Re: deny access
From: John R. Morris (jrmorris_at_nerdality.com)
Date: Thu, 25 Nov 2004 22:22:04 -0500
To: Carlos Garcia <firstname.lastname@example.org>
Carlos Garcia wrote:
> Newbie question: how can I block this IP 18.104.22.168? I have a Cisco
> 7200. This IP is trying to send mail with my server. I did not
> configure the router, so I don't know how to do this. Any help?
> Carlos A. Garcia G.
> Cabonet Staff
> Tel (624) 14 30120

From your question, I gather that:
A> You have a 7200, so this is a business presumably and not home?
B> You didn't configure it, and don't know much about Ciscos or IOS.

If A & B are true, don't mess with the router. Whatever is problematic
about this situation will not be made better by "fixing" the router.
If A is wrong and it's your home router, by all means, feel free to play
with it and learn, after assuring you have adequate reference material
downloaded & saved locally, and the first thing to learn is how to copy
the config off to a TFTP server.
Further googling on Cisco IOS & ACL will be of help.
You could also add a static route to that ip using the route command,
but that's not the right way to implement this, as traffic inbound from
that ip will still arrive (responses will just get misrouted).
Definitely implement enough ACL on your router to at least prevent
spoofed IPs and other bogus address-space (you can add a deny for this
host there if you wish).
You may also want to consider host-based firewalls (iptables, etc.) for
your mail server; it's pretty easy to block an IP on a given host.
Finally, don't use your router as a firewall. While it's appropriate to
use ACL for ingress/egress filtering of invalid addresses and such, and
if you squint, lower port numbers or blocking access to an NFS server or
such, if you find yourself doing a lot of this, you need a firewall in
addition to a router. Firewalls are much more powerful and useful in
doing this than your router, including stateful inspection and so forth.
Thirdly, if your mail server is *allowing* someone to send mail that has
no legitimate reason to be sending mail, you don't just need to block
their IP, you need to fix your mail server to not be an open relay.
Otherwise, if they are just hammering your bandwidth/server definitely
block the IP at the router or host level, whichever is easier.
If you just quickly want to stop someone from that IP sending mail
through your server:
Do this (OS really doesn't matter, the syntax might vary a bit) from a
shell or command prompt on that server:
Windows: route add 22.214.171.124 MASK 255.255.255.255 <your server IP here>
*Windows is messed up that way, on most other OSes you can route to
Unix/Linux: route add -host 126.96.36.199 127.0.0.1
Then, after that, proceed to look into more useful forms of host
firewalls, fixing your mailer's open relay if that is what's the root
problem, etc. Feel free to post a more detailed account of what's wrong
and folks on here will try to point you in the right direction. That
null route will at least alleviate the immediate problem, if they are
using TCP to talk to your mail server (25/TCP is pretty standard so I
would think so), and allow you to proceed.
Well, I'm headed back to the turkey and television now.
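
Added example, not part of the original message: a sketch of the kind of ingress ACL the reply describes (anti-spoofing entries plus a deny for one host), in Cisco IOS syntax. The ACL name, the interface, the host 203.0.113.25 and the local prefix 198.51.100.0/24 are constructed placeholders, not values from the thread.

```cisco
! Constructed example. All names and addresses below are assumptions.
! Save the running config off-box (e.g. to a TFTP server) before editing.
!
ip access-list extended INGRESS-FILTER
 remark Single abusive host (placeholder address)
 deny   ip host 203.0.113.25 any
 remark Sources that should never arrive from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 remark Anti-spoofing: our own prefix must not appear as an outside source
 deny   ip 198.51.100.0 0.0.0.255 any
 remark Everything else passes; filtering by service belongs on a firewall
 permit ip any any
!
! Apply inbound on the upstream-facing interface (interface name assumed).
interface Serial1/0
 ip access-group INGRESS-FILTER in
```

Unlike a null route on the mail server, this drops the host's packets before they reach the server at all. The trailing permit keeps the ACL an ingress filter rather than a firewall policy.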