var sidebar_align = 'right';
var content_container_margin = parseInt('350px');
var sidebar_width = parseInt('330px');
Completely new stuff for me so i have a few basic questions.
It all started after i've noticed a lot "/w00tw00t.at.ISC.SANS.DFind:" lines in log and after i've found they are random scanning by some hacker tool.
It is suggested to block IP's from where those attacks is comming by putting IP+s in host.deny.
Correct me what i am doing wrong as i keep seeing those scans after I've updated deny file.
I've edited hosts.deny like this:
ALL: 188.8.131.52, 184.108.40.206, 220.127.116.11
That is correct?
After that i've restarted sshd service but i still someone scanning my server from those IP's.
What i am doing wrong?
They should be on individual lines, not all on one.
However tbh, you simply can't stop these scans by using hosts.deny. It's akin to trying to stop a flood with a bucket. This sort of activity goes on 24x7x365 from hundreds of thousands of IPs and will never stop.
You might look into something like APF/CSF firewalls which are capable of pulling a list of "known bad hosts" and blocking those right off the start in addition to quite a few other security related features.
You'll simply go mad trying to add those all by hand.
Apf with bfd is a nice option. Manually adding the IP is not practical if the attack is too high.
Thank you for quick reply.
Those scans are from only a few IP's. GUess it is not so random scans when they all come from only a few IP's.
Idividual lines..like this?
No spaces between : and IP?
I have added in host.deny those IP's but i still see attempts coming from those IP's in appache error log.
Just ot ask, this is those line(s) in appache error log:
[client 18.104.22.168] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
That is scans with some hack tool. How dangerous is that if server is basically just installed without any security modifications?
And, putting those IP's in host.deny shoudl prevent access to server completely or it still will show in these logs?
I'm not sure that if sshd would respond to the hosts.deny files. But you can try installing csf firewall using "csf -d Ip_address" to block Ip address range.
I will try with csf firewall.
By SI-Chris in forum Hosting Security and Technology
Last Post: 08-04-2007, 06:04 PM
By infernus in forum Dedicated Server
Last Post: 12-29-2004, 04:22 PM
By Mexico Joe in forum Hosting Security and Technology
Last Post: 12-25-2002, 05:06 PM
By Andrew Pakula in forum Dedicated Server
Last Post: 08-20-2001, 07:07 PM
By Andrew Pakula in forum Web Hosting
Last Post: 08-19-2001, 05:06 PM
Tags for this Thread