Re: HELP IIS automatically adds IP address to the deny list !!!!

From: Ahmed Ameen (ahmedameen_at_gmail.com)
Date: 11/10/04

  • Next message: Doug Massey: "Re: Secure FTP Client"
    Date: Wed, 10 Nov 2004 14:58:47 +0200
    
    

    I found the cause for my problem, its MOM 2005. it has this rule that
    is on by defult that monitors IIS logs, and automatically adds IP's of
    hosts sending hacking traffic to the IP restriction list.

    By the way I called ISS and they said they don't have this
    functionality at least not to add it in the IIS block list.

    Thanks all for ur replies

    On Wed, 10 Nov 2004 21:43:06 +1300, Hayden Searle
    <hayden.searle@safecom.co.nz> wrote:
    >
    > There are guys on this list from ISS so they will be able to tell you if
    > I am wrong here, but it could be the integration of the host sensor and
    > IIS being on the same box. With the tuning of the site protector
    > 'policy' there may well be something in there that says "automatically
    > block addresses which do x y amount of times' or something similar. This
    > could be triggered by false positives, due to lack of tuning, or it
    > could just be a setting that is resident in the host sensor if you
    > aren't running a full ISS IDS implementation.
    >
    > IS guru's please let me know if I am wrong...but if I'm right it just
    > goes to show it's a powerful product.
    >
    > If all else fails and none of the ISS guys reply log a support request
    > with them to see if they have any ideas.
    >
    > Regards
    >
    > Hayden Searle
    > Network Security Specialist
    >
    > -----Original Message-----
    > From: Ahmed Ameen [mailto:ahmedameen@gmail.com]
    > Sent: Tuesday, 9 November 2004 9:09 p.m.
    > To: security-basics@securityfocus.com
    > Subject: HELP IIS automatically adds IP address to the deny list !!!!
    >
    > Hi I have IIS 5 and ISS host sensor on it, we have been facing a
    > problem of IP's being added automatically to the "ip address and
    > domain name restriction".
    >
    > Does any one know what can be doing that ...
    >
    > --
    > Regards
    > Ahmed Ameen
    > #####################################################################################
    > Important: This electronic message and attachments (if any) are confidential
    > and may be legally privileged. If you are not the intended recipient do not
    > copy, disclose or use the contents in any way. Please let us know by return
    > e-mail immediately and then destroy this message.
    > #####################################################################################
    >

    -- 
    Regards
    Ahmed Ameen
    

  • Next message: Doug Massey: "Re: Secure FTP Client"