Member
Join Date: Jan 2010
Posts: 40
#1
05-04-2010, 12:09 AM
Top hacker hn.kd.ny.adsl ??

Hi all,

This guy has tried many times to scan and attack my server directly. After searching online, I found many complaints about this one, hn.kd.ny.adsl.

Is it possible for Astaro to block a guy based on his MAC address instead of his IP address in the web admin? Actually, I have my customized firewall in front of Astaro, and I know his MAC address, 00:24:b2:03:b5:52, from receiving many email alerts from psad and the iptables log.

Thanks,

Hsinan
Moderator
Join Date: Jul 2001
Location: southern California
Posts: 12,064
#2
05-04-2010, 06:01 PM

That MAC address is your ISP!

Barry
__________________
http://BlogSec.net
http://JobOyster.com
http://DealBert.net
IT Consultant specializing in high-performance Web Infrastructure and Security.
Astaro End-user since v1.x
  • ASL 9.2x, HP DL360G5 - FW, IPS, VPNs
  • ASL 9.2x, 2 Dell 1950's as WAF/proxy w HA
  • UTM 9.1x, Atom n270, 2GB RAM, 2 Intel GigE
    Netgear GS108T gigE switch & Astaro AP30 Access Point with 4 VLANs.
    60/60mbit FiOS internet.
  • Pending - UTM 9.2x, i5-4670, 4GB RAM, 2 Intel GigE
    Needs new NIC drivers before deploying
BAlfson
Grandis Professorem Astaro
Join Date: Mar 2007
Location: Oklahoma City
Posts: 21,129
#3
05-04-2010, 07:53 PM

Barry, do you think he has a Netgear in front of his Astaro?

MAC_Find: Vendor/Ethernet/Bluetooth MAC Address Lookup and Search

Cheers - Bob
PS Hsinan, I think the MAC address is not "transported" in the datagram; it's just the address from the last bounce before you got the packet.
__________________
ACE V7 - Astaro Preferred Partner since V3
SCA/UTM - Sophos Gold Solution Partner
www.MediaSoftUSA.com
Addicted to my iPhone!
Member
Join Date: Jan 2010
Posts: 40
#4
05-04-2010, 09:13 PM

Hi Bob, Barry,

Sorry I didn't update it after I found I was wrong.

Yes, it's my Netgear router. I have a Netgear router followed by my customized firewall, and then Astaro. Astaro has two WANs so my internal LAN and the servers in the DMZ can stay connected even if my ISP is down.

So, do you have any suggestions for blocking this guy? If you google "hn.kd.ny.adsl", you will see so many complaints about it.

Thanks,

Hsinan
Billybob
Wizard
Join Date: Jul 2006
Location: United States
Posts: 1,848
#5
05-04-2010, 10:37 PM

Quote (Originally Posted by Hsinan): "If you google "hn.kd.ny.adsl", you will see so many complaints about it."

Seems like the script looks for open proxies etc. and does port scans. Is your Astaro even live on the internet, or is it double NATed or triple NATed?

All the proxies running on Astaro are secure; I would be more concerned about the box that you put together yourself in front of Astaro. If you are not publishing any servers, then I don't see what the paranoia is all about.

They are going to add geo IP blocking for mail security in v8, if that is the server you are worried about.
Member
Join Date: Jan 2010
Posts: 40
#6
05-04-2010, 11:04 PM

Hi Billybob,

The reason I put my customized server in front of Astaro is that I can easily block some IP addresses permanently and automatically. With Astaro, I need to add them manually. However, Astaro is the best UTM I have tried so far, and I want its virus scanning feature to protect my DMZ and LAN.

As for "hn.kd.ny.adsl", I think it's not so easy to block. First, it changes IP often, so putting IP addresses there is not efficient. Second, it tries not only port scans but also all kinds of attacks: email, spam, web and brute force attacks. I want to block it without providing any service.

Any better idea?

Thanks,

Hsinan
Billybob
Wizard
Join Date: Jul 2006
Location: United States
Posts: 1,848
#7
05-05-2010, 01:59 AM

Quote (Originally Posted by Hsinan): "The reason I put my customized server in front of Astaro is that I can easily block some IP addresses permanently and automatically."

Don't know if it is feasible, but you can always block all Chinese IP ranges.

http://www.ipdeny.com/ipblocks/data/countries/cn.zone

But still, I don't get the point. If your firewall and IPS are working as they are supposed to, most of the trivial network scans and proxy scans are just part of being connected to the internet. You are just seeing them more closely because of your advanced gear. I guess one can always unplug the cord before going to bed. j/k
Member
Join Date: Jan 2010
Posts: 40
#8
05-05-2010, 04:30 AM
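Two points from this thread in one added example (not code from the thread, from Astaro or from ipdeny): Bob's note in #3 that the MAC in an iptables log is only the previous hop's address, and Billybob's suggestion above of blocking a country's CIDR list in the ipdeny zone-file layout (one CIDR per line). It assumes the iptables LOG-target line format; the zone prefixes, the firewall's own interface MAC and the log lines themselves are constructed for illustration.

```python
"""Check iptables LOG lines against a country CIDR list and inspect the MAC= field."""
import ipaddress
import re

# Constructed sample in the ipdeny zone-file layout (one CIDR per line).
# These are documentation prefixes, not a real cn.zone download.
ZONE_TEXT = """\
203.0.113.0/24
198.51.100.0/25
"""

# Constructed iptables LOG lines (not real alerts). The MAC= field holds
# dst-MAC:src-MAC:ethertype. The src half is the upstream Netgear router
# from the thread (00:24:b2:03:b5:52), never the remote scanner's hardware.
LOG_LINES = [
    "May  4 00:01:02 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:24:b2:03:b5:52:08:00 "
    "SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=4455 DPT=8080 SYN",
    "May  4 00:01:05 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:24:b2:03:b5:52:08:00 "
    "SRC=198.51.100.100 DST=192.0.2.10 PROTO=TCP SPT=4456 DPT=25 SYN",
    "May  4 00:01:09 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:24:b2:03:b5:52:08:00 "
    "SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=4457 DPT=22 SYN",
]

# 14 bytes: 6 dst MAC, 6 src MAC, 2 ethertype, all colon separated.
LOG_RE = re.compile(r"MAC=(?P<mac>(?:[0-9a-f]{2}:){13}[0-9a-f]{2}).*?SRC=(?P<src>\S+)")


def load_zone(text):
    """Parse one-CIDR-per-line zone text into network objects, skipping blanks/comments."""
    lines = (l.strip() for l in text.splitlines())
    return [ipaddress.ip_network(l) for l in lines if l and not l.startswith("#")]


def parse_log(line):
    """Return (src_ip, previous_hop_mac) from an iptables LOG line, or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    octets = m.group("mac").split(":")
    return ipaddress.ip_address(m.group("src")), ":".join(octets[6:12])


def in_zone(ip, nets):
    """True if ip falls inside any network of the loaded zone list."""
    return any(ip in n for n in nets)


def classify(lines, zone_text):
    """Return (blocked source IPs in order seen, set of previous-hop MACs observed)."""
    nets, blocked, macs = load_zone(zone_text), [], set()
    for parsed in filter(None, map(parse_log, lines)):
        ip, mac = parsed
        macs.add(mac)  # collapses to the single upstream router MAC
        if in_zone(ip, nets):
            blocked.append(str(ip))
    return blocked, macs
```

Every line yields the same MAC, which is why a MAC-based rule cannot single out one remote host; the SRC address matched against the zone list is what a block rule can act on.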

The interesting part of studying and implementing a firewall myself is that there are many solutions and you control them yourself. Since this is an Astaro forum, I won't talk here about how I do it. However, the current topic for me is how to block this guy in one shot! :-)