On 2 May, Bruce wrote:
> Our network is being hit by the following IP addresses in a very systematic
> fashion - i.e. stepping through our bank of IP addresses and analysing
> each of our ports.

I get it regularly - different IPs though.  The source IP is not
necessarily the originating machine - it must just be able to listen.
 
> Is anyone else receiving this attention and is there
> anything specific we should be doing about it?

I usually go: (depending on severity)
whois <ip>@arin.net
find a contact e-mail address in the record.
mail them with some timestamps and logs.

I don't frequently get a response.  But sometimes I do.  Sometimes the
system administrators are really friendly.  Sometimes I get a
form-letter.

> The following code has been cut from our IPCHAINS firewall - SuSE 6.4/2.2.14+
> 
> All advice will be gratefully received.

Try something like Abacus Portsentry - it'll add ipchains rules when
you get portscanned automatically.  Be careful though - it can be DoS.

> # REJECT/DENY access from rogue servers trying to hit us
>       ${FW} -A inppp0 -s 203.63.239.1/32    -d 0.0.0.0/0      -j DENY -l
>       ${FW} -A inppp0 -s 203.108.26.242/32  -d 0.0.0.0/0      -j DENY -l
>       ${FW} -A inppp0 -s 207.102.98.241/32  -d 0.0.0.0/0      -j DENY -l
>       ${FW} -A inppp0 -s 206.186.135.15/32  -d 0.0.0.0/0      -j DENY -l
>       ${FW} -A inppp0 -s 192.219.249.199/32 -d 0.0.0.0/0      -j DENY -l
>       ${FW} -A inppp0 -s 192.219.249.154/32 -d 0.0.0.0/0      -j DENY -l
>       ${FW} -A inppp0 -s 207.35.181.69/32   -d 0.0.0.0/0      -j DENY -l
>       ${FW} -A inppp0 -s 216.28.117.152/32  -d 0.0.0.0/0      -j DENY -l
>       ${FW} -A inppp0 -s 216.28.230.244/32  -d 0.0.0.0/0      -j DENY -l
> 
>       ${FW} -A inppp0 -s 202.9.142.162/32   -d 0.0.0.0/0      -j DENY -l
>       ${FW} -A inppp0 -s 202.31.233.57/32   -d 0.0.0.0/0      -j DENY -l
> 
>       ${FW} -A inppp0 -s 209.115.44.3/32    -d 0.0.0.0/0      -j DENY -l
>       ${FW} -A inppp0 -s 206.183.224.8/32   -d 0.0.0.0/0      -j DENY -l
>       ${FW} -A inppp0 -s 206.183.224.7/32   -d 0.0.0.0/0      -j DENY -l
>       ${FW} -A inppp0 -s 206.183.226.10/32  -d 0.0.0.0/0      -j DENY -l
> 
> Regards,
> Bruce.
> 
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-net" in
> the body of a message to [EMAIL PROTECTED]

-- 
Kind regards,                             
Berend                                  
                                        
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berend De Schouwer, +27-11-712-1435, UCS
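
Added example, not part of the original message and not Portsentry's code: it counts the distinct (destination, port) pairs each source was denied on in ipchains "-l" log lines and proposes DENY rules in the form quoted above, skipping an allowlist so that packets with a spoofed source cannot get a host you depend on blocked. The log lines, addresses, threshold and function names are constructed assumptions; the log layout follows the IPCHAINS-HOWTO.

```python
import re
from collections import defaultdict

# Layout of an ipchains "-l" log entry, per the IPCHAINS-HOWTO:
#   Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=...
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def find_scanners(lines, min_targets=4, allowlist=frozenset()):
    """Map each source to the distinct (dst, dport) pairs it was denied on,
    keeping sources at or above min_targets that are not allowlisted."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["action"] in ("DENY", "REJECT"):
            seen[m["src"]].add((m["dst"], int(m["dport"])))
    return {src: targets for src, targets in seen.items()
            if len(targets) >= min_targets and src not in allowlist}

def suggest_rules(scanners, chain="inppp0"):
    """Render candidate rules in the form used in the quoted firewall script."""
    return [f"ipchains -A {chain} -s {src}/32 -d 0.0.0.0/0 -j DENY -l"
            for src in sorted(scanners)]

def _line(src, dst, dport):
    # Constructed log line; addresses come from the documentation ranges.
    return ("May  2 10:00:01 fw kernel: Packet log: inppp0 DENY ppp0 PROTO=6 "
            f"{src}:4001 {dst}:{dport} L=44 S=0x00 I=100 F=0x0000 T=52 SYN (#1)")

SAMPLE = (
    # One source stepping through hosts and ports.
    [_line("203.0.113.7", f"192.0.2.{h}", p) for h in (1, 2) for p in (21, 23, 80)]
    # Packets carrying the address of a resolver we rely on (possibly spoofed).
    + [_line("198.51.100.53", f"192.0.2.{h}", 53) for h in (1, 2, 3, 4)]
    # A single stray packet, below the threshold.
    + [_line("203.0.113.99", "192.0.2.1", 25)]
)

if __name__ == "__main__":
    hits = find_scanners(SAMPLE, allowlist={"198.51.100.53"})
    for src, targets in hits.items():
        print(src, "probed", len(targets), "host/port pairs")
    print("\n".join(suggest_rules(hits)))
```

Without the allowlist the resolver's address crosses the same threshold as the scanner, which is the self-inflicted DoS an automatic blocker has to guard against.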
