From: "Ralph W. Reid"
To: "Speakup is a screen review system for Linux."
Subject: Re: hacking attempts
Date: Sun, 11 Feb 2007 08:10:00 -0800
Message-ID: <20070211161000.GA31372@sunset.net>
In-Reply-To: <007501c74d36$296e0f80$6401a8c0@development>

If all of the attempts were from the same IP, you can block traffic from an IP address with something like:

    iptables --append INPUT -p udp -s -j DROP

replacing with the offending IP address. This idea might be overly simple for what you really should do for some firewalling--you might have to start learning iptables after all. What exactly do you mean by the IP range of 22 to 249 anyway--was this part of the IP address from where the scan originated?
If the udp port in question is not to be used from outside your system in any case, a simple block of that port could look something like:

    iptables --append INPUT -p udp -i eth0 --destination-port -j DROP

where is the number of the port you wish to block, and eth0 represents ethernet port 0 (change as your system requires). Depending on the requirements for your system, this might be too simple of an approach as well--you will have to decide.

Also, that kind of scan seems to be highly unsophisticated, so it might have been run by a 'kiddie script'. Since the individual who ran it does not appear to be very experienced at scanning systems, contacting the systems administrator of the company where the scan came from might be in order--samples of your system logs could give the powers that be at that ISP/company a clue as to the individual or system which originated the scan, and they can then take appropriate action as needed.

HTH, and have a great day.

On Sat, Feb 10, 2007 at 10:09:00AM -0700, Littlefield, tyler wrote:
> Hello list,
> I just had someone bomb the hell out of my system on a udp port, moving from ip of 22 to 249.
> My logwatch was huge.
> Is there a way I can block things like this?
> I'm not sure how to set up iptables, and don't really have a whole lot of time to go through a huge 300000 page tutorial.
> Thanks,
> Tyler Littlefield
> Unlimited horizons head coder.
> check out our website:
> tysplace.homelinux.net
> msn: compgeek134@hotmail.com
> aim: st8amnd2005
> skype: st8amnd127

--
Ralph. N6BNO. Wisdom comes from central processing, not from I/O.
rreid@sunset.net http://personalweb.sunset.net/~rreid
...passing through The City of Internet at the speed of light...
COSECANT (x) = COTAN (x) / TAN (x)
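As an added illustration of the per-IP blocking idea in the reply above (this is not code from the thread or from Ralph), the script below reads iptables LOG lines, counts how many distinct UDP destination ports each source hit, and prints a DROP rule for any source over a threshold instead of hand-copying addresses out of logwatch. It assumes a logging rule such as `iptables --append INPUT -p udp -i eth0 -j LOG --log-prefix "UDP-IN: "` was in place; the log lines, addresses and the "UDP-IN:" prefix are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original thread. The log lines are constructed
# sample data in the format the iptables LOG target writes to the kernel log.
SAMPLE_LOG='Feb 10 09:58:01 box kernel: UDP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=40000 DPT=22 LEN=40
Feb 10 09:58:01 box kernel: UDP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=40000 DPT=23 LEN=40
Feb 10 09:58:02 box kernel: UDP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=40000 DPT=24 LEN=40
Feb 10 09:58:02 box kernel: UDP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=40000 DPT=25 LEN=40
Feb 10 09:58:02 box kernel: UDP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=40000 DPT=22 LEN=40
Feb 10 09:59:10 box kernel: UDP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353 LEN=60
Feb 10 09:59:11 box kernel: UDP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353 LEN=60'

# Read log lines on stdin; print "<source IP> <number of distinct UDP DPTs>"
# for every source, one per line, sorted by address.
udp_port_counts() {
    awk '
        /PROTO=UDP/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # count each (source, port) pair only once
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) print s, ports[s] }
    ' | sort
}

# Print (do not execute) one DROP rule, in the form used in the reply, for
# each source that probed at least $1 distinct UDP ports.
block_rules() {
    threshold="$1"
    udp_port_counts | awk -v t="$threshold" \
        '$2 >= t { printf "iptables --append INPUT -p udp -s %s -j DROP\n", $1 }'
}

# Demo: a host touching four or more ports is treated as a scanner.
printf '%s\n' "$SAMPLE_LOG" | block_rules 4
```

Review the printed rules before running them; a single busy but legitimate peer (like the mDNS source in the sample) stays below the threshold, while the port-walking source gets one rule.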