OK, I've got to do this:  OK, what's with the "ok"s, OK?   :-)

Anyway, you're right, but portsentry will only trap the one offending host
address at the time of detection.

If you want to place a rule in your ipchains to cover the entire network on
which the host is located, you can add a similar line with the
network/netmask combination. As an example, to block all of AT&T CERFnet in
Redwood, California, you would add the following to the firewall.rc script,
or pmfirewall.rules.local, or whatever script starts your firewalling... or
you can add the line temporarily at the command line:

Use whois to get the information about the network IP range.

/sbin/ipchains -I input -s 216.148.218.0/20 -j DENY -l

--Greg


----- Original Message -----
From: "stephen" <[EMAIL PROTECTED]>


> that command is blocking the one ip address ok greg stewart
> if you need to block the complete 128.143 there is a different way ok
> stephen
> ----- Original Message -----
> From: "Greg Stewart" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, October 19, 2000 9:49 AM
> Subject: Re: [newbie] Security Question
>
>
> > Replace the portsentry.conf KILL_ROUTE command line with the following and
> > restart portsentry:
> >
> > KILL_ROUTE="/sbin/ipchains -I input -s 128.143.40.230 -j DENY -l"
> >
> > This will insert the offending host at the top of your ipchains rules and
> > you won't have to worry about receiving another entry from them again (until
> > you reboot, or flush ipchains).
> >
> > Is your Win98 box behind the linux machine on the internet? Or does it have
> > a direct connect through a non-firewalling router?
> >
> > --Greg
> >
> >
> > ----- Original Message -----
> > From: "Daniel J. Ferris" <[EMAIL PROTECTED]>
> >
> >
> > > Portsentry reported this:
> > >
> > > Active System Attack Alerts
> > > =-=-=-=-=-=-=-=-=-=-=-=-=-=
> > > Oct 17 20:36:51 hornet portsentry[642]: attackalert: UDP scan from host: 1Cust222.tnt5.phoenix2.az.da.uu.net/63.16.193.222 to UDP port: 161
> > > Oct 17 20:36:51 hornet portsentry[642]: attackalert: Host 63.16.193.222 has been blocked via wrappers with string: "ALL: 63.16.193.222"
> > > Oct 17 20:36:51 hornet portsentry[642]: attackalert: Host 63.16.193.222 has been blocked via dropped route using command: "/sbin/route add -host 63.16.193.222 reject"
> > >
> > > Zone alarm also reported this person did a syn scan on my win 98
> > > box.  Is there anything else that I should check?
> > >
> > > I have some ipchains rules set up, that will deny most anything
> > > incoming.  But I want to be on the safe side. :-)
> > >
> > > Dan
> > >
>
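Added example, not part of the original thread: the reply at the top suggests looking up the network range with whois and denying it with a network/netmask source. This Python sketch turns a first/last address range into rules in the thread's ipchains format and shows which network a prefix denotes when it is written on an address that is not on the block boundary. The ranges are constructed sample input and the function names are this example's own.

```python
import ipaddress

IPCHAINS = "/sbin/ipchains"  # path as used in the thread


def covered_network(cidr):
    """Return the network that an address/prefix pair denotes.

    Bits below the prefix length are host bits, so an address copied from
    a log plus a prefix length may name a block that starts lower than the
    address suggests. Check this before inserting a DENY rule.
    """
    return ipaddress.ip_network(cidr, strict=False)


def cidrs_for_range(first, last):
    """Smallest list of CIDR blocks that exactly covers first..last."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range start is above range end")
    return list(ipaddress.summarize_address_range(lo, hi))


def deny_rules(first, last):
    """One rule per CIDR block, in the rule format shown in the thread."""
    return [
        f"{IPCHAINS} -I input -s {net} -j DENY -l"
        for net in cidrs_for_range(first, last)
    ]


if __name__ == "__main__":
    # The /20 that contains the address used in the thread's example rule.
    net = covered_network("216.148.218.0/20")
    print(net, "covers", net[0], "to", net[-1], f"({net.num_addresses} addresses)")

    # Constructed range that is one aligned block: a single rule results.
    for rule in deny_rules("216.148.208.0", "216.148.223.255"):
        print(rule)

    # Constructed range (documentation address space) that is not aligned:
    # a first/last pair like this needs several rules to cover it exactly.
    for rule in deny_rules("192.0.2.16", "192.0.2.79"):
        print(rule)
```

Review the printed rules before running them as root; a prefix that is too short denies far more addresses than the range whois reported.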

 