best method to block ip block

Hi, I want to block all kinds of protocol requests coming from an ISP's dialup users, since I have had enough of Superscan pings, icmp +++ath0 attacks, nmap and other sorts of tools scanning my ip, and, not to forget to mention, the Back Orifice and other trojan client-to-server and server-to-client traffic hitting my firewall. Although these requests are denied at the firewall, is there a better way of stopping this? The ip block I want to filter is as follows:
xxx.156.130.1 to xxx.156.191.255
-- Togan Muftuoglu

Hi,

On 29-Jul-01 Togan Muftuoglu wrote:
> Hi,
> I want to block all kinds of protocol requests coming from an ISP's dialup users, since I have had enough of Superscan pings, icmp +++ath0 attacks, nmap and other sorts of tools scanning my ip, and, not to forget to mention, the Back Orifice and other trojan client-to-server and server-to-client traffic hitting my firewall. Although these requests are denied at the firewall, is there a better way of stopping this? The ip block I want to filter is as follows:
> xxx.156.130.1 to xxx.156.191.255
You may want to use return-rst for this. return-rst needs netlink device support compiled into your kernel (say "Y" to CONFIG_NETLINK and CONFIG_IP_FIREWALL_NETLINK in your kernel config and create the device with

mknod -m 600 /dev/netlink c 36 3

if it isn't already present). A specially designed ipchains line would then copy the first 128 bytes to the netlink device and from there to return-rst. A typical return-rst rule would look like this:

ipchains -A input -p tcp -y -o 128 -j DENY -s <ip or ip-block of badhost> -d <ip of your server>

Note the -o 128, which copies the first 128 bytes of the connection to the netlink device. Be sure to use DENY instead of REJECT, as REJECT sends its own ICMP error message.

Thus, if you get portscanned or somebody tries to open a connection from a black-listed ip, your firewall will send back RSTs (resets) instead of sending ICMP error messages or dropping the packet. This, for any attacker or unauthorized client, looks like there are no ports open/services offered on your host, which greatly helps to reduce bandwidth usage and to increase security. I used to block some Korean netblocks that way because of excessive cracker activity.

You can get return-rst from http://net-security.org/cgi-bin/file.cgi?return-rst-1.1.tar.gz .
--- Boris Lorenz <bolo@lupa.de> System Security Admin *nix - *nux ---
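The rule above takes one source per line, and the range in the question (xxx.156.130.1 to xxx.156.191.255) is not a single CIDR prefix, so in practice it has to be split into several aligned prefixes before it can be fed to ipchains. The following is an added example, not code from the thread or from return-rst: it computes the minimal prefix list for an inclusive range, emits one DENY line per prefix in the exact shape Boris gives, and lets you check whether a given address falls inside the block. The first octet is masked in the original post, so 10.156.x.x and the server address 192.0.2.10 are constructed placeholders.

```python
"""
Turn an inclusive IPv4 range into CIDR prefixes and emit one firewall rule per
prefix. Added example; not code from the list thread or from return-rst.
"""
import ipaddress
from typing import List

BLOCK_START = "10.156.130.1"    # constructed: stands in for xxx.156.130.1
BLOCK_END = "10.156.191.255"    # constructed: stands in for xxx.156.191.255
SERVER_IP = "192.0.2.10"        # constructed: the address of your own server


def range_to_cidrs(start: str, end: str) -> List[ipaddress.IPv4Network]:
    """Smallest set of CIDR prefixes exactly covering start..end (inclusive)."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if first > last:
        raise ValueError("range start is after range end")
    return list(ipaddress.summarize_address_range(first, last))


def deny_rules(cidrs: List[ipaddress.IPv4Network], server_ip: str) -> List[str]:
    """One ipchains line per prefix, in the shape given in the reply above:
    DENY (not REJECT) so the kernel sends no ICMP error itself, -y so only
    SYN packets match, -o 128 to hand the first 128 bytes to return-rst."""
    ipaddress.IPv4Address(server_ip)  # validate before building shell lines
    return [
        f"ipchains -A input -p tcp -y -o 128 -j DENY -s {net} -d {server_ip}"
        for net in cidrs
    ]


def is_blocked(addr: str, cidrs: List[ipaddress.IPv4Network]) -> bool:
    """True if a single address falls inside any of the blocked prefixes."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in cidrs)


def covered_addresses(cidrs: List[ipaddress.IPv4Network]) -> int:
    """Total number of addresses the prefix list covers (sanity check)."""
    return sum(net.num_addresses for net in cidrs)


if __name__ == "__main__":
    nets = range_to_cidrs(BLOCK_START, BLOCK_END)
    print(f"# {len(nets)} prefixes covering {covered_addresses(nets)} addresses")
    for line in deny_rules(nets, SERVER_IP):
        print(line)
```

Because the range starts at .130.1 rather than .130.0, the split produces thirteen prefixes, from a lone /32 up to a /19; checking `covered_addresses` against the arithmetic size of the range is a cheap way to catch a typo in the boundaries before the rules go onto a firewall.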

Hi there!

Since I installed SuSE 7.2 on my systems, all sorts of connections are made via SSL. Of course this is a very good idea, and something I intended, but it also leads to a problem. Many network connections I need to make fail because the peer is unable to use SSL, and I can't find out how to turn off SSL on those connections.

I do want to use SSL with machines that are capable of SSL, but I also need to make non-SSL connections from time to time to get e-mail off an ancient VAX, to /dcc chat a friend in irc, that sort of thing...

I've been fiddling with openssl.cnf using the accompanying docs, to try and disable SSL for particular connections, but so far to no avail. Can someone point me in the right direction?

Thanks!
Yuri.
--------------------------------------------------------------------------
Yuri Robbers                          phone : +31-71-527-4966
Leiden University                     fax   : +31-71-527-4900
Institute for Theoretical Biology     email : robbers@rulsfb.leidenuniv.nl
Kaiserstraat 63, 2311 GP Leiden       PGP 5.0 public key available:
the Netherlands                       Check your favourite hkp server.
--------------------------------------------------------------------------

On Tue, Jul 31, 2001 at 02:32:08AM +0200, Yuri Robbers wrote:
> since I installed SuSE 7.2 on my systems, all sorts of connections are made via SSL. Of course this is a very good idea, and something I intended, but it also leads to a problem. Many network connections I need to make fail because the peer is unable to use SSL, and I can't find out how to turn off SSL on those connections.
> I do want to use SSL with machines that are capable of SSL, but I also need to make non-SSL connections from time to time to get e-mail off an ancient VAX, to /dcc chat a friend in irc, that sort of thing...
> I've been fiddling with openssl.cnf using the accompanying docs, to try and disable SSL for particular connections but so far to no avail. Can someone point me in the right direction?
openssl.cnf has nothing to do with SSL operations; it is used during certificate generation. You must read the per-application documentation on how to (de-)activate SSL.

Best regards,
Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke@aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153