Range Banning With IPSec On Windows Server
Oct 9, 2006Does anyone know how to range ban IPs using IPsec.
I can enter IPs manually but unable to ban an entire RANGE of ips
i.e. For example 172.10.10.10 - 172.1.1.999
Anyone know?
Does anyone know how to range ban IPs using IPsec.
I can enter IPs manually but unable to ban an entire RANGE of ips
i.e. For example 172.10.10.10 - 172.1.1.999
Anyone know?
I need to ban IP range and I inserted say ip 12.44.0.0 in the deny_hosts rules, this should ban range from 12.44 but strange is people from that range still be able to access my site, any idea what went wrong?
View 3 Replies View RelatedI want to stop users from country X from accessing my website, I know I can ban people's IPs but I dont know if it is possible to ban certain geographical area and if so, I haven't got a clue about how to do it.
View 8 Replies View Relatedsecure a windows server 2003 traffic.
I have one server with a small number of clients <10. The clients have dynamic IPs.
The server hosts a number of public facing websites, email, FTP and remote desktop.
What I want to do is make port 80 respond to all web requests but lock all other services down so that they only respond to my 10 clients. I was thinking some certificate or VPN solution but I've ruled VPN out as I don't have a firewall or VPN so would I be able to do this with IPSEC?
Is there quick utility that would do this or can you point me to a good example article?
Getting these emails, several a day telling me that the server is banning its own allocated IP addresses. Can someone explain what on earth it could possibly be doing to ban its own IP's?
From - Thu Dec 20 16:50:47 2007
X-Account-Key: account3
X-UIDL: GmailId116f88c2a1c060ca
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Delivered-To: myemail@gmail.com
Received: by 10.90.78.14 with SMTP id a14cs288558agb;
Thu, 20 Dec 2007 09:14:04 -0800 (PST)
Received: by 10.142.177.7 with SMTP id z7mr183490wfe.47.1198170843836;
Thu, 20 Dec 2007 09:14:03 -0800 (PST)
Return-Path: <root@host.domain.com.br>
Received: from server.domain.com.br (domain.com.br [xxx.xxx64.138])
by mx.google.com with ESMTP id m8si38592roe.1.2007.12.20.09.14.03;
Thu, 20 Dec 2007 09:14:03 -0800 (PST)
Received-SPF: pass (google.com: domain of root@server.domain.com.br designates xxx.xxx.64.138 as permitted sender) client-ip=xxx.xxx.64.138;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of root@server.domain.com.br designates xxx.xxx.64.138 as permitted sender) smtp.mail=root@server.domain.com.br
Received: from root by server.domain.com.br with local (Exim 4.68)
(envelope-from <root@server.domain.com.br>)
id 1J5OyA-0004us-63
for root@server.domain.com.br; Thu, 20 Dec 2007 15:13:39 -0200
To: root@server.domain.com.br
Subject: IP addresses banned on Thu Dec 20 15:13:39 BRST 2007
Message-Id: <E1J5OyA-0004us-63@server.domain.com.br>
From: root <root@server.domain.com.br>
Date: Thu, 20 Dec 2007 15:13:39 -0200
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.domain.com.br
X-AntiAbuse: Original Domain - server.domain.com.br
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - server.domain.com.br
Banned the following ip addresses on Thu Dec 20 15:13:38 BRST 2007
xxx.xxx64.138 with 151 connections
I have centos 4 / cpanel installed with apf / bfd yet the deny host rules for apf does not show the server IP's listed as banned.
I have a client who needs to block IP range on a windows server. However, he is using Cloud hosting from Rackspace. I guess they are not being corporative in doing so. Anyway to do this without root? Perhaps from the control panel?
When I click to Backup Manager it gives an error "Error: 'ascii' codec can't decode byte 0xc4 in position 7: ordinal not in range(128)" , now i can't reach backup properties
View 1 Replies View RelatedI must add tons of subnets (in the xxx.xxx.xxx.xxx/xx format) to the IPsec policies. I am on Windows 2003 servers.
It will take forever to add them one by one...
It's almost 500 subnets.
Is there an automation script or...?
to configure a VPN connection between two Cisco Routers.
I have the configuration in one side but for another side I have nothing.Is any one can help me about it??Another question is :are two routers need to have a valid IP or not?
Is there some way to trigger a script or send an email if someone from a specified IP or IP range (e.g. 125.125.125.%) accesses an account, or any URL on the server? Perhaps by placing something within .htaccess or httpd.conf or something of that nature.
For instance, an email "$IP is visiting the URI $REQUEST_URI" would be sent, or a PHP script that sends the email would be triggered (though in that case, I'd need some way to tell the script the IP and URI).
And in a related matter, is there any way (perhaps some existing software) to filter the access logs of an account to find all requests by a certain IP address?
Do you still have to add each port individually to Server 2008's Firewall like we did on Server 2003?
If so, will the guides that were put out for 2003 work on 2008's? I want to be sure before putting all these ports in....if I can just specify a range instead, it would be much easier!
Is it possible to use IP Security policies in Windows Server 2003 to help prevent types of DoS attacks? Today my server was attacked by a single attacker who merely connected and disconnected on open ports at an incredibly fast rate. This was enough to eat the cycles of the server processes effectively creating a DoS attack. I was hoping IPSec could help prevent this, but I'm open to use any other software as well.
View 4 Replies View RelatedI'm trying to establish a VPN server inside a Fedora 10 VPS under OpenVZ. Openswan or Poptop is preferred over OpenVPN because Windows has built-in support for these protocols.
It looks like the host node (it's actually the vps from myprohost.com) doesn't have the required kernel modules enabled(installed?). Take Poptop for example, if I run pppd after rpm installation, the output is like this:
[root@v ~]# /usr/sbin/pppd
/usr/sbin/pppd: This system lacks kernel support for PPP. This could be because
the PPP kernel module could not be loaded, or because PPP was not
included in the kernel configuration. If PPP was included as a
module, try `/sbin/modprobe -v ppp'. If that fails, check that
ppp.o exists in /lib/modules/`uname -r`/net.
See README.linux file in the ppp distribution for more details.
[root@v ~]# modprobe -v ppp
FATAL: Could not load /lib/modules/2.6.18-92.1.18.el5.028stab060.2/modules.dep: No such file or directory
And when I check for the availability of the encryption module "MPPE", I got the same result:
[root@v ~]# modprobe mppe
FATAL: Could not load /lib/modules/2.6.18-92.1.18.el5.028stab060.2/modules.dep: No such file or directory
Openswan complains about some missing kernel modules too. So what do I do? Do I tell the provider to enable these modules? Do they normally do that? Will the host node require a reboot after having done that?
What modules are required for Poptop and Openswan? And, do I need to tell them to re-enable these modules every time I rebuild my OS?
About a week ago I got logs from the server that looked like this:
unknown (200.87.116.210): 5112 Time(s)
unknown (65.111.177.212): 5005 Time(s)
unknown (bastion.fmg-kopernik.ru): 662 Time(s)
root (bastion.fmg-kopernik.ru): 657 Time(s)
I then turned on the brute force protection cPanel provides, and it went down considerably from there. I'm not concerned at all about it (since the passwords are strong), but I would like to know the best way to determine abusive users (of SSH), and the best way to ban them.
Assuming the server does not have APF installed, or any particular control panel...
How can i ban Yahoo! Slurp and its IPs using .htacces?
View 3 Replies View Relatedý'd want to ban some ip addresses and i tried use iptables. But it doesnt work so far.
what i did is:
root/sbin/ iptables -A INPUT -p tcp -s 193.93.236.0/22 -d any/0 -m state --state NEW -j DROP
as seen, i tried to ban an ip range from my box (coz of spam). But it looks that doesnt work.
What i want to do is to prevent wp spammers to post their disgraceful links to my database.
i am using centos.
my VPS provided didn't enable a lot of modules and that's why I can use a firewall(csf or apf) and dos deflate script
I need a simple script for it.
First,it has to call this:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
then there will be something like:
Number : IP address
20 1.2.3.4
40 1.2.3.5
80 1.2.3.6
and then the bash script has to bann IPs with more than 30 connections(In our case: 1.2.3.5 and 1.2.3.6) with this:
iptables -A INPUT -s IP_FOR_BLOCK -j DROP
I installed mod_security and the 403security rules on my VPS (Centos 4.1, Release version of WHM).
Several vBulletin files, including the ajax quick editor and some vbulletin.org add-ons are triggering this rule and banning members' IPs in CSF:
# Restrict witch content encodings we accept.
#
# TODO Most applications support only two encodings for request bodies
# because that is all browsers know how to produce. If you are using
# automated tools to talk to the application you may be using other
# content types and would want to change the list of supported encodings.
#
# Note though that ModSecurity parses only three content encodings:
# application/x-www-form-urlencoded, multipart/form-data request and
# text/xml. The protection provided for any other type of encoding is
# inferior.
#
# TODO There are many applications that are not using multipart/form-data
# encoding (typically only used for file uploads). This content type
# can be disabled if not used.
#
# NOTE We allow any content type to be specified with GET or HEAD
# because some tools incorrectly supply content type information
# even when the body is not present. There is a rule further in
# the file to prevent GET and HEAD requests to have bodies to we're
# safe in that respect.
#
# NOTE Use of WebDAV requires "text/xml" content type.
#
# NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports
# applications running on the PocketPC and AvantGo platforms use
# non-standard content types:
#
# M-Business iAnywhere application/x-mal-client-data
# UltraLite iAnywhere application/octet-stream
#
SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$"
"chain, t:lowercase, deny,log,auditlog,status:501,msg:'Request content encoding is not allowed by policy',id:'960010',severity:'4'"
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)"
I don't know how to decipher this rule to know if just removing it is ok, or if it is serving an important purpose. During a couple hour period it was enabled, that rule only seemed to trigger false alarms.
The above was triggered with calls such as [uri "/forums/ajax.php?do=usersearch"] and [uri "/forums/newreply.php?do=postreply&t=11057"]
What I really don't understand is that I have an .htaccess in place to turn off mod_security for the /forums directory:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
I have also had this rule triggered today when someone tried to access : ...
I've been happily banning ip's using the output from
netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1
for over a year now, with iptables. However recently, after upgrading to apache 2.2, the connections in netstat get listed as ipv6. A row can look like this for example:
tcp6 0 0 ::ffff:12.123.123.123:80 ::ffff:12.123.12.:12382 ESTABLISHED-
(actual ip addresses changed)
As you can see, the remote ip address isn't complete, it's cut off, so the script used to sum up connections and insert into iptables isnt doing anything.
Let's say when i first joined the datacenter, i'm given some 16 IPs from 123.123.123.*.
Now that i need more IPs, and they have to give me IPs from 123.123.124.*, am i right to say i need a new switch?
Now is it possible that i link up the new switch together, so that both switch can pick up any available IPs from either range?
I'm running a web server with mod_evasive and want to know how can I prevent mod_evasive from blocking the googlebot crawler ip address.
Is there a script out there that can detect this crawler and make sure its ip doesnt get blocked by iptables or mod_evasive?
am using APF firewall and am getting ddos from these range ips
4.68.25.*
8.0.4.*
8.0.5.*
how could i delete all the range from these ip's?
I set up a forum for a small group of users, so I don't really wish to see spiders or bots on it, so I've put a robots.txt file there to prevent all of them from accessing the forum pages.
I know not all bots follow the robots.txt rule, and these days a really annoying bot called MUNAXNET or Munax AB with IP range 82.99.30.0 - 82.99.30.127 is causing the forum to have extra and unexpected loads.
I've tried to block this IP range with .htaccess and uploaded it to the root of the site a few days ago, here is the content:
<Limit GET HEAD POST>
order allow,deny
deny from 82.99.30.0-82.99.30.127
allow from all
</LIMIT>
However strangely it seems that all of these are not working for this bot, today I saw my forum had 80 users online and that army still keeps coming and browsing all pages of my forums...
I tested the .htaccess with blocking myself, and it actually worked for me, dunno why it's not working for that bot..
we want a dedicated server with a full range of ip with our own company name(or with my name) and abuse mail
+ kvm and apc access
we need a good support too , for example if we want to check our hard disk the provider check it fast
Server: OS RHEL 4
Web Server: Apache1.3.37
Hi. I want to block a range of IPs. Currently, I use the following command as an effective weapon against the IPs of people I find in the log trying to do bad things.
/sbin/route add -host x.x.x.x reject
Works like a charm. I then put the offending IP in the file /etc/rc.d/rc.local so that it will reload the bad ips when the server reboots next.
I also use the CSF/LFD firewall, and it successfully blocks single, offensive IPs also.
What I need, though, is the ability to block an entire range of IPs. For example, i have a very persistent hacker trying to access from a certain range like so....
255.155.x.x.
The last two numbers are always changing but the first two remain the same.
How do I block this "range" of IPs from accessing my server?
Note, I know how to block a range of IPs in a .htaccess file for a certain account, I put this in the .htaccess file...
deny from 205.196.
But when I try this with /sbin/route, it will not accept the ip. My firewall will also not accept a range of IPs.
Is there any way to block all and just allow certain IP using APF or iptables?
I want to block all the traffic to the server and just alow IP range.
I am getting my quote back Tuesday but need a little bargaining power with these guys...
Oakland, Ca datacenter
40mbps, 20A, 42U rack.
What should I be looking at price range here, how much per mbps?
Only info I've seen is from 2003 where people were saying $200/mbps. Obviously prices have come WAY down. I've seen people on here reselling internap bandwidth for $12/mbps, but they might have bought a huge commit.
i have 2 range ip
range 1 is : 111.111.111-119
range2 is : 222.222.222-229
how may i add both range?
i can add for one range,but about 2 rage i can`t
from 36 hours we have really critical issue:
we have 3 server with Liquidweb that have problem to "resolve" a server locate in Italy
Email sent from server with LW to Italy server is not sent and stay in queue.
We try to force delivery and error is:
Message 1Je39R-0000wk-3N is not frozen LOG: MAIN
cwd=/usr/local/cpanel/whostmgr/docroot 4 args: /usr/sbin/exim -v -M
1Je39R-0000wk-3N delivering 1Je39R-0000wk-3N Connecting to italyserver.com
[**.**.**.**]:25 ... failed: Connection timed out (timeout=5m) LOG: MAIN
italyserver.com [**.**.**.**]:25 Connection timed out LOG: MAIN
== email@italyserver.com R=lookuphost T=remote_smtp defer (110): Connection
== timed out
--
We have check, there aren't problem with port and firewall
All seesm ok, for all server
We have try to restart exim, reboot, ..
Emails don't start from 3 server LW to 1 in Italy
We have try to ping from server LW the Italian server and the problem is the same, found IP but 100% packet lost..
If we ping from 3 server LW a IP of server that is "over" the server IT is all ok
The problem seems only with single IP
So, we have try to send from server in Italy to 1 of 3 server under LW.. same problem
------
Message 1JeSBO-0003CD-HO is not frozen LOG: MAIN
cwd=/usr/local/cpanel/whostmgr/docroot 4 args: /usr/sbin/exim -v -M
1JeSBO-0003CD-HO delivering 1JeSBO-0003CD-HO Connecting to
mail.serverlw.it [**.**.***.**]:25 ... failed: Connection timed out
(timeout=5m) LOG: MAIN mail.serverlw.it [**.**.***.**] Connection
timed out LOG: MAIN
== email@serverlw.it R=lookuphost T=remote_smtp defer (110):
== Connection timed out
------
LW support not have suggest solutions and also Italian support not have idea of problem solution
we want a dedicated server with a full range of ip with our own company name(or my name) and our own abuse e-mail address
+ kvm and apc access
we need a good support too , for example if we want to check our hard disk the provider check it fast
any body know anywhere to provide this services with a good price?
I would like to use different Class C IP ranges across my domains for better cross linking. Of course, all domains are closely related to a particular niche.
I am currently on imountain.com, they have been extremely helpful and good. But wondering if same host can provide me different class C IP range?
want to confirm this before i order a new server from them.
or should i just go for another hosting provider? wondering anyone as good as imountain?