Re: Utility to automate updating list of IP Address to Deny Access

From: Douglas Martin (dsmrtn_at_pacbell.net)
Date: 06/06/03


Date: Thu, 5 Jun 2003 15:39:37 -0700


I appreciate your advice. I run a little self-educational
lab, I have a firewall, and just enough ports open to do
what I need to do. I have resisted (for no good reason)
changing from the default port 80. Port 80 is getting
hit, and it appears they haven't gotten into anything yet,
and it looks like most of the children try once or twice
and quit. A couple are persistent little boys and these I
want to filter out.

I know how to read my logs interactively to identify the
problem kids and create a distinct list of IPs that aren't
already on the list that I want to add to the list of
those denied, and I was just going to automate the process
as most of the activity occurs in the wee hours of the
morning.

doug
>-----Original Message-----
>I really am not sure this sort of thing [active response]
>is a great idea.
>First, doing this in IIS instead of the firewall does
>nothing to prevent attacks on the other 65,000 TCP and UDP
>ports. Second, doing this arguably does little to improve
>your security, since presumably you are looking for attacks
>that are already known and have been patched by you in some
>way. Third, you can start having problems with legitimate
>people being blocked... which on some sites can turn into
>loss of sales or other negative impressions of your
>organization on the part of someone valuable to your
>organization. Fourth, by the time you discover and block
>future inbound attempts, sufficient malware or a non-IIS
>related session might already be present to permit
>continued control of your server.
>
>
>"Douglas Martin" <dsmrtn@pacbell.net> wrote in message
>news:07f701c32b6c$6ecbfaf0$a001280a@phx.gbl...
>>
>> >-----Original Message-----
>> >On Wed, 4 Jun 2003 20:45:30 -0700, Douglas Martin wrote:
>> >
>> >> I'm running IIS6 and am getting a fair amount of
>> >> hackers hitting my little server. They are not getting
>> >> in, but I don't like the persistence of some of these
>> >> folks.
>> >>
>> >> I trimmed my httperr1.log file to a distinct list of
>> >> IPs I want to add, but I was hoping there is a utility
>> >> that I can use to batch these up, or maybe some objects
>> >> to call from within VBS or something?
>> >>
>> >> The GUI Wizard just isn't going to do it for me.
>> >>
>> >> Also, what is the performance penalty for having a lot
>> >> of entries in the list of IP addresses to search for
>> >> denying access?
>> >>
>> >> regards,
>> >>
>> >> doug
>> >
>> >Something like this?
>> >http://www.iisfaq.com/default.aspx?View=A136
>> >
>> >--
>> >
>> >Alessandro Perilli
>> >Security Consultant / Trainer
>> >
>> >MCT - MCSE 2000 - LINUX+
>> >CCSI - CCSE 2000 - CCSE+ NG
>> >CCNA - CIWP - CIWSA - CCA XP
>> >SECURITY+
>> >.
>> >
>>
>> Yes, ummm, something like that - actually exactly like
>> that. I did a few searches looking for this, but must not
>> have used the right keywords. Thank you.
>>
>> doug
>
>
>.
>
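The log-trimming step Doug describes (read httperr1.log, keep only the persistent offenders, drop the addresses that are already on the deny list) as an added example; this is not code from the thread or from the iisfaq article. It assumes the HTTP.sys error log is W3C-style, with a "#Fields:" header naming the columns and a c-ip column for the client address; the sample log lines, the existing deny list, the THRESHOLD for "persistent", the "Timer_" reason prefix used to skip idle-connection entries, and the "ip, mask" output format are all constructed assumptions for illustration. Writing the result into the IIS metabase (the IIsIPSecurity part the iisfaq link covers) is not shown.

```python
"""Select persistent offenders from an IIS 6 httperr*.log that are not yet denied.

Added example, not code from the original post. Assumptions (all labelled):
  * the log is W3C-style: a '#Fields:' header names the columns, one of them c-ip
  * entries whose s-reason starts with 'Timer_' are idle-timeout noise, not probes
  * the existing deny list is a list of IPs or CIDR strings
  * 'persistent' means at least THRESHOLD rejected requests from one address
"""
import ipaddress
from collections import Counter

THRESHOLD = 2  # assumed cut-off: try once and quit is ignored, two or more is blocked

# Constructed sample of an HTTP.sys error log; the entries are made up and the
# column layout is assumed from the #Fields header, not copied from a real file.
SAMPLE_LOG = """\
#Software: Microsoft HTTP API 1.0
#Version: 1.0
#Date: 2003-06-05 02:11:07
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2003-06-05 02:11:07 203.0.113.7 1422 198.51.100.10 80 HTTP/1.0 GET /scripts/root.exe?/c+dir 404 1 URL -
2003-06-05 02:11:09 203.0.113.7 1423 198.51.100.10 80 HTTP/1.0 GET /MSADC/root.exe?/c+dir 404 1 URL -
2003-06-05 02:11:12 203.0.113.7 1424 198.51.100.10 80 HTTP/1.0 GET /c/winnt/system32/cmd.exe?/c+dir 404 1 URL -
2003-06-05 02:40:51 192.0.2.55 3377 198.51.100.10 80 HTTP/1.1 GET /default.ida?XXXX 400 1 BadRequest -
2003-06-05 03:02:33 198.51.100.200 2001 198.51.100.10 80 - - - - - Timer_ConnectionIdle -
2003-06-05 03:15:02 203.0.113.9 1100 198.51.100.10 80 HTTP/1.0 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 404 1 URL -
2003-06-05 03:15:03 203.0.113.9 1101 198.51.100.10 80 HTTP/1.0 GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir 404 1 URL -
"""

# Constructed existing deny list: one host already blocked, one private range.
EXISTING_DENY = ["203.0.113.9", "10.0.0.0/8"]


def parse_httperr(text):
    """Return one dict per entry, keyed by the column names from the #Fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log entry appears before the #Fields header")
        values = line.split(None, len(fields) - 1)
        if len(values) != len(fields):
            continue  # truncated or malformed entry: skip rather than mis-assign columns
        rows.append(dict(zip(fields, values)))
    return rows


def count_offenders(rows, ignore_reason_prefix="Timer_"):
    """Count rejected requests per client address, skipping idle-timeout entries."""
    counts = Counter()
    for row in rows:
        ip = row.get("c-ip", "-")
        reason = row.get("s-reason", "-")
        if ip == "-" or reason.startswith(ignore_reason_prefix):
            continue
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address we can deny
        counts[ip] += 1
    return counts


def already_denied(ip, existing):
    """True if ip is covered by any entry (host or CIDR) of the existing deny list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in existing)


def new_denies(counts, existing, threshold=THRESHOLD):
    """Addresses at or above the threshold that are not yet on the deny list."""
    picked = [ip for ip, n in counts.items()
              if n >= threshold and not already_denied(ip, existing)]
    return sorted(picked, key=ipaddress.ip_address)


def to_ipdeny_entries(ips):
    """Render single-host entries as 'ip, mask' strings (assumed deny-list format)."""
    return [f"{ip}, 255.255.255.255" for ip in ips]


if __name__ == "__main__":
    rows = parse_httperr(SAMPLE_LOG)
    for entry in to_ipdeny_entries(new_denies(count_offenders(rows), EXISTING_DENY)):
        print(entry)
```

Against the constructed sample this selects 203.0.113.7 (three probes) and leaves out 192.0.2.55 (one try), 198.51.100.200 (idle timeout only) and 203.0.113.9 (already denied). Reading the column names from the #Fields header instead of hard-coding positions is what keeps the script from silently picking the wrong column if the log's field list changes.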