James Marcinek wrote:
I recently had the same issue. Could you give an example of a reject rule?
This is the IP address that was used: 210.99.38.200 They tried to use the same
non-existent account. Is there some exploit out there or are they just trying to
get into a system that is not secured well? They have their FTP daemon running:
ISA Server: extended error message : 220 WOWLiNUX Paran R2 Server ready. 530
Sorry, maxium users 10 -- try again later James
Did you also contact the people who own that IP (a public school in
Korea...surprise, surprise!) and tell them that what they're doing is
bloody illegal? You should, even though they'll most likely ignore you.
To block incoming connection attempts from that address in iptables:
iptables -A INPUT -p tcp -s 210.99.38.200 --syn -j DROP
And if you want to also block UDP:
iptables -A INPUT -p udp -s 210.99.38.200 -j DROP
You might want to block the whole /26 CIDR allocation:
iptables -A INPUT -p tcp -s 210.99.38.192/26 --syn -j DROP
iptables -A INPUT -p udp -s 210.99.38.192/26 -j DROP
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer rstevens@xxxxxxxxxxxxxxx -
- VitalStream, Inc. http://www.vitalstream.com -
- -
- Better to understand a little than to misunderstand a lot. -
----------------------------------------------------------------------