On Sat, Mar 29, 2003 at 08:25:18AM -0600, Jack L. Stone wrote:
> This is semi-OT, but is a FBSD firewall question.
>
> Every day, I see this in the logs:
> 65.194.51.136 - - [29/Mar/2003:00:26:47 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.133 - - [29/Mar/2003:00:26:47 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.131 - - [29/Mar/2003:00:26:49 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.135 - - [29/Mar/2003:00:26:50 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.132 - - [29/Mar/2003:00:26:52 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.134 - - [29/Mar/2003:00:26:55 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.155 - - [29/Mar/2003:00:28:24 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.156 - - [29/Mar/2003:00:29:14 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.137 - - [29/Mar/2003:00:30:45 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.154 - - [29/Mar/2003:00:34:13 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.152 - - [29/Mar/2003:00:34:21 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.151 - - [29/Mar/2003:00:34:50 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
> 65.194.51.165 - - [29/Mar/2003:00:34:52 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
>
> Question:
> At the "redalert.com" web site, they claim to be a server monitoring
> service, but I've never signed up for the service and don't want this daily
> waste of BW that appears on all of my web servers. It is annoying and I
> would like to block their network via the firewall.
>
> Based on the above, what would be the best choice of how to block the network:
> 65.194.51.?/?
>
> Thanks for any suggestions....

whois(1) is your friend. Looking up one of those IP numbers returns:

    UUNET Technologies, Inc. UUNET65 (NET-65-192-0-0-1)
                                      65.192.0.0 - 65.223.255.255
    Keynotes systems UU-65-194-51 (NET-65-194-51-0-1)
                                      65.194.51.0 - 65.194.51.255

    # ARIN WHOIS database, last updated 2003-03-28 20:00
    # Enter ? for additional hints on searching ARIN's WHOIS database.

Looking up redalert.com returns:

    Registrant:
    Internet Resources Group (REDALERT-DOM)
       2100 10-th Street Suite 500
       Plano, TX 75074
       US

       Domain Name: REDALERT.COM

       Administrative Contact:
          nic admin (NA596-ORG) [EMAIL PROTECTED]
          Keynote Systems Inc.
          777 Mariners Island Boulevard
          San Mateo, CA 94404
          US
          (650) 403-3400
          Fax- - (650) 522-1099
       Technical Contact:
          Dawson, Shaun (ELIKKIWCMI) [EMAIL PROTECTED]
          redalert.com
          2100 10-th Street Suite 500
          Plano, TX 75074
          US
          9725787406
          9724226366

       Record expires on 20-Dec-2005.
       Record created on 21-Dec-1994.
       Database last updated on 29-Mar-2003 10:25:10 EST.

       Domain servers in listed order:

       NS1.REDALERT.COM             65.194.51.16
       NS2.REDALERT.COM             209.102.202.17

and a quick check of the http://www.keynote.com/ web site indicates
that "RedAlert" is a particular service of the Keynote company.

So if you really want to block them, your most effective filter setting
would be:

    65.194.51.0/24

However, they do claim to test from three different net blocks so you
may have to ferret out their other net blocks in a similar manner.

Note that the RedAlert service appears to be quite reputable, so I'd
suggest that you try contacting their support desk and asking them to
desist before doing anything else. It's quite possible someone is
paying for their monitoring service but has managed to mistype their
network address and would be quite glad of finding out their mistake.

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
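
Added example, not part of the original thread: a Python sketch that groups access-log sources by User-Agent, computes the smallest single prefix covering the observed RedAlert.com probes, and checks it against the 65.194.51.0/24 allocation that whois reported. The function names are hypothetical, and the sample log is constructed from three of the quoted entries plus one made-up control line.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in combined log format: three entries from the quoted
# log plus one made-up browser hit (192.0.2.10) as a control.
SAMPLE_LOG = """\
65.194.51.136 - - [29/Mar/2003:00:26:47 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
65.194.51.131 - - [29/Mar/2003:00:26:49 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
192.0.2.10 - - [29/Mar/2003:00:27:02 -0600] "GET / HTTP/1.0" 200 512 "-" "Mozilla/4.0"
65.194.51.165 - - [29/Mar/2003:00:34:52 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
"""

# client, ident, user, [time], "request", status, bytes, "referer", "agent"
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def sources_by_agent(log_text):
    """Map each User-Agent string to the set of client addresses sending it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        try:
            seen[m.group(2)].add(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # first field was a hostname, not an address
    return seen

def covering_network(addrs):
    """Smallest single CIDR prefix containing every address in addrs."""
    if not addrs:
        raise ValueError("no addresses to cover")
    net = ipaddress.ip_network(str(min(addrs)))  # host route, then widen
    while max(addrs) not in net:
        net = net.supernet()
    return net

def block_candidate(log_text, agent, allocation):
    """Return (observed prefix, True if it lies inside the whois allocation)."""
    observed = covering_network(sources_by_agent(log_text)[agent])
    return observed, observed.subnet_of(ipaddress.ip_network(allocation))

if __name__ == "__main__":
    observed, inside = block_candidate(
        SAMPLE_LOG, "RedAlert.com", "65.194.51.0/24")
    print("observed sources fit in", observed)
    print("inside whois allocation 65.194.51.0/24:", inside)
```

The observed probes fit in a prefix narrower than the whois allocation, so a filter built only from log entries would not cover the rest of the /24 that whois attributes to the same organisation.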