Article:   Filtering IDS Packets
Subject:   ip still in weblog after filtering
Date:   2005-09-03 01:49:31
From:   nbox
using a filtering system built in to my hosting account which offers allow or deny to these operations HTTP FTP POP SMTP Other .
i denied all of these operations from an ip of
219.150.118.16


others include:
219.150.128.202
219.150.128.98
219.150.129.14
64.4.195.62
69.50.179.217
165.254.12.100 - to name a few



but after denying 219.150.118.16 and the others
i still see this ip showing in my weblogs coming from various domains. the latest being
http://www.cafexml.com/texas-holdem-poker.html
http://www.cafexml.com/free-poker-games.html
and other spawn pages off the same domain
yesterday it was same ip but different domain name http://www.page-not-found.net/something
i used a trace route program to get some of the other ip's. but if i continue i am afraid i might block some desirable traffic to my website
like a hop ip or something.
any help ??


also that cleaned up filter talk about
-nXvs 0 tcp and host 192.168.1.100
was interesting. i was thinking of sticking that in my .htaccess file but then realized i would not be able to read the information it gave. i am on a linux system

  • ip still in weblog after filtering
    2005-09-03 06:16:28  don_parker

    Hi there,

    I think you may be confusing BPF filters with IP Tables syntax. Per your post here it sounds as if you are trying to use BPF filters to deny or allow traffic to your webserver. This will not work as BPF filters are for packet collection, and not for filtering IP's as it pertains to website access. Does this clarify?

    Cheers,

    Don
    • ip still in weblog after filtering
      2005-09-03 17:25:14  nbox

      hi, will this line of code go in my htaccess file?

      iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx -j REJECT --reject-with tcp-reset

      if i want to block access?

      i just didn't understand when i added a 'new rule' to block that ip address via the linux gui
      why it still showed up in the log file.
      do the ip's still show up in the log when they are set to be denied all access? could it be a spoofed ip?
      • ip still in weblog after filtering
        2005-09-04 11:48:42  don_parker

        Hi there,

        I am afraid that my IP Tables rule syntax is rusty due to lack of use, and I am not completely sure of your setup either. Due to that I would prefer not to give what could be potentially bad advice. Perhaps you could state the entire issue, and all the variables, i.e. using Apache v2.x.x and all the other details.
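
An added example, not part of the thread or any poster's code: one way to check what the access log records for addresses on a deny list. It assumes Apache's combined log format; the log lines, addresses (RFC 5737 documentation ranges) and host names are constructed. A 403 means the web server refused the request and still logged it, while a connection rejected by a packet filter such as iptables never reaches the web server and leaves no entry.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample log (documentation addresses, made-up hosts).
SAMPLE_LOG = """\
203.0.113.16 - - [03/Sep/2005:01:40:02 +0000] "GET / HTTP/1.1" 403 210 "http://spam.example/a.html" "Mozilla/4.0"
203.0.113.16 - - [03/Sep/2005:01:41:10 +0000] "GET / HTTP/1.1" 403 210 "http://spam.example/b.html" "Mozilla/4.0"
198.51.100.7 - - [03/Sep/2005:01:42:55 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://other.example/x" "Mozilla/4.0"
192.0.2.44 - - [03/Sep/2005:01:43:12 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is malformed and is skipped
"""

# Addresses the operator believes are blocked (constructed).
DENYLIST = {"203.0.113.16", "198.51.100.7", "203.0.113.99"}


def audit(log_text, denylist):
    """Summarise status codes and referers logged for each denied address."""
    report = {ip: {"statuses": defaultdict(int), "referers": set()} for ip in denylist}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["ip"] not in denylist:
            continue
        entry = report[m["ip"]]
        entry["statuses"][int(m["status"])] += 1
        if m["referer"] != "-":
            entry["referers"].add(m["referer"])
    for entry in report.values():
        codes = set(entry["statuses"])
        if not codes:
            entry["verdict"] = "absent"             # no request reached the web server
        elif codes == {403}:
            entry["verdict"] = "denied-but-logged"  # refused by the server, still logged
        else:
            entry["verdict"] = "still-served"       # at least one request was not refused
    return report


if __name__ == "__main__":
    for ip, entry in sorted(audit(SAMPLE_LOG, DENYLIST).items()):
        print(ip, entry["verdict"], dict(entry["statuses"]), sorted(entry["referers"]))
```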