny *ALL* access from specific ip in SuSEfirewall2 or with apache?
>> You can use the SuSEfirewall2-custom look after fw_custom_before_port_handling() portion
> Thanks, but I guess I do not know how to write the script as this does not work:
>
>     iptables -A INPUT -j DENY -d 24.208.133.143
>
> --
> Patrick Shanahan
> Please avoid TOFU and trim >quotes<
> http://wahoo.no-ip.org
> Registered Linux User #207535
> icq#173753138 @ http://counter.li.org

Try Guarddog at http://www.simonzone.com/software/guarddog/

Seems to work for me

Tom
* Patrick Shanahan (WideGlide@MyRealBox.com) [030319 12:01]:
> Thanks, but I guess I do not know how to write the script as this does not work:
>
>     iptables -A INPUT -j DENY -d 24.208.133.143

    iptables -A INPUT -s the_bad_ip -d 0/0 --proto all -j DROP

--
-ckm
* Christopher Mahmood
> * Patrick Shanahan (WideGlide@MyRealBox.com) [030319 12:01]:
>> Thanks, but I guess I do not know how to write the script as this does not work:
>>
>>     iptables -A INPUT -j DENY -d 24.208.133.143
>
>     iptables -A INPUT -s the_bad_ip -d 0/0 --proto all -j DROP

tks, but had problems. Made changes to both files, SuSEfirewall2 to use the SuSEfirewall2-custom, and added the iptables line above to SuSEfirewall2-custom.

...

rcSuSEfirewall2 reload failed

The line in SuSEfirewall2 to load the custom file is not correct. Changed

    from: /etc/sysconfig/SuSEfirewall2-custom
    to:   /etc/sysconfig/scripts/SuSEfirewall2-custom

I did *not* put the address of the custom file in SuSEfirewall2, it was a commented line. Just happened to notice the difference.

tks again, will report success. 24.208.133.143 tries to access every hour, that will be in about 20 minutes.

--
Patrick Shanahan
Please avoid TOFU and trim >quotes<
http://wahoo.no-ip.org
Registered Linux User #207535
icq#173753138 @ http://counter.li.org
* Christopher Mahmood
> * Patrick Shanahan (WideGlide@MyRealBox.com) [030319 12:01]:
>> Thanks, but I guess I do not know how to write the script as this does not work:
>>
>>     iptables -A INPUT -j DENY -d 24.208.133.143
>
>     iptables -A INPUT -s the_bad_ip -d 0/0 --proto all -j DROP

This is *not* working. 24.208.133.143 is still getting thru.

excerpt from /etc/sysconfig/scripts/SuSEfirewall2-custom:

    fw_custom_before_port_handling() {
        # these rules will be loaded after the anti-spoofing and icmp handling
        # and after the input has been redirected to the input_XXX and
        # forward_XXX chains and some basic chain-specific anti-circumvention
        # rules have been set,
        # but before any IP protocol or TCP/UDP port allow/protection rules
        # will be set.
        # You can use this hook to allow/deny certain IP protocols or TCP/UDP
        # ports before the SuSEfirewall2 generated rules are hit.

        iptables -A INPUT -s 24.198.198.42 -d 0/0 --proto all -j DROP
        iptables -A INPUT -s 24.208.133.143 -d 0/0 --proto all -j DROP
        iptables -A INPUT -s 24.208.150.4 -d 0/0 --proto all -j DROP

        true
    }

iptables -L yields:

    Chain INPUT (policy DROP)
    target     prot opt source                              destination
    ACCEPT     all  --  anywhere                            anywhere
    LOG        all  --  loopback/8                          anywhere            LOG level warning tcp-options ip-options prefix uSE-FW-DROP-ANTI-SPOOFING '
    LOG        all  --  anywhere                            loopback/8          LOG level warning tcp-options ip-options prefix uSE-FW-DROP-ANTI-SPOOFING '
    DROP       all  --  loopback/8                          anywhere
    DROP       all  --  anywhere                            loopback/8
    LOG        all  --  192.168.0.2                         anywhere            LOG level warning tcp-options ip-options prefix uSE-FW-DROP-ANTI-SPOOFING '
    DROP       all  --  192.168.0.2                         anywhere
    input_ext  all  --  anywhere                            192.168.0.2
    DROP       all  --  anywhere                            192.168.0.255
    DROP       all  --  anywhere                            255.255.255.255
    LOG        all  --  anywhere                            anywhere            LOG level warning tcp-options ip-options prefix uSE-FW-ILLEGAL-TARGET '
    DROP       all  --  anywhere                            anywhere
    DROP       all  --  ptd-24-198-198-42.maine.rr.com      anywhere
    DROP       all  --  dhcp024-208-133-143.insight.rr.com  anywhere
    DROP       all  --  dhcp024-208-150-004.insight.rr.com  anywhere
    ......

firewall log:

    Mar 19 20:43:08 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=24.208.133.143 DST=192.168.0.2 LEN=48 TOS=0x08 PREC=0x00 TTL=121 ID=55047 DF PROTO=TCP SPT=4199 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)

What to do next ??

--
Patrick Shanahan
Please avoid TOFU and trim >quotes<
http://wahoo.no-ip.org
Registered Linux User #207535
icq#173753138 @ http://counter.li.org
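In the `iptables -L` listing above, the three appended DROP rules sit below both the jump to `input_ext` and a catch-all DROP, so the SYN to port 80 is decided (and logged as SuSE-FW-ACCEPT) before they are reached. The following is an added example, not part of the original thread: a hook body that inserts at the head of INPUT with `-I`, plus a checker for rule order; `IPTABLES`, `BLOCKED_SOURCES`, `drop_rule_status` and `sample_listing` are assumed names, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. IPTABLES and BLOCKED_SOURCES are assumed
# names; the addresses are the ones quoted in the thread.
IPTABLES="${IPTABLES:-iptables}"
BLOCKED_SOURCES="24.198.198.42 24.208.133.143 24.208.150.4"

# Hook body for SuSEfirewall2-custom: -I INPUT 1 places each DROP at the head
# of INPUT, ahead of the jump to input_ext, instead of appending with -A.
fw_custom_before_port_handling() {
    for src in $BLOCKED_SOURCES; do
        $IPTABLES -I INPUT 1 -s "$src" -j DROP || return 1
    done
    true
}

# Reads `iptables -L INPUT -n --line-numbers` output on stdin and prints
# "effective", "shadowed" or "missing" for a DROP rule matching source $1.
# Heuristic: a rule counts as shadowed when it follows the jump to input_ext
# or a DROP that matches any source and any destination.
drop_rule_status() {
    awk -v src="$1" '
        $1 ~ /^[0-9]+$/ {
            tgt = $2; s = $5; d = $6
            if (tgt == "DROP" && s == src) {
                print (cut ? "shadowed" : "effective"); found = 1; exit
            }
            if (tgt == "input_ext") cut = 1
            if (tgt == "DROP" && s == "0.0.0.0/0" && d == "0.0.0.0/0") cut = 1
        }
        END { if (!found) print "missing" }
    '
}

# Constructed sample in the same rule order as the listing in the thread.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    input_ext  all  --  0.0.0.0/0            192.168.0.2
3    DROP       all  --  0.0.0.0/0            0.0.0.0/0
4    DROP       all  --  24.208.133.143       0.0.0.0/0
EOF
}
```

After a reload, `iptables -L INPUT -n --line-numbers | drop_rule_status 24.208.133.143` should print `effective`.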
participants (4)
- Christopher Mahmood
- Patrick Shanahan
- Togan Muftuoglu
- Tom Wesley