foy1der Posted March 25, 2010

Hi all, I just got a message from RemoteAlert that there was a failed attempt to get into my network. I'm wondering what the best way to block the attempted hacker's IP would be. Is there a way that you can do it with a D-Link router? My brother (MCSE) told me that there is a way to do it in Server 2003, so it should be possible to do it in WHS. A search for an add-on that would do it came up with nothing. What do you guys think?
dvn Posted March 25, 2010

As a past co-admin of a game server, I remember it was fairly trivial for someone to circumvent IP-blocking by forcing their ISP to issue a new IP address. (We ended up banning by GUID for this reason, but that's beside the point.) I'd keep an eye on the logs and notice if that same IP keeps popping up. Then you could notify the ISP of his actions. At the least, it puts the offender on his ISP's radar. Basically, I feel you're safe as long as you have a reasonably secure password. That's my thoughts on it. Someone else will have to pitch in on the technical details of how to block by IP if you still want to do that.
usacomp2k3 Posted March 25, 2010

Agreed. Even if you could, it is trivial enough to get a new IP that it's not going to stop any real hacker.
dvn Posted March 25, 2010

So, funny story. I got to wondering if my router could block IPs, just out of curiosity. So I look, but nothing. I happen to notice the router logs so I figure I'll have a look while I was in there. And, what the!?? Someone is connected to my main PC. Right now! Am I hax'd?? What's going on? Geez, I'm always so cautious. At least I thought I was. I notice an IP from Canada. hm... International haxxor? Then I notice what turns out to be my brother's IP address. Oh! (+ doh!) Long story made short, it turns out these access events are Skype contacts. I can tell by the port number which I forwarded. Deep breath...sheepish grin...
usacomp2k3 Posted March 26, 2010

Haha. That's great. Good job investigating and solving the mystery!
foy1der (Author) Posted March 26, 2010

I feel pretty good with my passwords. I also just finished reading the topic from katardrax. I think it would make for a good discussion on the podcast. I think security really is something that we all take for granted until something doesn't work right. Sorry about changing topics in this thread, my fingers just started walking and I couldn't stop them.
roddy Posted March 26, 2010

As far as I know, 2003's default Windows Firewall does not have that level of control. What you can do is block all connections (this is default) and only allow connections to certain port numbers, or any port opened by certain applications. You can also specify for each port, one or more IP ranges from which you want to ACCEPT connections. If you want more control, you will need a 3rd party application.

For my money though, I don't think it's worth playing cat and mouse with specific IPs, or even IP ranges. I prefer to just lock down my resources and whoever wants to try can be my guest. If they start consuming too much of my bandwidth, then maybe I'd have to do something more, but so far that hasn't happened. Crossing my fingers
jmwills Posted April 8, 2010

I totally agree. The use of very strong passwords and reviewing all default properties of your router. I am now playing with the "Tomato Software" for my WRTG54GT router. Very nice interface and very scalable.
geek-accountant Posted April 11, 2010

I loaded Tomato on an old router which I now only use as an access point (I actually have this one as an unsecured wireless AP). It had better options than the stock firmware, but I can't remember if it had any decent filtering settings. You may want to look at pfSense (home made router) and use a package called Snort. I used to use this until I added the Untangle UTM. If Snort detects a rule violation, it will block the IP address for an hour or so. You can check here (http://doc.pfsense.org/index.php/Setup_Snort_Package) for a few screen shots.
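
Added example, not part of any post in this thread and not Snort or pfSense code: a sketch of the two ideas discussed above, watching the logs for a source IP that keeps coming back and blocking it for a limited time instead of permanently. The log format, the three-failures-in-ten-minutes threshold and the function names are assumptions made for illustration; the sample lines are constructed and use documentation-range addresses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the "time EVENT source-ip" format is hypothetical.
SAMPLE_LOG = """\
2010-03-25T20:00:05 LOGIN_FAIL 203.0.113.7
2010-03-25T20:00:40 LOGIN_FAIL 203.0.113.7
2010-03-25T20:01:10 LOGIN_OK 192.168.1.20
2010-03-25T20:02:15 LOGIN_FAIL 203.0.113.7
2010-03-25T20:30:00 LOGIN_FAIL 203.0.113.7
2010-03-25T20:45:00 LOGIN_FAIL 198.51.100.9
2010-03-25T21:10:00 LOGIN_FAIL 203.0.113.7
"""

THRESHOLD = 3                      # failures that trigger a block (assumed)
WINDOW = timedelta(minutes=10)     # sliding window for counting (assumed)
BLOCK_FOR = timedelta(hours=1)     # block lifetime, "an hour or so"

def process(log_text):
    """Return (blocks, totals): timed blocks and total failures per IP."""
    recent = defaultdict(deque)    # ip -> failure times inside WINDOW
    blocked_until = {}             # ip -> expiry of its current block
    blocks, totals = [], defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "LOGIN_FAIL":
            continue               # skip blanks, malformed lines, successes
        ts, ip = datetime.fromisoformat(parts[0]), parts[2]
        totals[ip] += 1            # keep counting for an ISP abuse report
        if ip in blocked_until and ts < blocked_until[ip]:
            continue               # already blocked, nothing more to do
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:  # drop failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            blocked_until[ip] = ts + BLOCK_FOR
            blocks.append((ip, ts, ts + BLOCK_FOR))
            q.clear()
    return blocks, dict(totals)

def is_blocked(blocks, ip, when):
    """True if ip has an unexpired block at time `when`."""
    return any(b == ip and start <= when < end for b, start, end in blocks)

if __name__ == "__main__":
    blocks, totals = process(SAMPLE_LOG)
    for ip, start, end in blocks:
        print(f"block {ip} from {start} until {end}")
    print("failures per source:", totals)
```

The expiring block keeps the list from growing forever when the source address changes, while the per-IP totals are the record you would attach to a report to the ISP.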