Thread: hosts.deny

  1. #1

    hosts.deny

    Completely new stuff for me, so I have a few basic questions.

    It all started after I noticed a lot of "/w00tw00t.at.ISC.SANS.DFind:" lines in the log and found that they are random scanning by some hacker tool.

    It is suggested to block the IPs those attacks are coming from by putting the IPs in hosts.deny.

    Correct me on what I am doing wrong, as I keep seeing those scans after I've updated the deny file.

    I've edited hosts.deny like this:

    ALL: 77.68.37.242, 89.19.2.58, 80.93.210.194

    Is that correct?

    After that I restarted the sshd service, but I still see someone scanning my server from those IPs.

    What am I doing wrong?

  2. #2
    Join Date
    Mar 2009
    Location
    Chicago, IL
    Posts
    219
    They should be on individual lines, not all on one.

    However tbh, you simply can't stop these scans by using hosts.deny. It's akin to trying to stop a flood with a bucket. This sort of activity goes on 24x7x365 from hundreds of thousands of IPs and will never stop.

    You might look into something like APF/CSF firewalls which are capable of pulling a list of "known bad hosts" and blocking those right off the start in addition to quite a few other security related features.

    You'll simply go mad trying to add those all by hand.

  3. #3
    Join Date
    May 2009
    Location
    On a Speck!!!!!
    Posts
    216
    Apf with bfd is a nice option. Manually adding the IP is not practical if the attack is too high.

  4. #4
    Thank you for the quick reply.

    Those scans are from only a few IPs. Guess they are not such random scans when they all come from only a few IPs.

    Individual lines... like this?

    ALL:77.68.37.242
    ALL:89.19.2.58
    ALL:80.93.210.194

    No spaces between : and IP?

  5. #5
    Join Date
    May 2009
    Location
    On a Speck!!!!!
    Posts
    216
    Yeah, it is correct.

  6. #6
    Thank you for the help.

  7. #7
    I have added those IPs to hosts.deny, but I still see attempts coming from those IPs in the Apache error log.

    Just to ask, these are the line(s) in the Apache error log:
    [client 77.68.37.242] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind

    Those are scans with some hack tool. How dangerous is that if the server is basically just installed without any security modifications?

    And should putting those IPs in hosts.deny prevent access to the server completely, or will it still show in these logs?

  8. #8
    I'm not sure whether sshd would respond to the hosts.deny files. But you can try installing csf firewall using "csf -d Ip_address" to block IP address range.

  9. #9
    I will try with csf firewall.
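
hosts.deny is only consulted by services built against TCP wrappers, which Apache httpd is not, so the probes quoted in post #7 keep reaching the error log whatever the file contains. As an added example (not part of the thread), the script below counts DFind probes per client in an Apache error log and prints, without running them, the "csf -d" commands from post #8; the function names, the threshold and the sample log lines with their timestamps are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: find the clients behind DFind probes in an Apache error log
# and print (never run) one "csf -d" command per address for review.

# Constructed sample: the message quoted in post #7, with made-up timestamps,
# one unrelated error (192.0.2.10) and one client logged as ip:port.
sample_log() {
    cat <<'EOF'
[Mon Jun 01 10:00:01 2009] [error] [client 77.68.37.242] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Mon Jun 01 10:00:02 2009] [error] [client 77.68.37.242] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Mon Jun 01 10:00:03 2009] [error] [client 89.19.2.58] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Mon Jun 01 10:00:04 2009] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
[Mon Jun 01 10:00:05 2009] [error] [client 80.93.210.194:51234] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Mon Jun 01 10:00:06 2009] [error] [client 77.68.37.242] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Mon Jun 01 10:00:07 2009] [error] [client 80.93.210.194:51234] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
EOF
}

# dfind_clients [MIN] < error_log
# Prints "count ip" for each client with at least MIN DFind probes,
# busiest first.
dfind_clients() {
    awk -v min="${1:-1}" '
        index($0, "w00tw00t.at.ISC.SANS.DFind") &&
        match($0, /\[client [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
            # Leftmost match is the field Apache wrote, not text taken from
            # the request. Only digits and dots can get through, so the
            # value is safe to place on a command line.
            hits[substr($0, RSTART + 8, RLENGTH - 8)]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# block_commands [MIN] < error_log
# Turns that list into csf deny commands for an operator to review.
block_commands() {
    dfind_clients "${1:-1}" | while read -r count ip; do
        printf 'csf -d %s\n' "$ip"
    done
}

# Demo on the constructed sample: clients with two or more probes.
sample_log | block_commands 2
```

Against a real server, feed the live error log to `block_commands` on standard input in place of `sample_log`.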
