GLOBAL_DENY list in CSF apparently no longer working.
Posted: 29 Oct 2007, 21:43
The challenge is to block all scanalert.com scans, as they are apparently used by hackers to probe our servers.
Okay, so for the past two months we have collected all the scanalert IPs that we can and have inserted them in a world-accessible (via URL) list, and then inserted the URL in the GLOBAL_DENY = slot with an LF_GLOBAL = value of 1800.
At first this seemed to work fine, but for the past week or so, I am getting several of these kinds of notices per day that involve IPs that should be blocked, i.e. that are in the GLOBAL_DENY list:
-----------------------
Time: Mon Oct 29 15:37:13 2007
IP: 216.35.7.105 (sc4-scan37.scanalert.com)
Failures: 12 (webmail)
Interval: 45 seconds
Blocked: Yes
Log entries:
216.35.7.105 - 0 [10/29/2007:20:37:01 -0000] "POST /login/ HTTP/1.1" webmaild: user name not specified or invalid user
216.35.7.105 - >"><script>alert(123)<script><" [10/29/2007:20:37:02 -0000] "POST /login/ HTTP/1.1" webmaild: user password hash is missing from system (user probably does not exist)
216.35.7.105 - 0 [10/29/2007:20:37:02 -0000] "POST /login/ HTTP/1.1" webmaild: user name not specified or invalid user
216.35.7.105 - 0 [10/29/2007:20:37:03 -0000] "POST /login/ HTTP/1.1" webmaild: user name not specified or invalid user
...... etc. etc. etc
-----------------------
Could there be something wrong with our IPTables?
Thanks very much for any help here.
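One way to separate the two possible causes described above (the notified IP is not actually covered by the published list, versus the list is fine but the rules are not in effect), as an added example that is not part of the original post and not CSF's own code. It assumes a CSF-style deny list of one IP or CIDR per line with `#` comments; the list contents and the notice below are constructed sample data (216.35.7.0/24 is a made-up range for the example, not a real scanalert range).

```python
import ipaddress
import re

# Constructed sample GLOBAL_DENY list (one IP or CIDR per line, '#' comments).
# 216.35.7.0/24 is an assumed range for this example only.
SAMPLE_DENY_LIST = """\
# constructed example list
216.35.7.0/24
216.35.8.15   # single host entry
"""

# Constructed lfd-style notice, modelled on the one quoted in the post.
SAMPLE_NOTICE = """\
Time: Mon Oct 29 15:37:13 2007
IP: 216.35.7.105 (sc4-scan37.scanalert.com)
Failures: 12 (webmail)
Interval: 45 seconds
Blocked: Yes
"""


def parse_deny_list(text):
    """Parse a deny list into ip_network objects.

    Blank lines and comments are skipped; malformed lines are returned
    separately as (line_number, raw_line) so they can be reported, because a
    single bad line is a common reason a published list does not behave as
    expected.
    """
    networks, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split('#', 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False accepts host bits set in a CIDR (e.g. 216.35.7.105/24)
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            malformed.append((lineno, raw))
    return networks, malformed


def notice_ip(text):
    """Extract the address from the 'IP:' line of an lfd notice."""
    m = re.search(r'^IP:\s*(\S+)', text, re.MULTILINE)
    return ipaddress.ip_address(m.group(1)) if m else None


def covering_entries(ip, networks):
    """Return every list entry (single host or CIDR) that contains ip."""
    return [n for n in networks if ip in n]


def diagnose(notice_text, list_text):
    """Report whether the notified IP is covered by the list and which entries
    match. 'listed' True means the list is not the gap and the loaded firewall
    rules should be checked instead; False means the scanner IP is simply
    missing from the list."""
    networks, malformed = parse_deny_list(list_text)
    ip = notice_ip(notice_text)
    hits = covering_entries(ip, networks) if ip is not None else []
    return {
        'ip': str(ip),
        'listed': bool(hits),
        'matches': [str(n) for n in hits],
        'malformed': malformed,
    }


if __name__ == '__main__':
    result = diagnose(SAMPLE_NOTICE, SAMPLE_DENY_LIST)
    print(result)
```

If the result says the IP is listed, the published list is not the problem and the next thing to confirm is that the rules are actually present on the box (for example with `csf -g <ip>`, which searches the current iptables rules for that address, and by checking that the URL fetch succeeds from the server itself). If it is unlisted, the scanner is using an address the collected list does not yet cover.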