Re: Question about blocking IP's
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Fri, 30 Dec 2005 19:32:51 -0600
On 30 Dec 2005, in the Usenet newsgroup comp.os.linux.networking, in article
<1135981420.368650.18990@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, yas_chan wrote:
>Host 172.88.88.88 has been blocked via wrappers with string: "All:
>172.88.88.88"
I have to assume that's a munged address, because there are only three
blocks in 172.0.0.0 to 172.255.255.255:
172.16.0.0 - 172.31.255.255 RFC1918 private address space
172.128.0.0 - 172.191.255.255 AOL
172.192.0.0 - 172.216.255.255 AOL
That's it! There are NO other valid addresses in that area.
>Do you think so?
No. There is one and only one line that goes in /etc/hosts.deny:
ALL: ALL
Read the man page for hosts_access - the syntax is 'man 5 hosts_access'.
/etc/hosts.allow is consulted BY THOSE APPLICATIONS THAT USE tcp_wrappers
(not all do) and by those compiled to use libwrap (not all are). If access
is permitted here, access is granted, and that's that. If access is NOT
granted, the /etc/hosts.deny file is checked. If access is denied, then
the host is blocked. IF ACCESS IS NOT DENIED, THEN ACCESS IS GRANTED BY
DEFAULT. Note that /etc/hosts.deny is NOT checked if access is allowed
by /etc/hosts.allow. Do your blocking by not ALLOWING the entire world
access in /etc/hosts.allow OR block addresses in your firewall.
>Also in my var/log/messages there are lines like:
>
>Attackalert: TCP/SYN/Normal scan from host: xx.xx.xx.xx to TCP port: 143
Whoopie!!! Sounds exactly like a freakin windoze "personal firewall".
Port 143 is IMAP - are you running an IMAP server? If not, the port is
closed by default, and the zombies can probe all day and not get in.
Try using the command 'netstat -tupan' and see what you've got flapping
in the breeze waiting to be exploited.
>Attackalert: host: xx.xx.xx.xx has been blocked via dropped route using
>command:
>"/usr/local/bin/iptables -I INPUT -s xx.xx.xx -j DROP"
I'd be VERY careful about automatically adding host addresses to a firewall
script, lest someone use 'nmap -D ip.addr.of.ur.dns' and let you shoot your
own foot automatically. Read the man page for nmap if you don't understand
what that command does.
>Also the hosts.deny file seems growing larger in time. Does portsentry
>add the IP addresses to hosts.deny file? Please explain a little the
>basics.
See the man page for PortSentry - yes, you are setting yourself up for a
problem. See the Security-Quickstart-HOWTO for some smarter clues.
Old guy
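As an added example that is not part of Moe Trin's post: a small POSIX shell model of the hosts.allow / hosts.deny order he describes (a match in hosts.allow grants and stops, then hosts.deny is checked, and no match anywhere grants by default). It is not tcp_wrappers itself and handles only ALL, exact IPv4 addresses and dotted prefixes ending in "."; the daemon names, sample files and addresses below are constructed for the demo.

```shell
#!/bin/sh
# Added example, not tcp_wrappers: a simplified model of the hosts_access(5)
# decision order. Only "daemon_list : client_list" lines with ALL, exact
# IPv4 addresses and dotted prefixes ending in "." (e.g. "192.168.1.") are
# handled; EXCEPT, hostnames, netmasks and option fields are not modelled.

# match_token PATTERN VALUE -> 0 if PATTERN covers VALUE
match_token() {
    pat=$1; val=$2
    [ "$pat" = "ALL" ] && return 0
    case "$pat" in
        *.) case "$val" in "$pat"*) return 0 ;; esac; return 1 ;;
    esac
    [ "$pat" = "$val" ]
}

# list_matches "a, b, c" VALUE -> 0 if any comma-separated token covers VALUE
list_matches() {
    list=$1; val=$2
    oldifs=$IFS; IFS=','
    for tok in $list; do
        tok=$(printf '%s' "$tok" | tr -d '[:space:]')
        if match_token "$tok" "$val"; then IFS=$oldifs; return 0; fi
    done
    IFS=$oldifs
    return 1
}

# file_matches FILE DAEMON CLIENT -> 0 if some rule line in FILE matches
file_matches() {
    file=$1; daemon=$2; client=$3
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                     # strip comments
        case "$line" in *:*) ;; *) continue ;; esac
        dlist=${line%%:*}
        clist=${line#*:}
        if list_matches "$dlist" "$daemon" && list_matches "$clist" "$client"; then
            return 0
        fi
    done < "$file"
    return 1
}

# wrap_decide DAEMON CLIENT ALLOWFILE DENYFILE -> prints ALLOW or DENY
wrap_decide() {
    daemon=$1; client=$2; allow=$3; deny=$4
    if file_matches "$allow" "$daemon" "$client"; then
        echo ALLOW; return 0                 # hosts.deny is never consulted
    fi
    if file_matches "$deny" "$daemon" "$client"; then
        echo DENY; return 1
    fi
    echo ALLOW; return 0                     # no match anywhere: granted by default
}

# Constructed demo: "block one host in hosts.deny" versus "allow what you
# need in hosts.allow, ALL: ALL in hosts.deny". Addresses are made up.
demo() {
    d=$(mktemp -d)
    : > "$d/allow.weak"
    printf 'ALL: 172.88.88.88\n' > "$d/deny.weak"
    printf 'sshd: 192.168.1., 127.0.0.1\n' > "$d/allow.hard"
    printf 'ALL: ALL\n' > "$d/deny.hard"
    for c in 172.88.88.88 203.0.113.9 192.168.1.20; do
        printf 'sshd from %-14s weak=%s hardened=%s\n' "$c" \
            "$(wrap_decide sshd "$c" "$d/allow.weak" "$d/deny.weak")" \
            "$(wrap_decide sshd "$c" "$d/allow.hard" "$d/deny.hard")"
    done
    printf 'imapd from 192.168.1.20 hardened=%s\n' \
        "$(wrap_decide imapd 192.168.1.20 "$d/allow.hard" "$d/deny.hard")"
    rm -rf "$d"
}
demo
```

With the "weak" pair, every address except the one listed falls through to the default grant; with the "hardened" pair, only sshd from the listed prefix gets in and imapd from the same host is still refused by ALL: ALL.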
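Also added here, and not code from the post or from PortSentry: a guard in front of the automatic "iptables -I INPUT -s ... -j DROP" the log line shows, so that a decoyed scan (nmap -D) cannot make the box drop its own resolver or gateway. The never-block list, the resolv.conf parsing, the DRY_RUN switch and the sample addresses are my assumptions for the demo.

```shell
#!/bin/sh
# Added example: sanity checks before auto-blocking a scanner-reported
# address. Scan sources can be spoofed (nmap -D), so the "attacker" may be
# your own DNS server or gateway. Assumptions: the operator keeps
# NEVER_BLOCK_EXTRA (gateway, monitoring hosts, ...) and resolvers are read
# from a resolv.conf-style file; DRY_RUN=1 only prints the command.
NEVER_BLOCK_EXTRA=${NEVER_BLOCK_EXTRA:-"127.0.0.1"}
RESOLV_CONF=${RESOLV_CONF:-/etc/resolv.conf}

# never_block_list -> one address per line that must never be auto-blocked
never_block_list() {
    printf '%s\n' $NEVER_BLOCK_EXTRA
    [ -r "$RESOLV_CONF" ] && awk '$1 == "nameserver" { print $2 }' "$RESOLV_CONF"
    return 0
}

# is_ipv4 STRING -> 0 only for four decimal octets 0..255 (no shell
# metacharacters can sneak through into the iptables command line)
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# safe_block IP -> 0 if the block was applied (or printed under DRY_RUN),
# 1 if refused. Refuses non-IPv4 strings and never-block addresses and
# does not stack duplicate rules on repeated alerts.
safe_block() {
    ip=$1
    if ! is_ipv4 "$ip"; then
        echo "refuse: '$ip' is not an IPv4 address" >&2; return 1
    fi
    for p in $(never_block_list); do
        if [ "$p" = "$ip" ]; then
            echo "refuse: $ip is on the never-block list" >&2; return 1
        fi
    done
    rule="-s $ip -j DROP"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: iptables -I INPUT $rule"
        return 0
    fi
    if iptables -C INPUT $rule 2>/dev/null; then
        echo "already blocked: $ip"
        return 0
    fi
    iptables -I INPUT $rule
}

# Constructed demo (DRY_RUN so nothing on this machine is changed):
# a real-looking scanner, the assumed gateway, and a garbage address.
demo() {
    DRY_RUN=1
    NEVER_BLOCK_EXTRA="127.0.0.1 192.0.2.1"     # 192.0.2.1: assumed gateway
    for cand in 203.0.113.9 192.0.2.1 999.1.1.1 "10.0.0.1; rm -rf /"; do
        safe_block "$cand" || true
    done
}
demo
```

The point is not the exact list but that the decision to add a firewall rule is made by something that knows which addresses the host depends on; a scanner alert on its own does not.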