TrickyRic -
Joined: 02 May 2003 Posts: 10 Location: UK
Posted: Sat May 10, 2003 1:57 am Post subject: advanced ip banning
Hi, I hope you can help me here as I've had to stop my web server and close port 80 as a temporary solution :(
Anyway, I've been having problems with a hacker. The access.log file created by Abyss is showing this guy has accessed and run scripts on my server on 3 random occasions so far. Each time he/she has surfed through a proxy, so I haven't been able to rip his IP, until today, when I was carefully reading the logs and realised that on 1 occasion he/she forgot to surf through a proxy. He/she was only connected for a split second, but it meant I got the real IP address. I fed it through the databases on www.samspade.org and yes, it's definitely a real IP and not spoofed (I also got a lot of info on him which I'm wondering what to do with). Anyway, I was wondering if there was any way of banning this real IP so even if he/she surfs through a proxy, he/she still can't access my server? I'm running a Win98 based server on a LAN with an ADSL router. Unfortunately I can't find any settings in either Windows or the router for banning IP addresses. I've spent a long time searching network security sites but I only seem to find information on banning an IP with IIS, which is obviously no use to me as I'm using Abyss and Win98 uses PWS instead of IIS anyway.
Any help or suggestions would be greatly appreciated. All I can think of is to leave port 80 closed for 2 or more weeks and hope he/she decides I must have banned them and gives up, though this is unlikely and I don't want to have to do this every time a hack attempt is made.
Thanks.
s1asher -
Joined: 20 Mar 2003 Posts: 53
Posted: Sat May 10, 2003 11:03 am Post subject:
Have you got a firewall installed on your PC?
Even if the router is using NAT, so your computer is not normally visible to the outside world, you should still use a firewall so you know what is attempting to connect to the net, and in this case, block the IP address coming in through port 80.
All you should have to do is set the firewall to block this IP address.
TrickyRic -
Joined: 02 May 2003 Posts: 10 Location: UK
Posted: Sat May 10, 2003 11:27 am Post subject: hmm
Thanks. The router has a built-in firewall (supposedly, though I've not found settings for it) and all my machines were enabled with the Windows firewall until I found out it contains spyware and a lot of security holes (not exactly a very good firewall then). Anyway, I wasn't too sure about putting another firewall on the server as I was worried it would block one of my services (it's an FTP, IRC, and web server).
So would it be OK to use a firewall on that machine? And if so, is there a decent one that allows blocking of IP addresses for free?
If it's any help, the log files show he/she is using cmd.exe (DOS prompt) but I think it's more likely to be telnet.
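An added example, not part of the original thread: a log triage script for the situation described in the posts above, listing which client addresses requested cmd.exe and what status the server returned. It assumes access.log uses Common Log Format (an assumption about the poster's Abyss setup); the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
SUSPICIOUS = re.compile(r'cmd\.exe', re.IGNORECASE)

def decode(text, rounds=3):
    """Percent-decode repeatedly so encoded or double-encoded names still match."""
    for _ in range(rounds):
        nxt = unquote(text)
        if nxt == text:
            break
        text = nxt
    return text

def triage(lines):
    """Return {client_ip: [(timestamp, status, decoded_request), ...]} for hits."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, request, status, _size = m.groups()
        decoded = decode(request)
        if SUSPICIOUS.search(decoded):
            hits[ip].append((ts, int(status), decoded))
    return dict(hits)

def served(hits):
    """Addresses with at least one suspicious request answered with a 2xx status."""
    return sorted(ip for ip, rows in hits.items()
                  if any(200 <= status < 300 for _, status, _ in rows))

# Constructed sample lines using documentation address ranges, not the poster's log.
SAMPLE = [
    '192.0.2.10 - - [10/May/2003:01:12:03 +0100] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/May/2003:01:13:40 +0100] "GET /scripts/cmd.exe HTTP/1.0" 404 312',
    '203.0.113.99 - - [10/May/2003:01:14:02 +0100] "GET /scripts/cmd%2Eexe HTTP/1.0" 404 312',
    '203.0.113.99 - - [10/May/2003:01:14:05 +0100] "GET /cgi-bin/CMD%252EEXE HTTP/1.0" 200 1450',
]

if __name__ == "__main__":
    found = triage(SAMPLE)
    for ip, rows in found.items():
        for ts, status, request in rows:
            print(ip, ts, status, request)
    print("answered with 2xx:", served(found))
```

A 404 on such a request means the file was not found and nothing ran; only the addresses returned by `served` need a closer look, and the full list of keys from `triage` is the candidate block list for a firewall rule.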
vbgunz -
Joined: 02 Feb 2003 Posts: 615 Location: Florida
Posted: Sat May 10, 2003 12:23 pm Post subject:
http://kerio.com *the BETA* I know for sure blocks IP addresses... Not too sure about their stable version 2 though... I *think* it has IP blocking... Also, it's splash free and the beta is very stable... Good luck :)
_________________
Victor B. Gonzalez
http://aeonserv.com
TrickyRic -
Joined: 02 May 2003 Posts: 10 Location: UK
Posted: Sat May 10, 2003 1:06 pm Post subject: thanks
Looks good, will download it and see what I can do :)
Once again these forums have helped where others have failed :) Thanks
vbgunz -
Joined: 02 Feb 2003 Posts: 615 Location: Florida
Posted: Sat May 10, 2003 1:08 pm Post subject:
That's what a community is all about :)
_________________
Victor B. Gonzalez
http://aeonserv.com
TrickyRic -
Joined: 02 May 2003 Posts: 10 Location: UK
Posted: Sat May 10, 2003 1:15 pm Post subject: :S
Hmm, hate to bring bad news but it comes up with an error to say "incompatible rpc stub, installation will now terminate" or something. That's the error anyway, might not have been rpc.
Thanks anyway, I'll keep looking
s1asher -
Joined: 20 Mar 2003 Posts: 53
TrickyRic -
Joined: 02 May 2003 Posts: 10 Location: UK
Posted: Sat May 10, 2003 4:01 pm Post subject: thanks
OK, thanks :)
s1asher -
Joined: 20 Mar 2003 Posts: 53
Posted: Sat May 10, 2003 4:07 pm Post subject:
No problem :)