
Re: how to block everything from an entire /24



Your firewall (ipchains) is denying packets. This line shows packets
coming in to the machine over eth0 from 203.167.117.88 on port 1053 (an
unprivileged port) destined for 209.61.158.13, port 80 (WWW). This would
be a normal http connection if you are running a web server on
209.61.158.13 and eth0 is the interface that connects to the Net, but you
wouldn't want your firewall blocking it. If you are not running a Web
server, this entry is a good thing.

> Apr  8 22:38:53 ickis kernel: Packet log: input DENY eth0 PROTO=6 203.167.117.88:1053
> 209.61.158.13:80 L=59 S=0x00 I=38406 F=0x4000 T=106 (#1)


These lines show packets coming in to the machine over eth0 from
203.167.117.88 on ports 1076 and 1077 (unprivileged) destined for
209.61.158.13, ports 31 and 33, which are unassigned. There is no valid
reason that someone should be trying to connect to these ports!
> Apr  8 22:38:54 ickis kernel: Packet log: input DENY eth0 PROTO=6 203.167.117.88:1076
> 209.61.158.13:31 L=48 S=0x00 I=38662 F=0x4000 T=106 SYN (#1)
> Apr  8 22:38:54 ickis kernel: Packet log: input DENY eth0 PROTO=6 203.167.117.88:1077
> 209.61.158.13:33 L=48 S=0x00 I=38918 F=0x4000 T=106 SYN (#1)

  Since you show packets coming from the same IP to numerous ports
(including ports that *no one* should be trying to connect to) I'd guess
that your machine is being probed for security holes.
  The above lines (by themselves) will not drive your load average up
(unless there are thousands of them). If I had to guess I'd say that
someone found a security hole on your system, or at least attempted to
exploit one.
  You need to *quickly* get a good book on using ipchains and set up a
firewall. If you don't understand firewalling (which is what it sounds
like, but that's OK, we've all been there), doing it without guidance can
be basically useless.

> and also, how do i block out everything coming from 203.167.117.0/24?
  ipchains -A input -i eth0 -s 203.167.117.0/24 -j DENY -l
  ipchains -A output -i eth0 -d 203.167.117.0/24 -j DENY -l
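As an added example (not part of Pete's reply), here is a small Python script that parses ipchains "Packet log:" lines like the ones quoted above, groups them by source address, reports any source that has touched several different destination ports (the pattern the reply calls a probe), and prints the same pair of ipchains rules for that source's /24. The regex, the two-port threshold and the extra 10.0.0.5 record in the sample are assumptions made for this example.

```python
import re
from collections import defaultdict

# Regex for the ipchains "Packet log:" format quoted in this thread. The
# kernel writes each record on one line; the mail client wrapped them.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample: the three records from the message, re-joined onto
# single lines, plus one unrelated record (10.0.0.5) for contrast.
SAMPLE_LOG = """\
Apr  8 22:38:53 ickis kernel: Packet log: input DENY eth0 PROTO=6 203.167.117.88:1053 209.61.158.13:80 L=59 S=0x00 I=38406 F=0x4000 T=106 (#1)
Apr  8 22:38:54 ickis kernel: Packet log: input DENY eth0 PROTO=6 203.167.117.88:1076 209.61.158.13:31 L=48 S=0x00 I=38662 F=0x4000 T=106 SYN (#1)
Apr  8 22:38:54 ickis kernel: Packet log: input DENY eth0 PROTO=6 203.167.117.88:1077 209.61.158.13:33 L=48 S=0x00 I=38918 F=0x4000 T=106 SYN (#1)
Apr  8 22:40:01 ickis kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:2000 209.61.158.13:80 L=48 S=0x00 I=1 F=0x4000 T=64 SYN (#1)
"""

def parse_log(text):
    """Yield (src, dport) for every ipchains packet-log record in text."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("src"), int(m.group("dport"))

def find_probers(text, min_ports=2):
    """Return {src: sorted dst ports} for sources that hit min_ports or
    more distinct destination ports (assumed threshold for a probe)."""
    ports = defaultdict(set)
    for src, dport in parse_log(text):
        ports[src].add(dport)
    return {s: sorted(p) for s, p in ports.items() if len(p) >= min_ports}

def block_rules(src, iface="eth0"):
    """Build the pair of ipchains rules from the reply for the /24 of src."""
    net = ".".join(src.split(".")[:3]) + ".0/24"
    return [
        f"ipchains -A input -i {iface} -s {net} -j DENY -l",
        f"ipchains -A output -i {iface} -d {net} -j DENY -l",
    ]

if __name__ == "__main__":
    for src, dports in find_probers(SAMPLE_LOG).items():
        print(f"{src} probed ports {dports}")
        print("\n".join(block_rules(src)))
```

Feed it the real log with `python3 script.py < /var/log/messages` after changing SAMPLE_LOG to `sys.stdin.read()`; review the printed rules before adding them to the firewall.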

To understand what is going on with a high load average try running top
for a snapshot of what is going on.

Pete
-- 
http://www.elbnet.com
ELB Internet Services, Inc.
Web Design, Computer Consulting, Internet Hosting
