It's not so easy. I blocked port 5194 (the ICQ login port) a while ago, but today I
found users were still able to connect.
So I made a port scan on login.icq.com and found that they have over 100
ports you can log in to in case your admin locks you out :)
So what I did was add the following rules:
$IPCHAINS -A output -p tcp -s $REMOTENET -d login.icq.com 0:9999 -i $OUTERIF -j DENY
$IPCHAINS -A output -p tcp -s $REMOTENET -d web.icq.com 0:9999 -i $OUTERIF -j DENY

and to block AOL Messenger (another client with security bugs which allow a
remote attacker to take full control of users' systems):

$IPCHAINS -A output -p tcp -s $REMOTENET -d login.oscar.aol.com 0:9999 -i $OUTERIF -j DENY

Moran.


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Alon Oz
Sent: Monday, December 25, 2000 2:56 PM
To: Jonathan Ben-Avraham
Cc: ILUG
Subject: Re: ipchains


Jonathan Ben-Avraham wrote:
>
> On Mon, 25 Dec 2000, Alon Oz wrote:
>
> > Jonathan Ben-Avraham wrote:
> > >
> > > On Mon, 25 Dec 2000, Alon Oz wrote:
> > >
> > > > Jonathan Ben-Avraham wrote:
> > > > >
> > > > > On Mon, 25 Dec 2000, System1 wrote:
> > > > >
> > > > > >
> > > > > > Hi,
> > > > > > we are using here IPChains Firewall.
> > > > > > Is there anyway to block complete domain such as *.icq.com ?
> > > > >
> > > > > No, not with ipchains, because -s accepts only a hostname, network address
> > > > > or plain IP address
> > > > >
> > > > You dig all the domains under icq.com and add block rules for it in a
> > > > loop.
> > >
> > > Very nice.
> > > How do I write the loop?
> >
> > 1. I just checked icq.com and you cannot dig the domains under it.
> > 2. You have another option: nslookup icq.com returns 3 IP addresses,
> >    scan these blocks for the .icq.com pattern and block the ones you find.
> >    It's not perfect, but it's better than nothing,
> >    and I assume it will solve your problem.
> >    You can write the script with any scripting language
> >    (you can search the web for a shell scripting tutorial).
>
> Ok, but my experience with these IPs is that they change every year or
> so. So isn't it better to block at the service level and not at the IP
> level?

A bit more logical, but you asked about blocking the domain :).
Block all the icq ports and that's it.

--
Alon Oz,
Aduva Research Team,
Mailto: [EMAIL PROTECTED]

--
A proud member in the Evil Linux cyberterrorist hackers (ELCH)
organization
A who can launch Denial of Service attacks against the embedded devices
in your 6-slice toaster with advanced pingflood Open Source classified
exploit codes hidden inside strongly encrypted Russian mafia pornography
that innocent American children download from online gambling web sites
located in the Northern Mariana Islands

=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
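An added example, not code from anyone in this thread: a small POSIX shell script that turns Moran's per-host rules and the resolve-and-loop idea Alon describes into one rerunnable script, so it can be run again from cron when the addresses behind a hostname change (the problem Jonathan raises). IPCHAINS, OUTERIF and REMOTENET follow the names in Moran's rules; the hostnames are the ones from the thread; everything else is an assumption of this example. The addresses in FAKE_DNS are constructed (documentation ranges) and resolve_host is an offline stand-in, so the script runs anywhere; on a real gateway you would replace its body with a real lookup such as host or dig. With IPCHAINS unset it only prints the rules it would add.

```sh
#!/bin/sh
# Added example (not from the thread): emit one ipchains DENY rule per address
# a hostname resolves to, instead of one rule per hostname that is resolved
# only once, at insert time, and silently goes stale when the addresses move.
#
# Assumptions (not from the original post):
#   IPCHAINS, OUTERIF, REMOTENET follow Moran's rules; defaults below are for a dry run.
#   resolve_host prints one IPv4 address per line; here it reads a constructed table.
#   The port range is widened to 0:65535, since the thread found the service
#   listening on many ports, not only the documented login port.

IPCHAINS=${IPCHAINS:-"echo ipchains"}     # dry run by default: print, don't apply
OUTERIF=${OUTERIF:-eth0}
REMOTENET=${REMOTENET:-192.168.1.0/24}

# Constructed lookup table standing in for DNS (addresses are made up).
FAKE_DNS='login.icq.com 192.0.2.10
login.icq.com 192.0.2.11
web.icq.com 192.0.2.20
login.oscar.aol.com 198.51.100.5'

# Print every address recorded for a hostname, one per line (stand-in for DNS).
resolve_host() {
    printf '%s\n' "$FAKE_DNS" | awk -v h="$1" '$1 == h { print $2 }'
}

# Accept only a dotted-quad before it goes into a rule; a lookup that returns
# junk must not turn into a rule with an empty or wildcard destination.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Add one outbound DENY rule per resolved address for all TCP ports.
# Exit status is non-zero when nothing was added, so a host that no longer
# resolves is reported instead of being silently unblocked.
block_host() {
    host=$1
    added=0
    for ip in $(resolve_host "$host"); do
        if ! is_ipv4 "$ip"; then
            echo "skipping bad address '$ip' for $host" >&2
            continue
        fi
        $IPCHAINS -A output -p tcp -s "$REMOTENET" -d "$ip" 0:65535 -i "$OUTERIF" -j DENY
        added=$((added + 1))
    done
    [ "$added" -gt 0 ]
}

# Block a list of hosts; fail (exit 1) if any of them produced no rule.
block_hosts() {
    failed=0
    for h in "$@"; do
        if ! block_host "$h"; then
            echo "warning: $h resolved to no usable address, nothing blocked" >&2
            failed=1
        fi
    done
    return $failed
}

# Usage: sh block-hosts.sh login.icq.com web.icq.com login.oscar.aol.com
if [ $# -gt 0 ]; then
    block_hosts "$@"
fi
```

Because ipchains stores addresses, not names, a rule added with -d login.icq.com is only as current as the lookup made when it was inserted; a script like this run periodically (flushing and rebuilding its rules) keeps the block in step with DNS, and the non-zero exit status makes a vanished hostname visible in cron mail rather than quietly opening the path again.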
