Security Basics mailing list archives

Re: deny access


From: "John R. Morris" <jrmorris () nerdality com>
Date: Thu, 25 Nov 2004 22:22:04 -0500

Carlos Garcia wrote:

Newbie question: how can I block this IP, 216.212.33.185? I have a Cisco 7200. This IP is trying to send mail with my server. I did not configure the router, so I don't know how to do this. Any help?


Atte.
Carlos A. Garcia G.
Cabonet Staff
Tel (624) 14 30120



From your question, I gather that:
A> You have a 7200; so this is a business presumably and not home?
B> You didn't configure it, and don't know much about Ciscos or IOS.

If A & B are true, don't mess with the router. Whatever is problematic about this situation will not be made better by "fixing" the router.

If A is wrong and it's your home router, by all means, feel free to play with it and learn, after assuring you have adequate reference material downloaded & saved locally, and the first thing to learn is how to copy the config off to a TFTP server.

-Then-

Check out Cisco ACLs:
http://www.nwc.com/907/907ws1.html
http://www.routergod.com/donking/

Further googling on Cisco IOS & ACL will be of help.

You could also add a static route to that IP using the route command, but that's not the right way to implement this, as traffic inbound from that IP will still arrive (responses will just get misrouted). Definitely implement enough ACL on your router to at least prevent spoofed IPs and other bogus address space (you can add a deny for this host there if you wish).

You may also want to consider host-based firewalls (iptables, etc.) for your mail server; it's pretty easy to block an IP on a given host.

Finally, don't use your router as a firewall. While it's appropriate to use ACLs for ingress/egress filtering of invalid addresses and such, and, if you squint, lower port numbers or blocking access to an NFS server or such, if you find yourself doing a lot of this, you need a firewall in addition to a router. Firewalls are much more powerful and useful in doing this than your router, including stateful inspection and so forth.

Thirdly, if your mail server is *allowing* someone to send mail that has no legitimate reason to be sending mail, you don't just need to block their IP, you need to fix your mail server to not be an open relay. Otherwise, if they are just hammering your bandwidth/server definitely block the IP at the router or host level, whichever is easier.

If you just quickly want to stop someone from that IP sending mail through your server: Do this (OS really doesn't matter, the syntax might vary a bit) from a shell or command prompt on that server:
Windows: route add 216.212.33.185 MASK 255.255.255.255 <your server IP here>
*Windows is messed up that way, on most other OSes you can route to loopback... sigh.
Unix/Linux: route add -host 216.212.33.185 127.0.0.1

Then, after that, proceed to look into more useful forms of host firewalls, fixing your mailer's open relay if that is what's the root problem, etc. Feel free to post a more detailed account of what's wrong and folks on here will try to point you in the right direction. That null route will at least alleviate the immediate problem, if they are using TCP to talk to your mail server (25/TCP is pretty standard so I would think so), and allow you to proceed.

Well, I'm headed back to the turkey and television now.

Later.

~John
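Added example, not part of John's reply or of any vendor's code: a small Python model of the inbound ACL John describes (anti-spoofing denies for your own address space and private ranges, plus a deny for the host named in the question, then a permit), rendered as IOS access-list lines and evaluated top-down with first-match and implicit-deny semantics. The 203.0.113.0/24 "own address space" and the sample source addresses are assumptions.

```python
# Added example (not from the thread): model an inbound ACL on the router's outside
# interface and check which sample sources it blocks. First match wins, and an
# unmatched packet hits the implicit deny, as on IOS.
from ipaddress import ip_address, ip_network

OUR_SPACE = ip_network("203.0.113.0/24")        # assumed public range behind the router
ABUSIVE_HOST = ip_network("216.212.33.185/32")  # host named in the original question

# (action, source network) in order; evaluated top-down like an IOS access-list.
INBOUND_ACL = [
    ("deny", ABUSIVE_HOST),                 # the immediate nuisance
    ("deny", OUR_SPACE),                    # our own addresses arriving from outside = spoofed
    ("deny", ip_network("10.0.0.0/8")),     # RFC 1918 and loopback never legitimately arrive from the Internet
    ("deny", ip_network("172.16.0.0/12")),
    ("deny", ip_network("192.168.0.0/16")),
    ("deny", ip_network("127.0.0.0/8")),
    ("permit", ip_network("0.0.0.0/0")),    # everything else, until a real firewall takes over
]

def evaluate(acl, src):
    """Return 'permit' or 'deny' for a packet from src: first match wins, implicit deny at the end."""
    addr = ip_address(src)
    for action, net in acl:
        if addr in net:
            return action
    return "deny"

def to_ios(acl, number=110):
    """Render the list as IOS access-list lines; the wildcard mask is the inverted netmask."""
    lines = []
    for action, net in acl:
        if net.prefixlen == 32:
            lines.append(f"access-list {number} {action} ip host {net.network_address} any")
        elif net.prefixlen == 0:
            lines.append(f"access-list {number} {action} ip any any")
        else:
            lines.append(f"access-list {number} {action} ip {net.network_address} {net.hostmask} any")
    return lines

if __name__ == "__main__":
    for line in to_ios(INBOUND_ACL):
        print(line)
    # constructed sample sources: the abusive host, a spoofed "internal" address,
    # a private address, and an ordinary remote sender
    for src in ("216.212.33.185", "203.0.113.7", "192.168.1.5", "198.51.100.20"):
        print(f"{src:>16} -> {evaluate(INBOUND_ACL, src)}")
```

The rendered lines are what you would apply with `ip access-group 110 in` on the outside interface; the evaluator lets you confirm the ordering before touching a production router.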


