Thread: hosts.deny
-
07-16-2009, 06:54 PM #1 Newbie
- Join Date: Jun 2007
- Posts: 22
hosts.deny
Completely new stuff for me, so I have a few basic questions.
It all started after I noticed a lot of "/w00tw00t.at.ISC.SANS.DFind:" lines in the log and found that they are random scanning by some hacker tool.
It is suggested to block the IPs where those attacks are coming from by putting the IPs in hosts.deny.
Correct me on what I am doing wrong, as I keep seeing those scans after I've updated the deny file.
I've edited hosts.deny like this:
ALL: 77.68.37.242, 89.19.2.58, 80.93.210.194
Is that correct?
After that I restarted the sshd service, but I still see someone scanning my server from those IPs.
What am I doing wrong?
-
07-16-2009, 07:10 PM #2 Junior Guru
- Join Date: Mar 2009
- Location: Chicago, IL
- Posts: 219
They should be on individual lines, not all on one.
However tbh, you simply can't stop these scans by using hosts.deny. It's akin to trying to stop a flood with a bucket. This sort of activity goes on 24x7x365 from hundreds of thousands of IPs and will never stop.
You might look into something like APF/CSF firewalls, which are capable of pulling a list of "known bad hosts" and blocking those right off the start, in addition to quite a few other security-related features.
You'll simply go mad trying to add those all by hand.
-
07-16-2009, 07:18 PM #3 Junior Guru
- Join Date: May 2009
- Location: On a Speck!!!!!
- Posts: 216
APF with BFD is a nice option. Manually adding the IP is not practical if the attack is too high.
-
07-16-2009, 07:21 PM #4 Newbie
- Join Date: Jun 2007
- Posts: 22
Thank you for the quick reply.
Those scans are from only a few IPs. Guess they are not such random scans when they all come from only a few IPs.
Individual lines... like this?
ALL:77.68.37.242
ALL:89.19.2.58
ALL:80.93.210.194
No spaces between : and IP?
-
07-16-2009, 07:27 PM #5 Junior Guru
- Join Date: May 2009
- Location: On a Speck!!!!!
- Posts: 216
Yeah, it is correct.
-
07-16-2009, 07:28 PM #6 Newbie
- Join Date: Jun 2007
- Posts: 22
Thank you for the help.
-
07-17-2009, 06:16 AM #7 Newbie
- Join Date: Jun 2007
- Posts: 22
I have added those IPs in hosts.deny, but I still see attempts coming from those IPs in the Apache error log.
Just to ask, these are the lines in the Apache error log:
[client 77.68.37.242] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
Those are scans with some hack tool. How dangerous is that if the server is basically just installed without any security modifications?
And should putting those IPs in hosts.deny prevent access to the server completely, or will it still show in these logs?
-
07-17-2009, 07:06 AM #8 Support Facility
- Join Date: Jun 2009
- Posts: 2,335
I'm not sure if sshd would respond to the hosts.deny files. But you can try installing csf firewall, using "csf -d Ip_address" to block an IP address range.
-
07-17-2009, 07:14 AM #9 Newbie
- Join Date: Jun 2007
- Posts: 22
I will try with csf firewall.
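
Added example, not written by anyone in this thread: a shell script that counts the DFind probe lines per client IP in an Apache error log and prints one "csf -d" command for each client at or above a threshold. The function names, the threshold and the sample log lines (documentation-range addresses in the format quoted in post #7) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: summarise DFind probe lines from an Apache error log.
# Reads the log on stdin; nothing is blocked, commands are only printed.

PROBE='/w00tw00t.at.ISC.SANS.DFind'

# Constructed sample lines (documentation-range addresses, not real hosts).
sample_log() {
    cat <<'EOF'
[Fri Jul 17 06:10:01 2009] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Fri Jul 17 06:10:07 2009] [error] [client 203.0.113.5] File does not exist: /var/www/html/favicon.ico
[Fri Jul 17 06:11:13 2009] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Fri Jul 17 06:12:40 2009] [error] [client 198.51.100.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Fri Jul 17 06:14:02 2009] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
EOF
}

# dfind_counts: stdin -> "COUNT IP" lines, busiest client first.
dfind_counts() {
    awk -v probe="$PROBE" '
        # Accept only well-formed dotted quads before they reach a command line.
        function valid(ip,   o, i) {
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
            split(ip, o, ".")
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) return 0
            return 1
        }
        # Only lines that carry the probe path; "[client " is 8 characters.
        index($0, probe) && match($0, /\[client [0-9.]+/) {
            ip = substr($0, RSTART + 8, RLENGTH - 8)
            if (valid(ip)) n[ip]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# dfind_block_cmds MIN: stdin -> one "csf -d IP" line per client
# with at least MIN probe lines (MIN is an assumed threshold).
dfind_block_cmds() {
    dfind_counts | awk -v min="$1" '$1 >= min { print "csf -d " $2 }'
}

# Demo on the constructed sample; on a server, pipe the real error log in.
sample_log | dfind_block_cmds 2
```

Apache httpd does not consult hosts.deny, so entries there do not change what appears in its error log. The printed commands are meant to be reviewed before being run as root.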