[cobalt-security] Re: [RAQ4] Denying specific IP from DNS traffic
- Subject: [cobalt-security] Re: [RAQ4] Denying specific IP from DNS traffic
- From: "David Thacker" <Cobalt@xxxxxxxxxxxxxx>
- Date: Tue, 18 Feb 2003 13:59:03 -0700
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> > How can I block this IP from reaching my server, specifically named? Will
> > listing him in /etc/hosts.deny be effective, or will that not work because
> > named doesn't go through inetd?
>
> Back to the original question of blocking dns:
>
> You can block the attacker with ipchains:
>
> $IPCHAINS -A input -p tcp -s 211.135.200.22 -d $YOURIP 53 -j DENY
> $IPCHAINS -A input -p udp -s 211.135.200.22 -d $YOURIP 53 -j DENY
>
> replace $IPCHAINS with the path to ipchains
> and $YOURIP with your IP address
>
> This will only block DNS; to block everything from this host, remove
> the '53'.
>
>
> Regards
>
> Ian
> --
Ian, thanks for the tip. It turns out that the attacking IP is now changing
on a daily basis, so it would just turn into a cat and mouse game.
BIND is refusing these requests anyway since they are not listed in my Zone
Transfer Access list, so I guess I'll just choose to ignore them and see if
they eventually go away.
David Thacker
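
Added example, not part of either message above: since the source address changes daily, this sketch derives the per-source rules in the form Ian quoted from the name server's own refusal log lines instead of hand-editing them. The ipchains path, the server address and the BIND 9-style "zone transfer ... denied" log line shape are assumptions, and the sample log is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: ipchains path, server address,
# and a BIND 9-style "zone transfer ... denied" log line; adjust to your logs.
IPCHAINS=/sbin/ipchains      # assumed path
YOURIP=192.0.2.10            # constructed documentation address

# Succeed only for a dotted-quad IPv4 address with every octet in 0-255,
# so nothing read from a log can smuggle extra shell text into a rule.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Read log lines on stdin, print each distinct source of a denied AXFR once.
denied_sources() {
    grep 'AXFR' | grep 'denied' |
        sed -n 's/.*client \([0-9.]*\)#.*/\1/p' | sort -u
}

# Print (not run) the tcp and udp port-53 DENY rules for each valid source.
emit_rules() {
    denied_sources | while read -r ip; do
        if valid_ipv4 "$ip"; then
            for proto in tcp udp; do
                echo "$IPCHAINS -A input -p $proto -s $ip -d $YOURIP 53 -j DENY"
            done
        else
            echo "skipped malformed source: $ip" >&2
        fi
    done
}

# Constructed sample log lines (the last one carries an impossible address).
sample_log() {
    cat <<'EOF'
Feb 18 03:11:02 ns named[412]: client 211.135.200.22#3412: zone transfer 'example.com/AXFR/IN' denied
Feb 18 03:11:09 ns named[412]: client 211.135.200.22#3415: zone transfer 'example.com/AXFR/IN' denied
Feb 18 04:02:51 ns named[412]: client 198.51.100.7#1029: zone transfer 'example.com/AXFR/IN' denied
Feb 18 04:03:00 ns named[412]: client 203.0.113.5#53: query: example.com IN A
Feb 18 04:05:10 ns named[412]: client 999.1.1.1#1: zone transfer 'example.com/AXFR/IN' denied
EOF
}

sample_log | emit_rules
```

The rules are only printed, so they can be reviewed before being applied; ordinary queries such as the one from 203.0.113.5 produce no rule.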