[NTLUG:Discuss] Killing Bad People
Daniel L. Shipman
daniel at srj.net
Tue Feb 5 14:09:53 CST 2002
Actually these are the addresses of people who have port scanned me - tried
to log in - ftp - or acted in a malicious way towards my boxes - the main
site that is just killing me is wanadoo.fr (a French company that operates
several HUGE net blocks) - if you look in your logs you will have entries
from these jerks. Anyway I am taking each one of these entries which you see
below and dropping the entire subnet - is there a better way to kill all of
these people without just doing (/sbin/iptables -A INPUT -s
93.253.52.0/24 -d 0/0 -j DROP) for each little subnet? I mean how can I
kill EVERYONE at wanadoo.fr - (/sbin/iptables -A INPUT -s wanadoo.fr -d
0/0 -j DROP) does not work!
Someone on this list has to have had problems with wanadoo.fr and found a
way to fix this issue.
user at anantes-101-1-3-178.abo.wanadoo.fr (217.128.66.178) attempted to log
into our FTP server multiple times guessing usernames and passwords - and
once even trying to log in as root
----- Original Message -----
From: "GWH Technical Training" <ghaass1 at airmail.net>
To: <discuss at ntlug.org>
Sent: Tuesday, February 05, 2002 2:07 PM
Subject: Re: [NTLUG:Discuss] Killing Bad People
> I am assuming you are just setting up the tables to lock these guys out,
> but are the IPs from a list of people that have tapped your machines???
> or was this list posted somewhere...I am a little confused here...
>
> Please give the background, as I am not familiar with this French
> site...
>
> g
>
> =============================================================
>
>
>
> "Daniel L. Shipman" wrote:
>
> > Wanadoo.fr - VERY VERY Bad people - I just thought I'd share and ask
> > for comments on what I'm doing here - I have had NIGHTMARES from
> > wanadoo.fr FTP entry attempts - I have a firewall in front of my
> > servers - but on the servers themselves I am running this little shell
> > script:
> >
> > #!/bin/sh
> >
> > IPT="/sbin/iptables"
> >
> > #Time to clean house
> >
> > #Clear out any existing firewall rules, and any chains that might have
> > #been created
> > ----- SNIP ----- etc...
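Added example, not part of the original thread: a hostname given to `-s` is resolved through forward DNS once, when the rule is inserted, so it cannot match clients by their reverse name; the match has to be on address ranges. This sketch collapses offending addresses into the fewest CIDR blocks and prints commands for a single `ipset`-backed DROP rule, assuming a host with the `ipset` tool installed; the set name `ftp_abusers` and the sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample: source IPs as they might be pulled from FTP/auth logs.
# 198.18.0.0/15 (benchmarking) and 203.0.113.0/24 (documentation) are reserved.
SAMPLE_IPS = [
    "198.18.4.10", "198.18.4.200",   # two hits from the same /24
    "198.18.5.77", "198.18.6.1", "198.18.7.250",
    "203.0.113.9",
    "not-an-ip",                     # malformed log field
]


def aggregate(ips, prefix=24):
    """Map each IPv4 address to its /prefix block, then merge adjacent blocks."""
    nets = set()
    for raw in ips:
        try:
            addr = ipaddress.IPv4Address(raw.strip())
        except ipaddress.AddressValueError:
            continue  # skip bad fields instead of emitting a broken rule
        nets.add(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
    # collapse_addresses only merges blocks already in the set; it never
    # widens coverage beyond the /prefix blocks that were actually seen.
    return list(ipaddress.collapse_addresses(nets))


def ipset_commands(nets, set_name="ftp_abusers"):
    """Emit commands for one ipset and the single iptables rule that uses it."""
    cmds = [f"ipset create {set_name} hash:net -exist"]
    cmds += [f"ipset add {set_name} {net} -exist" for net in nets]
    # Insert this rule once; later updates only need the 'ipset add' lines.
    cmds.append(f"/sbin/iptables -I INPUT -m set --match-set {set_name} src -j DROP")
    return cmds


if __name__ == "__main__":
    print("\n".join(ipset_commands(aggregate(SAMPLE_IPS))))
```

Widening every hit to a /24 also blocks that block's other customers, so review the collapsed list before loading it.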