[BlueOnyx:04451] Re: {6.3 Re: Re: can't stop this attack

Chuck Tetlow chuck at tetlow.net
Tue May 11 12:26:26 -05 2010


> > ------- End of Original Message ------- 
> I have this rule in iptables, but had no affect 
> DROP       all  --  213.80.73.45        213.80.73.45 
> I also has him in hosts.deny 
> 
> I finally used the route to stop him 
> /sbin/route add -host 213.80.73.45 reject 
> suggested by both Ken Marcus and Larry Smith. 
> That did stop him 
------- End of Original Message -------

The reason your Iptables firewall rule didn't work - I think you had it in wrong.

From your output above - it appears you had it in dropping all packets FROM 213.80.73.45 that were going TO 213.80.73.45.  Since traffic doesn't go through your box to get TO that address - it didn't match anything and had no effect.  You must have the rule set to drop packets FROM 213.80.73.45 and TO anything.  That way, nothing from that address will get into your box - no matter what IP it's addressed to.

And as I mentioned, too many times I've blocked a single IP - to have hacking attempts start again from a neighboring IP.  It's not unusual for multiple machines to be exploited in a company, or to have someone with access to multiple machines misuse them.  So I always block the entire /24 network by default.

The rule I suggested should have worked:

/sbin/iptables -I acctin 1 -s 213.80.73.0/24 -j DROP

That would insert a rule at the top of the inbound packet table (acctin) that drops all packets sourced from the network 213.80.74.0/24 (213.80.73.0->213.80.73.255).

Chuck
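An added example, not part of Chuck's message or of the BlueOnyx code: a small POSIX shell audit that scans `iptables -S` style rule lines for DROP rules whose source and destination are the same single host (the mistake discussed above, which never matches inbound traffic) and builds the corrected source-only rule. The sample rule lines are constructed; only the `acctin` chain name and the 213.80.73.x addresses come from the thread, the 10.0.0.5 line is made up.

```shell
#!/bin/sh
# Added example (not from the original post). Audits iptables -S style output
# for DROP rules with identical -s and -d: for traffic arriving at this box
# such a rule matches nothing, so the "block" silently does nothing.

# Constructed sample of `iptables -S` output (not a real capture).
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 213.80.73.45/32 -d 213.80.73.45/32 -j DROP
-A acctin -s 213.80.73.0/24 -j DROP
-A INPUT -s 10.0.0.5/32 -d 10.0.0.5/32 -j DROP'

# Print "<chain> <source>" for every DROP rule whose -s and -d are the same.
find_self_matching_drops() {
  printf '%s\n' "$1" | awk '
    /-j DROP/ {
      src = ""; dst = ""; chain = "";
      for (i = 1; i <= NF; i++) {
        if ($i == "-A") chain = $(i + 1);
        if ($i == "-s") src = $(i + 1);
        if ($i == "-d") dst = $(i + 1);
      }
      if (src != "" && src == dst) print chain, src;
    }'
}

# Count the broken rules found (trailing whitespace from wc stripped).
count_self_matching_drops() {
  find_self_matching_drops "$1" | wc -l | tr -d ' '
}

# Build the corrected rule for a chain and source network, as in the post:
# no -d, so packets from that source are dropped whatever their destination.
block_source_rule() {
  printf '/sbin/iptables -I %s 1 -s %s -j DROP\n' "$1" "$2"
}

# Usage: list the rules that will never match, then show the rule to use instead.
find_self_matching_drops "$SAMPLE_RULES"
block_source_rule acctin 213.80.73.0/24
```

Run `iptables -S` (or `iptables-save`) and feed the output to `find_self_matching_drops` to check a live box; the corrected rule is inserted at position 1 so it is evaluated before any accept rules in the chain.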
