Re: Blocking External IP Addresses

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 18 Feb 2003 11:22:54 -0800

That needs to be a judgment call on your part.
If you see a lot of oddball (i.e., you don't publish that service) requests
from a particular IP, then you need to do some sleuthing.
Do:
1. a ping -a against the IP
2. an nslookup against it
3. a whois against it

Basically, you have to learn the difference between truly malicious activity
and normal network noise.

http://www.samspade.org  offers a free tool that makes this kind of research
comparatively brain-dead.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message -----
From: "Sean Faust" <sfaust@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, February 18, 2003 10:01
Subject: [isalist] Blocking External IP Addresses




Good Afternoon All,

When reviewing the logs and noticing repeated All Port Scans from a
particular IP Address, is it a good idea and is it possible to have the
external interface refuse any connection attempts by that IP address? And
if so, what is the most efficient way to block an external IP address from
hitting the external interface?


Thanks

Sean Faust
Director, Network Services
American Red Cross
Atlanta Chapter
Office (404) 575-3123
Cell(404) 909-0778
sfaust@xxxxxxxxxx
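
An added example, not part of the original thread: one way to shortlist the source IPs worth the ping -a / nslookup / whois research suggested in the reply, by counting how many distinct unpublished ports each source requested. The log layout, the published-port set and the threshold are assumptions constructed for illustration; this is not ISA Server's real log format.

```python
from collections import defaultdict

# Constructed sample log lines (not ISA Server's real log format):
# date time source-ip destination-port action
SAMPLE_LOG = """\
2003-02-18 09:58:01 203.0.113.7 21 DENY
2003-02-18 09:58:01 203.0.113.7 23 DENY
2003-02-18 09:58:02 203.0.113.7 25 ALLOW
2003-02-18 09:58:02 203.0.113.7 135 DENY
2003-02-18 09:58:03 203.0.113.7 139 DENY
2003-02-18 09:58:03 203.0.113.7 445 DENY
2003-02-18 09:58:04 203.0.113.7 1433 DENY
2003-02-18 09:59:10 198.51.100.20 80 ALLOW
2003-02-18 09:59:40 198.51.100.20 445 DENY
2003-02-18 10:00:05 192.0.2.99 80 ALLOW
this line is malformed and is skipped
"""

PUBLISHED_PORTS = {25, 80}   # assumption: the services this site publishes
MIN_DISTINCT_PORTS = 5       # assumption: threshold to tune per site


def oddball_ports_by_source(log_text, published=PUBLISHED_PORTS):
    """Map each source IP to the set of unpublished ports it requested."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[3].isdigit():
            continue  # skip blank or malformed lines
        src, port = fields[2], int(fields[3])
        if port not in published:
            seen[src].add(port)
    return dict(seen)


def sources_to_investigate(log_text, min_ports=MIN_DISTINCT_PORTS):
    """Return (ip, sorted ports) for sources probing many unpublished ports."""
    hits = oddball_ports_by_source(log_text)
    flagged = [(ip, sorted(p)) for ip, p in hits.items() if len(p) >= min_ports]
    return sorted(flagged, key=lambda item: -len(item[1]))


if __name__ == "__main__":
    for ip, ports in sources_to_investigate(SAMPLE_LOG):
        print(f"{ip}: {len(ports)} unpublished ports {ports} -> run ping -a, nslookup, whois")
```

A source that touches a single unpublished port stays below the threshold and is treated as noise; only the source that walks many unpublished ports is listed for follow-up.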



