Security :: Block Certain Crafted Packets With IP Tables Before Reaching A Server?
Mar 14, 2011
Battlefield 2 server being attacked by packets that creates infinite loop, then when a player disconnects, server crash.
The packets seems to be always the same.....
Attacker Script: [URL]
Script in action:
[Code].....
I need to find a way to block these 4 packets (i think theyre 4 for what i tested) with IP TABLES.
EDIT: There seem to be other different replies, maybe 1 different but no more.... maybe you can find something useful in the script.
View 3 Replies
ADVERTISEMENT
Jun 8, 2011
My VPS host a mail, blog and web site. So i want to block port i not use. The port that i use is 80,21,2022,443. The other port will be drop. I want to block bad packet and all packet that not related. Can anyone how to write in iptables?
View 2 Replies
View Related
Dec 3, 2010
using layer 7 filtering how to block the ftp packets?..
In My router i am going to add a below rule.... iptables -A OUTPUT -m layer7 --l7proto tcp --dport 20 -j DROP
above statement will it work in my router?.
View 1 Replies
View Related
Sep 6, 2010
I'm noodling around with Ubuntu 10.4.1, latest updates and kernel (2.6.32.24?).Anyway, I run ClamAv as root and it goes fine through almost all of my system (huge amount of it), including several virtual devices, where it hangs on pan0, which has some association with my network (eth0 would be for wired connection, and wlan0 for wireless, and pan0 is listed also, but I'm not at that machine right now, so I can't tell why it shows up. wlan0 is what I use to connect to the internet).Is there an issue for clamAV with virtual devices? Any workaround? I had to terminate the scan after it stayed hung for over 5 minutes on pan0.
View 6 Replies
View Related
Jul 9, 2010
I want to block a domain name in sendmail server. I added the domain name and "REJECT"in /etc/mail/access file. What has to be done for the changes to take effect? when i run make command in /etc/mail dir i get following error : make: Nothing to be done for `all'.
View 1 Replies
View Related
Mar 24, 2011
i am using RHEL 5. i configured proxy server. now i want block one website.
View 2 Replies
View Related
Aug 26, 2009
I want to block some ip address that are attacking my server and making my ssh port busy. On searching the google, I found
Code:
iptables -A INPUT -s ip_address -j DROP
I will add this rule in iptables. My questions are:
1) do I have to do
Code:
chkconfig iptables on
so that it load the iptables at boot. I am wondering why do I need this because iptables is already modified and it loads the iptables at boot time if firewall is enabled.
2) When we add the above rule, which file is modified? Another way, where are this rules stored? It is not in /etc/sysconfig/iptables and /etc/sysconfig/iptables_config.
View 1 Replies
View Related
Jun 23, 2009
securing VNC connections by tunneling the connection over SSH. However, from the server perspective it will still allow an unsecured connections and you're relying on the client to setup up the SSH tunneling. Is there a way to configure the Linux server to now allow connection over an unsecured channel?
View 4 Replies
View Related
Aug 30, 2010
i need to write a program in c that can sniff packets from Ethernet and distinguish RTP packets from Non-RTP packets, i have no idea what should i do
View 9 Replies
View Related
Aug 17, 2010
I am having a web server (apache) and 3 sites are hosted in it, named as www.web1.com,www.web2.com and www.web3.com.
I need to restrict www.web2.com to Internet users and allow only to local network. At same time I need to allow www.web1.com and www.web3.com to both Internet and LAN users.
View 2 Replies
View Related
Mar 1, 2011
We have 4 servers having rhel 5.2. We have several users logged in on one of them. We have nis server/client running on them and have common home area mounted on all of them. Now we want to disable/block the accounts of the users who have not accessed our servers in last 2 months from today.What logic should we apply to do so? We were checking stat of .bashrc of each user but is not correct logic. We are going to write shell script for the same. We dont want to do anything in users home area or their files.
View 11 Replies
View Related
Jul 22, 2010
I have setup a squid server on Rhel5.4. I would like to know how I can configure my squid server to block anon proxy sites.
View 3 Replies
View Related
May 15, 2010
I have a problem as following: "using iptables to prevent IP spoofing".
View 4 Replies
View Related
Mar 13, 2010
We have an internal application which takes below 10% cpu usage normally. However sometimes it hit above 85% or more (and stays there) causing the server to become very slow. Currently we have to monitor this manually, kill the process and manually start it.
command / script that will kill the process (using pid will be the best option as i think) when it reaches 85% or higher
(I saw another question that suggested to use monit but I have to get this done using the standard commands available in the current installation - RHEL5)
View 1 Replies
View Related
May 16, 2011
How do I redirect all the UDP traffic on port 27016 of my current dedicated server to a new IP port 27015 using IP tables?
View 1 Replies
View Related
Apr 7, 2010
I have a Belkin N router setup with a virtual server to port 80 to 192.168.2.2 which my server sits on.
However, for some reason, I can get to the server from other PC's on the Router, but from outside, it will not port to the Server?
Any ideas on how to setup this?
I have Windows Webserver 2008 installed running on a 3.0GHZ Server.
View 2 Replies
View Related
Apr 30, 2011
i dont know why packets dropped? and something else what are those numbers for default policy in [] means?this is rules:
Code:
# Generated by iptables-save v1.4.4 on Sun May 1 00:09:57 2011
*mangle
[code]....
View 9 Replies
View Related
Sep 1, 2010
I setup a SSH server on my computer on a very high port, so that my brother could surf the web through my computer from Iran, since the majority of websites are filtered there.
Today, he told me he cannot connect to my computer. That's why, I got suspicious that they are doing packet based filtering instead of port. Then I decided to change the port to 433 for https, but one of my friend told me that they just banned https in Iran as well.
I was wondering if there's any way I can manipulate SSH packets between two computers so that my brother's ISP won't figure out he's exchanging SSH packets?
View 2 Replies
View Related
Dec 17, 2010
My machine is trying to communicate with another computer. I�ve blocked the traffic with this machine with iptables (input and output traffic), but I want to find the origin of this traffic. There�re 90% of probabilities it�s a trojan, and I want to find it.I have logged the packets with iptables (and then dropped), but with this I don�t know the proccess source.I�ve tried with netstat -o, but I don�t get nothing.How can I see the Process source (i.e. the PID) of this traffic?The traffic are TCP packets, with SYN flagged active (my machine is trying to establish a connection with that IP).
View 9 Replies
View Related
Oct 18, 2010
I am trying to figure out what command to use to show the number of DROPPED and INVALID packets that the firewall is handling.I'm going to put these commands into a log analyzer script which will run every 15 minutes with cron. The firewall is running and operating the way I want it to. I'm running CentOS 5.4.
View 2 Replies
View Related
Apr 6, 2011
i have configured racoon (ipsec tunnel) between 2 hosts and i am afraid of unencrypted ICMP which appears in TCPDUMP logs. There ale also encrypted ESP packets. Is this result of wrong racoon configuration?
172.16.220.133
Code:
[root@localhost ~]# cat /etc/racoon/racoon.conf
# racoon.conf
path pre_shared_key "/etc/racoon/psk.txt" ;
remote anonymous
[Code]...
View 1 Replies
View Related
May 3, 2010
I keep finding packets that appear to be whois on port 44. they appear to originate from me to whois.arin.net (2 packets each time) and 199.212.0.43 (also 2 packets each time) when I put 199.212.0.43 in the URL box it says "Failure To Connect To Web Server". when I whois it it says:
Quote:
Available at [url] And yes, I did get the same packets when I used whois. Why is my computer randomly whoising stuff?
View 3 Replies
View Related
Jul 17, 2009
In my network I have 25 workstations and some serves. Everything working in local LAN with firewall. The problem is that on one machine (I dont know which one) is installed software which sending data to the internet. Actually I dont know what it is. Last time as I remember was trojan which can create new network interfaces in windows and send some data to the internet. The half speed of my network connection is used by this infected machine. How can I detect which machine it is? How can I listen/capture some traffic and analyze from which machine I have more connections.
Please take a look on this time. Instead of 141-150ms should be 4-5ms.
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=1 ttl=249 time=141 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=2 ttl=249 time=135 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=3 ttl=249 time=147 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=4 ttl=249 time=127 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=5 ttl=249 time=156 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=6 ttl=249 time=129 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=7 ttl=249 time=188 ms
How can I detect which machine is infected using only linux and keyboard ?
View 5 Replies
View Related
Feb 10, 2010
I have a small network with 4 users, a Win2003 server for LAN/security functions, and a Dell Blade server running Ubuntu 8.04.1 which runs as our web server on port 80. I manage the Ubuntu server with Webmin v1.42Yesterday, my users weren't able to access the internet nor were they able to receive mail, etc. and no one could access any of the website hosted on the webserver. However, the internal users could access each other's PCs and internal printers and devices - just nothing outside.
I began to troubleshoot: I could see a lot of activity on the Router/Firewall on the port connected to the Ubuntu server. When I unplugged the server, everyone could immedately connect to the internet. So, the problem was originating with that server.When I logged in to the Ubuntu server using Webmin, I checked System>Running Processes and right at the top of the list was the process:ID Owner CPU Command23184 www-data 98.1% ./s 174.120.164.186 7777When I drilled down on this process it said that the parent process was:/bin/sh -c ./s 174.120.164.186 7777I pressed the Trace Process button and it appears to be sending the following repeatedly:Time System Call Parameters Returnxxxx send 125,0123456789ABCDE,15,0 15So, I manually Killed the process and added a rule to my firewall/router to block an IP range that includes 174:120:164:186
A few hours later the same process stars again in Ubuntu,, effectively plugging up my pipeline to the internet and preventing access to the websites being hosted.It suspect that there is some kind of virus on my Ubuntu machine but have no idea how to locate and destroy it. I am relatively new to the Ubuntu world and would appreciate anyone's help immensely! I just don't know what to do!
View 9 Replies
View Related
Mar 17, 2010
On April 10, 2010, I upgraded some packages on my Ubuntu 9.04 server. This included an upgrade to "ufw 0.27-0ubuntu2". I rebooted the server, and all appeared to be fine.
Now I've noticed that UFW is not logging blocked packets since that reboot. It used to do this. It is still logging the allowed packets that I've configured it to log.
Here's what a "ufw status verbose" says code...
View 2 Replies
View Related
Jun 6, 2010
I was testing the security of my Ubuntu 10.04 64bit install by running a port scan from [URL] and I came upon some odd results. It appears that basically all my ports are closed, but only Port 646 is dropping packets silently. Furthermore, Port 80 is open.
View 5 Replies
View Related
Apr 21, 2010
Just wanted input for this script i have cobbeled together. Its not done yet. I am trying to think of ways to close up my outgoing while maintaining full functionality of my laptop ( irc, web stuff, a torrent or two, etc.) . Anyways, I have done some myself; as well as, pulling bits and pieces from other stuff out on the web. I am starting to wonder why i have to write a specific rule to check for spoofed packets if my default input is set top drop. wouldnt it be caught?
Code:
#!/bin/bash
### Laptop + Desktop: No Forwarding firewall ip4 / ip6
### Distro > Debian / Ubuntu.
### oliverteasley@gmail.com
[Code]....
View 12 Replies
View Related
Sep 1, 2009
I switched over to Fedora a couple of days ago. I'm using the built-in firewall shipped with it but I can't find out how to enable logging of dropped packets. Among others I'd like to use psad that needs firewall logging. Is there an easy way to do this? I'm not an iptables "expert".
View 6 Replies
View Related
Jan 3, 2011
how can i drop igmp port 0 packets with iptables rule? my log file is full of this router advertisement.
View 2 Replies
View Related
Aug 13, 2011
I want to capture all packets from site "www.examplesite.com" so I checked its ip address in an ip address look up and it was 123.456.abc.def.So I set my filter to "dst host 23.456.abc.def"However I then realised that multiple ip address point to ww.examplesite.com, for example say the following ips also go to987.654.321.000111.222.333.444So is there a filter that will automatically capture all traffic going to www.examplesite.com or do I have to go and manually find all it's ip addresses and pass them all to the filter?
View 2 Replies
View Related
