security newsgroups
Keeping a particular intruder out

Peter <m*@privacy.net> wrote:

If this is OT, then I apologise.

I'm running 2003 Standard, basically to host my wife's hobby sites.

I monitor the logs for intrusion attempts, and persistent offenders get barred using a simple IPSEC implementation.

However, I cannot stop a plague of visits from msnbot/0.9 supposedly originating from IP 65.55.246.129

My thoughts are:

1. IPSEC isn't working (but I've tested it and it appears OK)
2. M$ have left themselves a backdoor (unlikely, I would hope)
3. msnbot is spoofing its IP

Any thoughts?

Roger Abell [MVP] <mvpNoSpam@asu.edu> wrote, in reply to Peter:

From where are you getting the IP? The IIS logs?

IPsec uses the IP as actually in use, whereas the IP logged in the IIS logs seems to be from the http headers. I have run into this before when trying to subvert pests with IPsec barring rules, when apparently the originating machine is behind a NAT so that there is an outer IP in actual use by the network stack that you must determine in order to block with IPsec.

Peter <m*@privacy.net> wrote, in reply to Roger Abell:

> From where are you getting the IP? The IIS logs?

Yes

> IPsec uses the IP as actually in use, whereas the IP logged in
> the IIS logs seems to be from the http headers. [...]

So it seems.

Thanks for replying...

I can always fall back on to plan 'B' (which is a home-grown ISAPI filter on the 'mod_rewrite' principle) so it's not the end of the world, but can IPSEC (or any other IIS feature) be persuaded to part with the 'true' IP information I want?

(2003 + SP1, if that is relevant)

Roger Abell [MVP] <mvpNoSpam@asu.edu> wrote, in reply to Peter:

Not a clean, neat built-in way that captures the correlation with what is seen in the IIS logs, at least not that I know of. There are ways to get the network stack view, but that is uncorrelated.

--
Roger Abell
Microsoft MVP (Windows Server : Security)

Jeff wrote, in reply to Peter's original post (Fri, 23 Jun 2006 09:35:51 -0500):

You're looking at trying to implement an intrusion detection system in IIS, which isn't the best way to handle this.

Jeff
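The thread turns on two mechanics: reading "persistent offenders" out of the IIS logs, and turning the chosen address into an IPsec block. The script below is an added example, not code from any poster, that does both offline. It parses W3C extended log lines the way IIS 6 writes them (a #Fields directive names the columns; spaces inside a field are written as '+'), ranks clients by total hits and by error-status hits, lists the user agents seen from an address, and generates the netsh ipsec static commands for Windows Server 2003 that would drop all traffic from it. The log excerpt is constructed for this example (65.55.246.129 is the address Peter quoted; the other addresses are documentation ranges), the policy and filter-list names are assumptions, and the commands are meant to be reviewed before being run on a server. One check worth adding when the log and IPsec disagree, as Roger describes: the c-ip column is the address IIS took from the accepted TCP connection, so compare it against the peer shown by netstat -n while the hits are arriving; if they differ, something (a proxy, NAT or load balancer) sits between the client and the server, and the netstat address is the one IPsec can act on.

```python
"""Triage IIS 6 W3C extended log lines and emit IPsec block commands.

Added example for the newsgroup thread above; not code from any poster.
SAMPLE_LOG is constructed: 65.55.246.129 is the address quoted in the
thread, the remaining addresses are RFC 5737 documentation ranges.
"""
import collections
import ipaddress

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-06-23 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-06-23 09:00:01 192.0.2.10 GET /index.html - 80 - 65.55.246.129 msnbot/0.9+(+http://search.msn.com/msnbot.htm) 200 0 0
2006-06-23 09:00:02 192.0.2.10 GET /robots.txt - 80 - 65.55.246.129 msnbot/0.9+(+http://search.msn.com/msnbot.htm) 404 0 2
2006-06-23 09:00:05 192.0.2.10 GET /gallery/ - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0
2006-06-23 09:00:06 192.0.2.10 GET /_vti_bin/owssvr.dll - 80 - 203.0.113.9 Mozilla/4.0 404 0 2
2006-06-23 09:00:06 192.0.2.10 GET /scripts/root.exe - 80 - 203.0.113.9 Mozilla/4.0 404 0 2
2006-06-23 09:00:07 192.0.2.10 GET /MSADC/root.exe - 80 - 203.0.113.9 Mozilla/4.0 404 0 2
2006-06-23 09:00:09 192.0.2.10 GET /index.html - 80 - 65.55.246.129 msnbot/0.9+(+http://search.msn.com/msnbot.htm) 200 0 0
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names.

    IIS writes literal spaces inside a field as '+', so splitting on
    whitespace is safe. Other directive lines (#Software, #Date, ...) are
    skipped, and a later #Fields line redefines the layout for what follows.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def hits_per_client(records):
    """Total requests per c-ip, the peer address IIS logged for the connection."""
    return collections.Counter(r["c-ip"] for r in records)


def error_hits_per_client(records, statuses=("401", "403", "404")):
    """Requests per c-ip that drew an error status: a crude probe counter."""
    return collections.Counter(r["c-ip"] for r in records if r["sc-status"] in statuses)


def user_agents_for(records, ip):
    """Distinct User-Agent strings seen from one address."""
    return {r["cs(User-Agent)"] for r in records if r["c-ip"] == ip}


def offenders(records, min_hits=3, min_errors=2):
    """Addresses worth a closer look: persistent, or mostly hitting errors."""
    total = hits_per_client(records)
    errors = error_hits_per_client(records)
    return sorted(ip for ip in total if total[ip] >= min_hits or errors[ip] >= min_errors)


def netsh_block_commands(ip, policy="BlockList", flist="BlockedHosts"):
    """Build 'netsh ipsec static' commands (Windows Server 2003 syntax) that
    block all traffic from ip. Policy, filter-list and filter-action names
    are assumptions. Re-running 'add' for an object that already exists
    only yields an error message; the final line assigns the policy."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on anything but an IP
    return [
        'netsh ipsec static add policy name="%s"' % policy,
        'netsh ipsec static add filterlist name="%s"' % flist,
        'netsh ipsec static add filter filterlist="%s" srcaddr=%s dstaddr=Me protocol=ANY' % (flist, addr),
        'netsh ipsec static add filteraction name="Block" action=block',
        'netsh ipsec static add rule name="Block %s" policy="%s" filterlist="%s" filteraction="Block"' % (addr, policy, flist),
        'netsh ipsec static set policy name="%s" assign=y' % policy,
    ]


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    total, errors = hits_per_client(recs), error_hits_per_client(recs)
    for ip in offenders(recs):
        print("%-15s hits=%d errors=%d agents=%s" % (ip, total[ip], errors[ip], sorted(user_agents_for(recs, ip))))
        print("\n".join("  " + c for c in netsh_block_commands(ip)))
```

On real logs, feed the script the contents of ex*.log from the site's log directory and keep the thresholds conservative: a search crawler that fetches robots.txt and a handful of pages is not an intruder, whereas an address whose requests are almost all 404s against /scripts/ or /MSADC/ is probing. The generated netsh lines are plain text on purpose, so the address can be compared against netstat -n before anything is assigned.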