Re: IPSEC not blocking specific IP address per Ethereal
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/18/05
- Next message: Steven L Umbach: "Re: Strange DNS problem"
- Previous message: Alfredo: "IPSEC not blocking specific IP address per Ethereal"
- In reply to: Alfredo: "IPSEC not blocking specific IP address per Ethereal"
- Next in thread: Duane Arnold: "Re: IPSEC not blocking specific IP address per Ethereal"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 18 Apr 2005 16:19:45 -0500
Try to block it from a specific IP address that you have and then see if
that works blocking that IP address. Use telnet to verify that port is open
or not. It may take a reboot to refresh the ipsec policy. Not always, but I
have seen that to be the case before. You can also use netdiag to see the
filters that the computer is currently using as in [ netdiag /test:ipsec
/debug ]. --- Steve
"Alfredo" <alfredo@KILL_SPAM_megapath.net> wrote in message
news:4264152b.621719565@news.megapath.net...
> Win2k advanced server, updated service packs, IP sec with a few pinholes
> for some daemons, port blocking working well per GRC's "Shields UP",
> etc.
>
> However, when I try to block a specific IP address by using IPSEC, the
> packets get through anyway according to my ethereal sniffer which is
> running on the same machine. I have added a very specific filter
> against those IPs but ethereal still shows their packets getting in past
> the front door.
>
> (At least that's what I think is happening, it could be that ethereal is
> capturing the packets before IPSEC gets to block them, which would be
> worrisome because that would certainly be an exploitable
> vulnerability.)
>
> The hacker (a worm, really) is attacking ports 139 and 445. The packets
> come in but my machine does not respond, probably because the port
> blockers are working. Yes, I am blocking specific ports rather than
> "everything else", I have my reasons, it's temporary, please ignore this
> idiosyncrasy, the filter against this IP is specific enough that IPSEC
> should match it and block it.
>
> Anyway when I try to block this specific IP from sending any packets at
> all, it's as if the filter didn't do any work whatsoever. Ethereal
> shows the evil packets coming in as they please.
>
> Here is how I have configured IPSec:
> IP FILTER LISTS:
> httpd allow
> smtpd allow
> other daemons allow
> VulnerablePorts block
> evil ips block
>
> EVIL IPS: (only 1 ip is "evil" right now)
> Mirrored: yes
> Description: ips known to be evil
> Protocol: (I've tried both ANY and TCP)
> Source Port: ANY
> Dest Port: (I've tried ANY and 445 and 139)
> Source DNS name: A specific IP addr
> Source Address: aaa.bbb.ccc.ddd (the specific worm's IP)
> Source Mask: 255.255.255.255
> Destination DNS: Any IP address
> Destination Address: (Tried both "My IP Addr" and "Any IP addr")
> Destination Mask: 0.0.0.0
>
> I then click OK all the way out so all IPSEC and MMC windows are closed,
> but Ethereal shows the packets still flooding in from that IP.
>
> Any ideas, tips, tricks, and rumors greatly appreciated. Thanks!
>
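Steve's point above is that the filter is judged by whether the host answers, not by what Ethereal shows, since the sniffer captures below the IPSec driver. The following Python snippet is an added illustration, not code from the thread or from Windows: it models the "evil ips" filter from Alfredo's post (source host mask 255.255.255.255, any destination, mirrored) against a constructed capture, using made-up addresses (192.0.2.10 as "My IP", 203.0.113.7 standing in for aaa.bbb.ccc.ddd), and reports the block as effective only when no reply leaves the host.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

MY_IP = "192.0.2.10"  # constructed stand-in for "My IP Address" in the policy


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: str = ""


@dataclass(frozen=True)
class Filter:
    src: str
    src_mask: str
    dst: str
    dst_mask: str
    proto: str = "ANY"
    sport: Optional[int] = None   # None means "ANY"
    dport: Optional[int] = None
    mirrored: bool = True


def _in_range(addr: str, net: str, mask: str) -> bool:
    # Same test the filter's address/mask pair expresses: mask 255.255.255.255
    # pins one host, mask 0.0.0.0 matches every address.
    a, n, m = (int(IPv4Address(x)) for x in (addr, net, mask))
    return (a & m) == (n & m)


def matches(f: Filter, p: Packet) -> bool:
    # A mirrored filter covers the packet and its reverse (reply) direction.
    def one_way(src, dst, sport, dport):
        return (_in_range(src, f.src, f.src_mask) and _in_range(dst, f.dst, f.dst_mask)
                and f.proto in ("ANY", p.proto)
                and f.sport in (None, sport) and f.dport in (None, dport))
    return one_way(p.src, p.dst, p.sport, p.dport) or (
        f.mirrored and one_way(p.dst, p.src, p.dport, p.sport))


def blocked_effectively(capture: List[Packet], f: Filter, my_ip: str = MY_IP) -> bool:
    # Inbound packets from the blocked source will appear in the capture either
    # way; the block is working when the host sends nothing back to that source.
    inbound = [p for p in capture if matches(f, p) and p.dst == my_ip]
    replies = [p for p in capture if matches(f, p) and p.src == my_ip]
    return bool(inbound) and not replies


# The "evil ips" filter from the post, with the constructed worm address.
EVIL_IPS = Filter(src="203.0.113.7", src_mask="255.255.255.255",
                  dst=MY_IP, dst_mask="0.0.0.0", proto="ANY", mirrored=True)

# Constructed captures: worm probes 445/139; an unrelated web client is answered.
CAPTURE_BLOCKED = [
    Packet("203.0.113.7", MY_IP, "TCP", 3310, 445, "S"),
    Packet("203.0.113.7", MY_IP, "TCP", 3311, 139, "S"),
    Packet("198.51.100.2", MY_IP, "TCP", 40000, 80, "S"),
    Packet(MY_IP, "198.51.100.2", "TCP", 80, 40000, "SA"),
]
CAPTURE_LEAKING = CAPTURE_BLOCKED + [Packet(MY_IP, "203.0.113.7", "TCP", 445, 3310, "SA")]
```

Feeding a real Ethereal export through the same check (source, destination, ports per frame) answers the question in the post directly: packets still showing up is expected, a SYN-ACK or RST back to the worm's address is not.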