be - ban external

Support section for FREESCO v0.3.x

Post by syscon456 » Wed Mar 31, 2010 7:39 pm

Some script kiddie is trying to execute some code on my page from IP 118.68.252.222.
"whois" indicates it belongs to a Vietnam block: 118.68.0.0 - 118.68.255.255

So I'm trying to block everything from this IPS:
be,118.68.0.0/255.255.255.0
but I'm not sure it is working, as I've tried experimenting on blocking my external IP: 208.38.31.237
be,208.38.0.0/255.255.255.0

and I can still get through. What am I doing wrong?

Syscon

Re: be - ban external

Post by Lightning » Thu Apr 01, 2010 7:55 am

An interesting thing to know is that, depending on which log you are talking about, the IP addresses can be reversed because of a kernel issue. So it might actually be something like 118.68.252.222 is really 222.252.68.118
If you are afraid that you might make a mistake. The chances are high that you will never learn anything.

Re: be - ban external

Post by syscon456 » Thu Apr 01, 2010 8:50 am

The IP from Vietnam "118.68.252.222" I think is correct and the block could be working OK, as I did not notice any suspicious activity from this block address.

However, the second IP I was experimenting with is my own second static IP address: 208.38.31.237
It is:
TELUS Communications Inc. NET-TAC-5 208.38.0.0 - 208.38.63.255
so I was just experimenting for curiosity if it really works; I entered into "Ban/Allow IP":
be, 208.38.0.0/255.255.255.0
but it did not work, I still see the IP address in my Web-server after blocking the entire subnet.
That is why I'm asking how it works if at all :-/

-- cat /etc/restrict.cfg --

be,123.22.0.0/255.255.255.0 #
be,118.68.0.0/255.255.255.0 #
be,208.38.0.0/255.255.255.0 #

Do I need to restart anything? I don't think so.

Syscon

Re: be - ban external

Post by syscon456 » Thu Apr 01, 2010 9:34 am

Forgot to add that:
be,208.38.31.237 works OK but not:
be,208.38.0.0/255.255.255.0

Re: be - ban external

Post by Lightning » Thu Apr 01, 2010 6:53 pm

be,208.38.31.237 works OK but not:
be,208.38.0.0/255.255.255.0

You have your subnets calculated wrong for the above to work.
If you are just testing that subnet with that IP address you would use

be,208.38.31.237
be,208.38.31.0/24
be,208.38.31.0/255.255.255.0
be,208.38.0.0/16
be,208.38.0.0/255.255.0.0

All of the above will block the IP address of 208.38.31.237 and/or the extra subnets, depending on how big a block you want to block. But there are LOTS of various variations of subnets. I recommend finding a good online subnet calculator when dealing with a range of IP addresses that you want to block, to figure out the correct subnet mask.
If you are afraid that you might make a mistake. The chances are high that you will never learn anything.
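Added example, not part of the original posts and not FREESCO code: a Python check of which `be` entries from this thread actually cover a given address, and of the mask that matches a whois range. It assumes entries are matched as ordinary IPv4 network/mask comparisons; the function names are illustrative.

```python
import ipaddress

def parse_ban(line):
    """Return the network covered by a 'be,<addr>[/<mask or prefix>]' entry.

    Trailing '#' comments and a space after the comma (both seen in the
    thread) are tolerated. A bare address is treated as a single host (/32).
    """
    kind, _, spec = line.split("#")[0].strip().partition(",")
    if kind != "be":
        raise ValueError(f"not a ban-external entry: {line!r}")
    # strict=False: host bits are masked off, as in a mask comparison.
    return ipaddress.ip_network(spec.strip(), strict=False)

def is_banned(ip, entries):
    """Return the entries (possibly none) whose network contains ip."""
    addr = ipaddress.ip_address(ip)
    return [e for e in entries if addr in parse_ban(e)]

def entries_for_range(first, last):
    """Smallest list of 'be' entries (dotted-mask form) covering first..last."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [f"be,{n.network_address}/{n.netmask}" for n in nets]

# Entries as listed in /etc/restrict.cfg in the thread.
ORIGINAL = [
    "be,123.22.0.0/255.255.255.0 #",
    "be,118.68.0.0/255.255.255.0 #",
    "be,208.38.0.0/255.255.255.0 #",
]

if __name__ == "__main__":
    # 255.255.255.0 covers only x.x.0.0 - x.x.0.255, so neither address matches.
    for ip in ("208.38.31.237", "118.68.252.222"):
        print(ip, "matched by:", is_banned(ip, ORIGINAL) or "nothing")
    # Masks that cover the whole whois ranges quoted in the thread.
    print(entries_for_range("118.68.0.0", "118.68.255.255"))
    print(entries_for_range("208.38.0.0", "208.38.63.255"))
```

Under that assumption the original `118.68.0.0/255.255.255.0` entry does not cover 118.68.252.222 either; the whois range needs `255.255.0.0`.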

Re: be - ban external

Post by syscon456 » Thu Apr 01, 2010 8:11 pm

Thank you for the clarification, yes it works.
Indeed, I need some help with subnet calculation :-/

Syscon

Re: be - ban external

Post by strampke » Sun Dec 05, 2010 9:04 am

Lightning, I have a question for you.
After changing restrict.cfg, Freesco does its 11 seconds test and restarts rc_masq.
Is that correct?
But what does it test:
/etc/restrict.cfg or /boot/etc/restrict.cfg
I am asking this question because I want to be sure that a change in restrict.cfg is 'hardcoded' in Freesco.
Anyone trying to change the conf by just restarting Freesco will get the /boot/etc/restrict.cfg as /etc/restrict.cfg
Who knows knows, who doesn't doesn't.

Re: be - ban external

Post by Lightning » Sun Dec 05, 2010 2:14 pm

ALWAYS change the /etc/restrict.cfg

Even though this is the ramdisk version of the file, in this particular case the system monitors this file, and if it is changed it automatically restarts the firewall AND makes a hard copy backup at the same time. However, the hard copy backup is filtered so that all of the comments are removed and ONLY the pertinent data is kept. So if you try and manually make the backup yourself, it will cause system problems at the next reboot when the comments are added again to the same file, and you will end up with a much larger file than what is needed. The /etc/passwd file is also monitored in the same manner, so it also never needs to be manually hard copied.
If you are afraid that you might make a mistake. The chances are high that you will never learn anything.

Re: be - ban external

Post by strampke » Sun Dec 05, 2010 5:42 pm

Thanks Lightning,
Swift and precise as always.
Strampke
Who knows knows, who doesn't doesn't.

