Banning an IP
I've been getting massive requests from an anonymous IP, but not through Apache; it is coming through port 1900 (see my post here about SSDP requests).
How can I block this IP from accessing my server altogether? I know how to keep them out of Apache, but not from the server wholly.
Thanks
mairving posted this at 21:59 — 28th October 2002.
They have: 2,256 posts
Joined: Feb 2001
You can add them to your /etc/hosts.deny file. Just make sure that your hosts.allow is set to all, then you can specify an IP to deny in hosts.deny.
Here is an article that may help you on the port:
Port 1900
Mark Irving
I have a mind like a steel trap; it is rusty and illegal in 47 states
nike_guy_man posted this at 22:46 — 28th October 2002.
They have: 840 posts
Joined: Sep 2000
I've seen that article about 200 times now, in asking for help.
How could a Windows file be attacking my Linux system??
hagar posted this at 23:33 — 28th October 2002.
They have: 104 posts
Joined: Oct 2002
Any machine can attack any other machine existing on a network; the platforms aren't that important. What's more interesting is that you said this is getting past your router...
Now, SSDP on port 1900 uses UDP and TCP; do you have both protocols blocked? Port 5000 is also a port associated with UPnP in TCP/UDP, which should also be blocked specifically. Port 1901 is a Fujitsu ICL Terminal Emulator Program connection port (fjicl-tep-a), which is rather weird that it's trying to connect to you.
This is the info I gathered at MS (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-054.asp) about their vulnerability, which I have no idea HOW it could KILL a Red Hat box (other than packet flood), but here it is FYI anyway:
A vulnerability results because the UPnP service does not correctly handle certain types of invalid UPnP requests. On Windows 98, 98SE, and ME systems, receiving such a request could cause a variety of effects ranging from slow performance to system failure. On Windows XP, the effect is less serious as the flaw consists of a memory leak. Each time a Windows XP system received such a request, a small amount of system memory would become unavailable; if repeated many times, it could deplete system resources to the point where performance slowed or stopped altogether.
If your server is seriously getting bombarded, this might be some form of poorly executed Denial of Service attack ('cause the attack doesn't know you are using a non-MS boxen). It isn't killing the server 'cause it isn't vulnerable, but it will obviously slow your connection bandwidth. You been angering script kids lately?
This might also perhaps be a very eager port scan across your IP range? Your ISP might have more info.
"I’ll make thee glorious by my pen, And famous by my sword." - James Graham, Marquess of Montrose (1612–1650)
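Added example, not part of any post in this thread: a small POSIX shell script that prints, for review, the iptables rules for the two suggestions above (drop one source address entirely, and drop ports 1900 and 5000 on both UDP and TCP) plus the matching hosts.deny entry. hosts.deny is only consulted by services built with TCP wrappers, so it does not stop packets arriving on UDP port 1900, which is why the packet-filter rules are shown alongside it. The address 192.0.2.10 is a constructed documentation address and the function names are hypothetical.

```shell
#!/bin/sh
# Emits rules as text only; nothing is applied, so it runs without root.

# Return 0 only for a dotted-quad IPv4 address with each octet in 0-255.
# Rejecting anything else keeps stray characters out of the generated rules.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rule that drops every packet from one source address.
block_ip_rules() {
    valid_ipv4 "$1" || { echo "refusing invalid address: $1" >&2; return 1; }
    echo "iptables -I INPUT -s $1 -j DROP"
}

# Print rules dropping ports 1900 and 5000 on both UDP and TCP, any source.
block_upnp_rules() {
    for proto in udp tcp; do
        for port in 1900 5000; do
            echo "iptables -A INPUT -p $proto --dport $port -j DROP"
        done
    done
}

# Print the hosts.deny entry (covers TCP-wrapped services only).
hosts_deny_line() {
    valid_ipv4 "$1" || return 1
    echo "ALL: $1"
}

BAD_IP=192.0.2.10        # constructed sample address
block_ip_rules "$BAD_IP"
block_upnp_rules
hosts_deny_line "$BAD_IP"
```

Review the printed rules before running them as root; they are not persistent across reboots unless saved with the distribution's own mechanism.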
nike_guy_man posted this at 23:53 — 28th October 2002.
They have: 840 posts
Joined: Sep 2000
I'll continue this thread over at http://www.webmaster-forums.net/showthread.php?s=&threadid=19503 as it pertains to that more.
hagar posted this at 23:57 — 28th October 2002.
They have: 104 posts
Joined: Oct 2002
lol this issue is getting hard to follow:)