Hi Bernd!
I don't think it's a configuration error - I'm using very similar chains on both of my
boxes, and the production webserver is the only one experiencing this. It started
about one in the morning, several hours after I blocked 5 IP addresses that were the
probable cause of many of the probes hitting my webserver for over a week.
They introduced a lot of phony source IPs [chaff] in the probes, but about 5 of the
same source IPs hit the DENY chains on 2 systems a couple of times each day for about
a week. I notified the postmaster & abuse email addresses of their ISPs, and within
hours of blocking those IP addresses I started receiving the unwanted "attention." One
of the comments I made to the postmaster was, "This script kiddy can't be too bright,
so I'll assume it's a teenager. Please tell him or her to stop littering my log
files..."
I think the culprit got the email, and was a little offended by being addressed as a
script kiddy. I must have hit a nerve. ;)
It may be an attempt at revenge. And all of this happened just days after both of my
systems denied packets coming into my router from the Internet with an address of
"10.0.211.58" which even I know enough to block & log, and I'm not a security
professional. So, I know that either my ISP isn't too particular about blocking
obviously forged packets from entering their network, or someone on their network is
doing it, and they're just not interested. I haven't received any reply to several
emails I sent beginning on Wednesday.
Do you security professionals have a statistical program of some sort to cull through
the log files to tag the most probable real source IP addresses? I had to process mine
through a perl script, and import them into a PostgreSQL database to play with them
using SQL commands I typed at the keyboard, which was very time consuming &
inefficient - I can't type worth spit.
Additionally, is there a black-hole list for cracker IPs anywhere, similar to the
email black-hole list, or a list of ISPs that are the most indifferent to security on
their networks?
Thanks Again!
Bernd Eckenfels wrote:
>
> On Sat, Mar 03, 2001 at 07:53:05PM -0500, Buddy Lee Haystack wrote:
> > Someone's is spoofing the address of my ISP's [Verio] DNS servers &
> > sending roughly 2,500 denied packets in 24 hours. At least I hope that
> > they haven't rooted Verio's DNS servers.
>
> This sounds much more like a configuration error. What kind of packets
> (from where to where) get denied? Are you sure you do not simply deny legit
> DNS response packets?
>
> Greetings
> Bernd
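An added example, not from this thread, of the kind of log triage the question above asks about: it assumes ipchains-style "Packet log" syslog lines (the layout in the regex is an assumption) and uses constructed sample data with documentation addresses. Sources in ranges that should never arrive from the Internet (like the 10.0.211.58 case) are marked spoofed outright; the rest are ranked by how many distinct days they hit the DENY chain, since spoofed chaff tends to be one-off while a real source keeps coming back.

```python
import re
import ipaddress
from collections import defaultdict

# Source ranges that should never arrive from the Internet (RFC 1918, loopback,
# link-local, multicast): a DENY hit from one of these is spoofed by construction.
NEVER_ROUTED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

# Assumed ipchains "Packet log" syslog layout: captures day, source and destination.
LINE_RE = re.compile(
    r"^(?P<day>[A-Z][a-z]{2}\s+\d{1,2}) \d\d:\d\d:\d\d \S+ kernel: Packet log: "
    r"\S+ DENY \S+ PROTO=\d+ (?P<src>\d+(?:\.\d+){3}):\d+ (?P<dst>\d+(?:\.\d+){3}):\d+")

def rank_sources(log_text):
    # Aggregate DENY hits per source IP; rank by distinct days seen, then by packets.
    hits = defaultdict(lambda: {"packets": 0, "days": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        hits[m["src"]]["packets"] += 1
        hits[m["src"]]["days"].add(" ".join(m["day"].split()))  # "Mar  1" -> "Mar 1"
    rows = []
    for src, rec in hits.items():
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in NEVER_ROUTED):
            verdict = "spoofed: reserved source"
        elif len(rec["days"]) >= 2:
            verdict = "persistent: probably real"
        else:
            verdict = "one-off: chaff or single scan"
        rows.append({"src": src, "packets": rec["packets"],
                     "days": len(rec["days"]), "verdict": verdict})
    rows.sort(key=lambda r: (-r["days"], -r["packets"], r["src"]))
    return rows

# Constructed sample using documentation addresses; not real log data.
SAMPLE_LOG = """\
Mar  1 03:12:44 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4321 198.51.100.5:80 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#3)
Mar  1 03:12:45 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.77:4322 198.51.100.5:80 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#3)
Mar  1 03:12:46 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.200:4323 198.51.100.5:80 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#3)
Mar  2 01:05:10 gw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:1025 198.51.100.5:53 L=60 S=0x00 I=4 F=0x0000 T=64 (#5)
Mar  2 01:05:11 gw kernel: Packet log: input DENY eth0 PROTO=17 10.0.211.58:1026 198.51.100.5:53 L=60 S=0x00 I=5 F=0x0000 T=64 (#5)
Mar  3 00:58:31 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4401 198.51.100.5:80 L=60 S=0x00 I=7 F=0x4000 T=64 SYN (#3)
Mar  3 00:58:32 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.200:4402 198.51.100.5:80 L=60 S=0x00 I=8 F=0x4000 T=64 SYN (#3)
"""

if __name__ == "__main__":
    for r in rank_sources(SAMPLE_LOG):
        print(f"{r['src']:15} {r['packets']:3d} pkts {r['days']} days  {r['verdict']}")
```

Feed it the real kernel log instead of SAMPLE_LOG; the same per-source counts could also be loaded into the PostgreSQL table mentioned above for further querying.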