Re: Windows 2000 IPSec Not Blocking Traffic
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 09/23/04
- Next message: Steven L Umbach: "Re: Content Advisor - major problem"
- Previous message: Steven L Umbach: "Re: Missing security tab"
- In reply to: Phil Murnane: "Windows 2000 IPSec Not Blocking Traffic"
- Next in thread: Phil Murnane: "Re: Windows 2000 IPSec Not Blocking Traffic"
- Reply: Phil Murnane: "Re: Windows 2000 IPSec Not Blocking Traffic"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 23 Sep 2004 03:49:47 GMT
I have never added that many addresses to a rule and don't know if there is a limit
or not. What you could try is to delete five or so old entries to see if that makes a
difference and then maybe unassign and then assign the policy again. Another thing to
try is to create a new identical rule in your policy with a different name to see if
there is a possible limit that may apply to a rule but not a policy. Also look in
Event Viewer for any errors and run the netdiag support tool to test ipsec as in
"netdiag /test:ipsec /debug" to see if it reports a problem. --- Steve
"Phil Murnane" <pjmurnane@yahoo.com> wrote in message
news:1052ac4d.0409221301.573e15af@posting.google.com...
> Folks:
>
> I'm running Windows 2000 Server SP4 (with all critical updates from
> windowsupdate.microsoft.com), and am having a strange problem with
> IPSec -- at least Network Monitor says I am.
>
> I run IIS, and every day I check the http & ftp logs for attacks on my
> server. When I find one, I add the attacker's IP address to the IP
> Filter List in my policy, which is set to Block. Windows disregards
> the packets from then on, and all is well. I've been doing this for
> about a year with no problems.
>
> Today I tried to block IP address 213.222.11.228, but according to
> Network Monitor, I'm still sending/receiving TCP data to/from this
> address. I tried replacing the specific IP address with an entry to
> block the whole subnet, but that didn't help.
>
> Anyone have a guess as to what's going on? Is there perhaps a maximum
> number of entries permitted in an IP Filter List? Does any malicious
> code exist out there that defeats Windows IPSec?
>
> According to ARIN, 213.222.11.228 is RIPE Network in Amsterdam, which
> has always been a hotbed of malicious activity in my experience, so
> I'm kind of anxious to get this traffic stopped.
>
> This is what my IPSec policy looks like:
>
> IPSec Policy Name: Default
> Policy Assigned: Yes
>
> "Default" Properties:
> Rules Tab:
> IP Filter List: Hackers
> Filter Action: Block
> Authentication: Preshared Key (I've tried changing the PSK, but no
> improvement)
> Tunnel Setting: None
> Connection Type: All
> General Tab:
> [everything at windows defaults]
>
> Rule Properties:
> IP Filter List: Hackers (contains hundreds and hundreds of addresses)
> Filter Action: Block (contains security method: Block)
> Authentication Methods: Preshared Key
> Tunnel Setting: This rule does not specify an IPSec tunnel
> Connection Type: All network connections
>
> Sample IP Filter List entry:
> Addressing Tab:
> Source Address: A specific IP address
> IP Address: www.xxx.yyy.zzz
> Subnet Mask: 255.255.255.255
> Destination Address: Any IP address
> Mirrored: [selected]
> Protocol Tab:
> Protocol: Any
>
> Thanks In Advance for Any Help,
> --Phil
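Added example, not part of either message in this thread: a small Python model of the rule Phil describes (Source = a specific address with a subnet mask, Destination = Any, Mirrored, Protocol = Any), run against a constructed "Hackers" filter list. It checks two things a defender would want before blaming the IPSec driver: whether a given address is covered by any entry at all, and whether an entry's mask silently covers a different range than the address typed into it. The entries below are constructed for illustration; only 213.222.11.228 comes from the thread.

```python
import ipaddress

# Constructed sample of the "Hackers" IP Filter List: (IP address, subnet mask)
# exactly as they appear on the Addressing tab of each filter entry.
FILTER_LIST = [
    ("213.222.11.228", "255.255.255.255"),  # single host, as added in the thread
    ("213.222.11.0", "255.255.255.0"),      # whole-subnet variant also tried
    ("10.1.2.3", "255.255.255.0"),          # constructed: host bits set under a /24 mask
]


def entry_network(ip, mask):
    """Turn an (IP, mask) filter entry into the range it actually matches.
    strict=False mirrors the way the snap-in accepts an address whose host
    bits are set under the chosen mask."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def entry_is_sloppy(ip, mask):
    """True when the address has host bits set under its mask, i.e. the entry
    blocks a range the operator probably did not intend (e.g. 10.1.2.3/24
    really means 10.1.2.0/24)."""
    return entry_network(ip, mask).network_address != ipaddress.ip_address(ip)


def packet_blocked(src, dst, filters=FILTER_LIST):
    """Apply the rule as configured: a Mirrored filter with Destination = Any
    matches a packet when either its source or its destination falls inside
    the entry's range, regardless of protocol or port."""
    src_addr, dst_addr = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ip, mask in filters:
        net = entry_network(ip, mask)
        if src_addr in net or dst_addr in net:
            return True
    return False


def matching_entries(addr, filters=FILTER_LIST):
    """Every entry that covers addr; an empty list means the address is not on
    the list at all, so the policy cannot be expected to block it."""
    a = ipaddress.ip_address(addr)
    return [(ip, mask) for ip, mask in filters if a in entry_network(ip, mask)]


def sloppy_entries(filters=FILTER_LIST):
    """Entries whose mask does not line up with the address typed into them."""
    return [(ip, mask) for ip, mask in filters if entry_is_sloppy(ip, mask)]
```

Running matching_entries() over every address taken from the IIS logs, and sloppy_entries() over the whole list, confirms the list itself is correct before you go looking for a per-rule limit or a driver problem.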