Re: [SLUG] weird web site viewer

From: Chuck Hast (wchast@gmail.com)
Date: Wed Apr 19 2006 - 08:56:24 EDT


On 4/19/06, steve szmidt <steve@szmidt.org> wrote:
> On Wednesday 19 April 2006 01:41, Eben King wrote:
> > I have a small, personal web site, served using thttpd (I said it was
> > small). I run it on port 81, to avoid the IIS attack du jour.
> >
> > There is one machine that's made about 300 hits since 13/Apr/2006:11:47:57,
> > often hitting the same page dozens of times in a row, with 8-60 seconds
> > between hits. His hits stop coming in the evening and resume in the early
> > afternoon. What's the deal here? How can I cut him off, using e.g.
> > hosts.deny or similar (I already have ALL : ALL in there)?
>
> You are using the builtin firewall are you not?
>
> If it's always on the same IP you can add an entry like DROP. Though I'd be
> curious about what he's doing. Have you tried recording the traffic and
> inspecting what he's doing?
>
> BTW, one thing to keep in mind when you add the entry is that firewalls either
> act on the first matching record or the last. If you are using iptables then
> it's the first matching rule that wins. So you might want to use something
> like this where you first have his drop then the accept rule for all others.
>
> -A RH-Firewall-1-INPUT -s <enter.block.ip.here> -j DROP
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
>
> Of course if any line wraps here make sure it's on one line
> in /etc/sysconfig/iptables. The above drops all traffic from that address, it
> will look like you went away. If you prefer to play nice you would replace
> the DROP with a REJECT. (Again this is iptables syntax.)
>
> Playing nice is important for those who have various legit or should I say
> important traffic, moving through. Then you want to pay more attention on
> your equipment working standardly with others. For a home setup where you
> don't really care and are more concerned about security you can use DROP and
> disappear.

A year or so ago I had a similar issue with an amateur radio packet network
switch; there were people who were trying to get into the thing. I captured logs
and tried to figure things out, and at one point I called the FBI about it. They
were VERY interested in the logs and what was going on, and I supplied them
all of the data they asked for. After several weeks had gone by I was called,
and they told me that they were still investigating, but they went through a
list of things to do to make it more difficult for the people who were trying
to get it, and the one thing that really took care of it was to change the
port from port 22 (SSH) to another port. That killed the attempts totally. I have
not had a problem since. I have not heard a thing from them and suspect that I
will not, but I have tried some things on port 22 since then and no longer see
a great majority of the stuff I was seeing; either they gave up or the boys in
the suits got to them. Several of them were traced to universities and other
similar places.

--
Chuck Hast  -- KP4DJT --
To paraphrase my flight instructor;
"the only dumb question is the one you DID NOT ask resulting in my going
out and having to identify your bits and pieces in the midst of torn
and twisted metal."
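The two practical points in the thread are (1) find the client that is hammering the same page and (2) put a DROP for it ahead of the ACCEPT, because iptables stops at the first matching rule. The script below is an added example, not code from anyone on the list: it counts per-client hits in a Common Log Format access log of the kind thttpd writes, generates an iptables-save style fragment in the ordering Steve described, and checks that the DROP really lands above the ACCEPT. The log lines are constructed for the example (RFC 5737 documentation addresses); the chain name RH-Firewall-1-INPUT is taken from Steve's message and the web port is 81 because that is what Eben said he runs on.

```shell
#!/bin/sh
# Added example: spot noisy web clients in a CLF access log, emit first-match
# ordered iptables rules for them, and verify the ordering. The sample log is
# constructed; the chain name and port come from the thread.

SAMPLE_LOG='192.0.2.10 - - [13/Apr/2006:11:47:57 -0400] "GET /index.html HTTP/1.0" 200 1234
192.0.2.10 - - [13/Apr/2006:11:48:30 -0400] "GET /index.html HTTP/1.0" 200 1234
192.0.2.10 - - [13/Apr/2006:11:49:05 -0400] "GET /index.html HTTP/1.0" 200 1234
192.0.2.10 - - [13/Apr/2006:11:50:01 -0400] "GET /index.html HTTP/1.0" 200 1234
198.51.100.7 - - [13/Apr/2006:12:02:11 -0400] "GET /about.html HTTP/1.0" 200 777
203.0.113.5 - - [13/Apr/2006:12:10:00 -0400] "GET /index.html HTTP/1.0" 200 1234
203.0.113.5 - - [13/Apr/2006:12:10:44 -0400] "GET /pics/ HTTP/1.0" 200 4321'

# Print "count ip" for every client with at least $1 hits, busiest first.
# Reads the access log on stdin; $1 of each CLF line is the client address.
noisy_clients() {
    awk -v min="$1" 'NF { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }' |
    sort -rn
}

# Same idea restricted to one client fetching one and the same URL ($7 in CLF)
# at least $1 times, which is the "same page dozens of times" pattern.
repeat_fetchers() {
    awk -v min="$1" 'NF { key = $1 " " $7; hits[key]++ }
        END { for (k in hits) if (hits[k] >= min) print hits[k], k }' |
    sort -rn
}

# Emit an /etc/sysconfig/iptables style fragment for chain $1 and web port $2:
# one DROP per offending address, then the ACCEPT. The DROPs go first because
# iptables stops at the first matching rule; after the ACCEPT they would be dead.
block_rules() {
    chain="$1"; port="$2"; shift 2
    for ip in "$@"; do
        printf '%s\n' "-A $chain -s $ip -j DROP"
    done
    printf '%s\n' "-A $chain -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
}

# Read rules on stdin; succeed (exit 0) only if a DROP for address $2 appears in
# chain $1 before any ACCEPT for port $3, i.e. only if the block can take effect.
drop_precedes_accept() {
    awk -v c="$1" -v ip="$2" -v p="$3" '
        $1 == "-A" && $2 == c {
            for (i = 3; i < NF; i++) {
                if ($i == "-s" && $(i+1) == ip && $NF == "DROP") {
                    if (accepted) bad = 1; else dropped = 1
                }
                if ($i == "--dport" && $(i+1) == p && $NF == "ACCEPT") accepted = 1
            }
        }
        END { exit (dropped && !bad) ? 0 : 1 }'
}

# Walk through the whole procedure on the sample log.
demo() {
    echo "clients with 3 or more hits:"
    printf '%s\n' "$SAMPLE_LOG" | noisy_clients 3
    echo "client/page pairs fetched 3 or more times:"
    printf '%s\n' "$SAMPLE_LOG" | repeat_fetchers 3
    offenders=$(printf '%s\n' "$SAMPLE_LOG" | noisy_clients 3 | awk '{ print $2 }')
    echo "rules to paste above the ACCEPT in /etc/sysconfig/iptables:"
    # shellcheck disable=SC2086  # word-splitting the address list is intended
    rules=$(block_rules RH-Firewall-1-INPUT 81 $offenders)
    printf '%s\n' "$rules"
    for ip in $offenders; do
        if printf '%s\n' "$rules" | drop_precedes_accept RH-Firewall-1-INPUT "$ip" 81; then
            echo "ok: DROP for $ip is ahead of the port 81 ACCEPT"
        else
            echo "WARNING: DROP for $ip would never match (ACCEPT comes first)"
        fi
    done
}

demo
```

Replace DROP with REJECT in block_rules if you want the "play nice" behaviour Steve mentions; the ordering check works the same way for either target. Feed a real thttpd log with `noisy_clients 50 < access.log` and adjust the threshold to what your own site normally sees before trusting the list.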

----------------------------------------------------------------------- This list is provided as an unmoderated internet service by Networked Knowledge Systems (NKS). Views and opinions expressed in messages posted are those of the author and do not necessarily reflect the official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:36:32 EDT