
[cobalt-security] Re: [RAQ4] Denying specific IP from DNS traffic



> > How can I block this IP from reaching my server, specifically named? Will
> > listing him in /etc/hosts.deny be effective, or will that not work because
> > named doesn't go through inetd?
>
> Back to the original question of blocking dns:
>
> You can block the attacker with ipchains:
>
> $IPCHAINS -A input -p tcp -s 211.135.200.22 -d $YOURIP 53 -j DENY
> $IPCHAINS -A input -p udp -s 211.135.200.22 -d $YOURIP 53 -j DENY
>
> replace $IPCHAINS with the path to ipchains
> and $YOURIP with your IP address
>
> This will only block DNS; to block everything from this host, remove
> the '53'
>
>
> Regards
>
> Ian
> --


Ian, thanks for the tip.  It turns out that the attacking IP is now changing
on a daily basis, so it would just turn into a cat and mouse game.

BIND is refusing these requests anyway since they are not listed in my Zone
Transfer Access list, so I guess I'll just choose to ignore them and see if
they eventually go away.

David Thacker
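
Added example, not part of either message: since the source address changes daily, the two ipchains rules quoted above would have to be regenerated from a list each time. This POSIX sh script validates and de-duplicates such a list and prints the rules without applying them; the list contents, the destination 192.0.2.53 and the /sbin/ipchains path are assumptions.

```shell
#!/bin/sh
# Added example: prints the thread's ipchains rules; nothing is applied.
IPCHAINS=${IPCHAINS:-/sbin/ipchains}   # assumed path, as $IPCHAINS in the thread

# Succeeds only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Usage: dns_block_rules DEST_IP < list
# Reads one source address per line. Comments and blank lines are dropped,
# duplicates collapsed, invalid entries reported on stderr and skipped.
dns_block_rules() {
    dest=$1
    valid_ipv4 "$dest" || { echo "bad destination: $dest" >&2; return 2; }
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' | sort -u |
    while read -r src; do
        if valid_ipv4 "$src"; then
            for proto in tcp udp; do   # DNS uses both, as in the thread
                echo "$IPCHAINS -A input -p $proto -s $src -d $dest 53 -j DENY"
            done
        else
            echo "skipping invalid address: $src" >&2
        fi
    done
}

# Constructed sample list: the address from the thread plus made-up entries.
sample_sources() {
    cat <<'EOF'
211.135.200.22   # address named in the thread
198.51.100.7     # constructed
211.135.200.22
999.1.1.1        # constructed, invalid on purpose
EOF
}

# 192.0.2.53 stands in for $YOURIP (constructed).
sample_sources | dns_block_rules 192.0.2.53
```

Review the printed commands before running them; rules appended with -A accumulate, so re-running against an unchanged list adds duplicates to the input chain.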