This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Irritating portscanner...

Hi all,
For the last 3 weeks, I have a very irritating person who's scanning my ports 4 times a day!
I know ASG will drop the packets but I want to block his IP permantly!
In iptables there's an option to drop his connection. Is it possible to disable his IP to access the firewall? If so, how do I do this?

in the meanwhile: Everyone: HAPPY NEW YEAR !!!

This thread was automatically locked due to age.

Parents

0 Hsinan over 15 years ago

Hi all,

I have same problem, but my post is here with different topic:

https://community.sophos.com/products/unified-threat-management/astaroorg/f/54/t/39504

Is that possible to do it in terminal? For example, I don't want to open Web
Admin and shell access from WAN, so the way I want to do is from my IDS inside LAN, and automatically block it via:

/usr/sbin/iptables -A INPUT -s 222.122.161.197 -j DROP

In such case above, I don't even need to add them manually from WedAdm, or modify it from WAN. Just not quite sure if this is really a good idea.

Thanks,

Hsinan
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Hsinan over 15 years ago

Hi all,

I have same problem, but my post is here with different topic:

https://community.sophos.com/products/unified-threat-management/astaroorg/f/54/t/39504

Is that possible to do it in terminal? For example, I don't want to open Web
Admin and shell access from WAN, so the way I want to do is from my IDS inside LAN, and automatically block it via:

/usr/sbin/iptables -A INPUT -s 222.122.161.197 -j DROP

In such case above, I don't even need to add them manually from WedAdm, or modify it from WAN. Just not quite sure if this is really a good idea.

Thanks,

Hsinan
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 stuartbe over 15 years ago in reply to Hsinan

Hiya.

My problem is not blocking this wally, Its stopping him from setting of the IDS 20 times a day.

I would just do what I have done for the moment and create a DNAT rule or a PF rule / or both bo block trafic from him.

Its hard to tell if this is actualy someone scanning or an infected machine, It does seem to change its attack patterns and methods. I have had probes on other services as well as port scans. In one attack the guy/machine was trying my SQL and HTTP for PHP flaws.

NB you can use the bulk ip block as I do already. There are plenty of hosts files that in the right format can be imported, Be aware however that the web GUI will slow right down and sometimes hang, I would recomend importing them block by block.

Any one from Astaro got any ideas aside from switching of email notification on my ASG ?
Cancel
Vote Up 0 Vote Down

Cancel
0 stuartbe over 15 years ago in reply to stuartbe

This is now becoming a pain, I have had to turn off email notification on the IDS. I as well as hundreds of other people have reported this guy HERE

There must be a way to stop this blacklist this IP, I have reported this to my ISP and despite working closely with them there is little I can do.

Hoping for an answer real soon.

BTW I have tryed the DNAT to a fake internal IP and PF rules, Both work to block the trafic but dont stop 20-30 IDS email alerts every day.
Cancel
Vote Up 0 Vote Down

Cancel