On Sat, Mar 29, 2003 at 08:25:18AM -0600, Jack L. Stone wrote:
> This is semi-OT, but is a FBSD firewall question.
> 
> Every day, I see this in the logs:
> 65.194.51.136 - - [29/Mar/2003:00:26:47 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.133 - - [29/Mar/2003:00:26:47 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.131 - - [29/Mar/2003:00:26:49 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.135 - - [29/Mar/2003:00:26:50 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.132 - - [29/Mar/2003:00:26:52 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.134 - - [29/Mar/2003:00:26:55 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.155 - - [29/Mar/2003:00:28:24 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.156 - - [29/Mar/2003:00:29:14 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.137 - - [29/Mar/2003:00:30:45 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.154 - - [29/Mar/2003:00:34:13 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.152 - - [29/Mar/2003:00:34:21 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.151 - - [29/Mar/2003:00:34:50 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.165 - - [29/Mar/2003:00:34:52 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 
> Question:
> At the "redalert.com" web site, they claim to be a server monitoring
> service, but I've never signed up for the service and don't want this daily
> waste of BW that appears on all of my web servers. It is annoying and I
> would like to block their network via the firewall.
> 
> Based on the above, what would be the best choice of how to block the network:
> 65.194.51.?/?
> 
> Thanks for any suggestions....

whois(1) is your friend.   Looking up one of those IP numbers returns:

    UUNET Technologies, Inc. UUNET65 (NET-65-192-0-0-1)
                                      65.192.0.0 - 65.223.255.255
    Keynotes systems UU-65-194-51 (NET-65-194-51-0-1)
                                      65.194.51.0 - 65.194.51.255
    
    # ARIN WHOIS database, last updated 2003-03-28 20:00
    # Enter ? for additional hints on searching ARIN's WHOIS database.

Looking up redalert.com returns:

    Registrant:
    Internet Resources Group (REDALERT-DOM)
       2100 10-th Street Suite 500
       Plano, TX 75074
       US
    
       Domain Name: REDALERT.COM
    
       Administrative Contact:
          nic admin  (NA596-ORG)            [EMAIL PROTECTED]
          Keynote Systems Inc.
          777 Mariners Island Boulevard
          San Mateo, CA 94404
          US
          (650) 403-3400
          Fax- - (650) 522-1099
       Technical Contact:
          Dawson, Shaun  (ELIKKIWCMI)               [EMAIL PROTECTED]
          redalert.com
          2100 10-th Street Suite 500
          Plano, TX  75074
          US
          9725787406 9724226366
    
       Record expires on 20-Dec-2005.
       Record created on 21-Dec-1994.
       Database last updated on 29-Mar-2003 10:25:10 EST.
    
       Domain servers in listed order:
    
       NS1.REDALERT.COM             65.194.51.16
       NS2.REDALERT.COM             209.102.202.17
    
and a quick check of the http://www.keynote.com/ web site indicates
that "RedAlert" is a particular service of the Keynote company.  So if
you really want to block them, your most effective filter setting would
be:

    65.194.51.0/24

However, they do claim to test from three different net blocks so you
may have to ferret out their other net blocks in a similar manner.

Note that the RedAlert service appears to be quite reputable, so I'd
suggest that you try contacting their support desk and asking them to
desist before doing anything else.  It's quite possible someone is
paying for their monitoring service but has managed to mistype their
network address and would be quite glad of finding out their mistake.


-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
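
An added example, not part of the original message: it rejoins three of the quoted log entries, pulls out the sources that sent the "RedAlert.com" User-Agent, and shows why the whois allocation rather than the log-derived range is the block to filter. The function names, the constructed fourth log line and the ipfw rule form are assumptions of this sketch.

```python
import ipaddress
import re

# Three entries from the quoted post, re-joined onto one line each, plus one
# constructed non-matching line (192.0.2.10 is a documentation address).
SAMPLE_LOG = '''\
65.194.51.136 - - [29/Mar/2003:00:26:47 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
65.194.51.131 - - [29/Mar/2003:00:26:49 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
65.194.51.165 - - [29/Mar/2003:00:34:52 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
192.0.2.10 - - [29/Mar/2003:00:35:02 -0600] "GET / HTTP/1.0" 200 512 "-" "Mozilla/4.0"
'''
WHOIS_RANGE = "65.194.51.0 - 65.194.51.255"   # allocation range from the whois reply

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def sources_for_agent(log_text, agent):
    """Return the sorted set of client addresses that sent this User-Agent."""
    hits = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(2) == agent:
            hits.add(ipaddress.ip_address(m.group(1)))
    return sorted(hits)

def tightest_cover(addrs):
    """Smallest single CIDR block containing every observed address."""
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net

def range_to_cidrs(whois_range):
    """Convert a 'first - last' allocation range into exact CIDR blocks."""
    first, last = (ipaddress.ip_address(p.strip()) for p in whois_range.split("-"))
    return list(ipaddress.summarize_address_range(first, last))

def block_list(log_text, agent, whois_range):
    """Allocation blocks to filter, after checking every log source is inside."""
    addrs = sources_for_agent(log_text, agent)
    cidrs = range_to_cidrs(whois_range)
    strays = [a for a in addrs if not any(a in c for c in cidrs)]
    if strays:
        raise ValueError(f"sources outside the allocation: {strays}")
    return cidrs

if __name__ == "__main__":
    seen = sources_for_agent(SAMPLE_LOG, "RedAlert.com")
    print("log-derived cover:", tightest_cover(seen))   # narrower than the allocation
    for net in block_list(SAMPLE_LOG, "RedAlert.com", WHOIS_RANGE):
        print(f"ipfw add deny ip from {net} to any")     # assumed ipfw rule form
```

The block derived from the log entries alone is narrower than the allocation and would not cover other hosts in it, such as the NS1.REDALERT.COM address in the whois output.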


_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
