is there any way to block outside access via IP address through a linksys
wrt54g router? someone is running a script 24/7 for weeks now trying to
gain administrator access to my windows 2000 server webserver. i have the
IP but am unsure what to do with it. any help would be appreciated. below
is a small sample of my IIS logs. if i need a different router to be able
to block his IP, please recommend one.
thanks!

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2006-10-10 01:49:08
#Fields: time c-ip cs-method cs-uri-stem sc-status
01:49:08 211.93.134.228 [9]USER Administrator 331
01:49:08 211.93.134.228 [9]P*** - 530
01:49:08 211.93.134.228 [9]USER Administrator 331
01:49:10 211.93.134.228 [9]P*** - 530
01:49:10 211.93.134.228 [9]USER Administrator 331
01:49:10 211.93.134.228 [9]P*** - 530
01:49:11 211.93.134.228 [9]USER Administrator 331
01:49:11 211.93.134.228 [9]P*** - 530
01:49:11 211.93.134.228 [9]USER Administrator 331
01:49:13 211.93.134.228 [9]P*** - 530
01:49:13 211.93.134.228 [9]USER Administrator 331
01:49:13 211.93.134.228 [9]P*** - 530
01:49:14 211.93.134.228 [9]USER Administrator 331
01:49:14 211.93.134.228 [9]P*** - 530
01:49:14 211.93.134.228 [9]USER Administrator 331
01:49:16 211.93.134.228 [9]P*** - 530
01:49:16 211.93.134.228 [9]USER Administrator 331
01:49:16 211.93.134.228 [9]P*** - 530
01:49:17 211.93.134.228 [9]USER Administrator 331
01:49:17 211.93.134.228 [9]P*** - 530
01:49:17 211.93.134.228 [9]USER Administrator 331
01:49:18 211.93.134.228 [9]P*** - 530
01:49:18 211.93.134.228 [9]USER Administrator 331
01:49:18 211.93.134.228 [9]P*** - 530
01:49:20 211.93.134.228 [9]USER Administrator 331
01:49:20 211.93.134.228 [9]P*** - 530
01:49:20 211.93.134.228 [9]USER Administrator 331
01:49:21 211.93.134.228 [9]P*** - 530
01:49:21 211.93.134.228 [9]USER Administrator 331
01:49:21 211.93.134.228 [9]P*** - 530
01:49:22 211.93.134.228 [9]USER Administrator 331
01:49:22 211.93.134.228 [9]P*** - 530
01:49:22 211.93.134.228 [9]USER Administrator 331
01:49:23 211.93.134.228 [9]P*** - 530
01:49:23 211.93.134.228 [9]USER Administrator 331
01:49:23 211.93.134.228 [9]P*** - 530
01:49:25 211.93.134.228 [9]USER Administrator 331
01:49:25 211.93.134.228 [9]P*** - 530
01:49:25 211.93.134.228 [9]USER Administrator 331
01:49:26 211.93.134.228 [9]P*** - 530
01:49:26 211.93.134.228 [9]USER Administrator 331
01:49:26 211.93.134.228 [9]P*** - 530
01:49:27 211.93.134.228 [9]USER Administrator 331
01:49:27 211.93.134.228 [9]P*** - 530
01:49:27 211.93.134.228 [9]USER Administrator 331
01:49:29 211.93.134.228 [9]P*** - 530
01:49:29 211.93.134.228 [9]USER Administrator 331
01:49:29 211.93.134.228 [9]P*** - 530

--
Nathan in Montana
http://ConcealedCarryForum.com
http://1911Tech.com
http://GlockCarry.com

On Wed, 13 Dec 2006 22:15:06 -0700, "Nathan In Montana"
<EMAIL REMOVED> wrote:

>is there any way to block outside access via IP address through a linksys
>wrt54g router? someone is running a script 24/7 for weeks now trying to
>gain administrator access to my windows 2000 server webserver. i have the
>IP but am unsure what to do with it. any help would be appreciated. below
>is a small sample of my IIS logs. if i need a different router to be able
>to block his IP, please recommend one.
>thanks!

f you have a Unix-based site, use Ipchains or Iptables to block the IP
address from the server.

Matt

EMAIL REMOVED (Matt Probert) wrote:

> On Wed, 13 Dec 2006 22:15:06 -0700, "Nathan In Montana"
> <EMAIL REMOVED> wrote:
>
>>is there any way to block outside access via IP address through a
>>linksys wrt54g router? someone is running a script 24/7 for weeks now
>>trying to gain administrator access to my windows 2000 server
>>webserver. i have the IP but am unsure what to do with it. any help
>>would be appreciated. below is a small sample of my IIS logs. if i
>>need a different router to be able to block his IP, please recommend
>>one. thanks!
>
> f you have a Unix-based site, use Ipchains or Iptables to block the IP
> address from the server.

Uhm, router, Win2K server, IIS. Did you read the post? (Don't answer).

--
John Need help with SEO? Get started with a SEO report of your site:

--> http://johnbokma.com/websitedesign/seo-expert-help.html

"Nathan In Montana" <EMAIL REMOVED> wrote:

> is there any way to block outside access via IP address through a
> linksys wrt54g router? someone is running a script 24/7 for weeks now
> trying to gain administrator access to my windows 2000 server
> webserver. i have the IP but am unsure what to do with it.

Copy paste it after this URL, and contact the ISP that owns this IP
address. Tell them that a infected PC (zombie) is scanning your and
probably more networks.

http://www.spamcop.net/sc?track=


> any help
> would be appreciated. below is a small sample of my IIS logs. if i
> need a different router to be able to block his IP, please recommend
> one. thanks!

No experience with the linksys (yet). You probably forward port 80 to your
IIS server. Wouldn't worry too much about it. Bother the ISP enough, and
the problem will go away.


--
John Need help with SEO? Get started with a SEO report of your site:

--> http://johnbokma.com/websitedesign/seo-expert-help.html

Nathan In Montana wrote:

> is there any way to block outside access via IP address through a linksys
> wrt54g router?

Not sure about that particular model -- is there a newsgroup for Linksys
products? Might be more appropriate than aww.

> if i need a different router to be able to block his IP, please
> recommend one.

The ZyWALL products are quite nice -- perhaps overkill for a home user.

If you've got an old computer (233 MHz is probably fast enough) and a
couple of spare ethernet cards, then installing Linux on that and setting
up an iptables firewall will do the job cheaply, and you'll learn a lot
from it.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact

Fleeing from the madness of the jungle
Nathan In Montana <EMAIL REMOVED> stumbled into
news:alt.www.webmaster
and said:

> is there any way to block outside access via IP address through a linksys
> wrt54g router? someone is running a script 24/7 for weeks now trying to
> gain administrator access to my windows 2000 server webserver. ..

no idea about that router in particular, but you should create a new user
with administrator rights and disable the 'administrator' user.

oh yes, and please add one vote to the suggestion you employ an old PC as
an iptables firewall.

--
William T***o

http://williamt***o.com/words/what-is-usenet.asp

"John Bokma" <EMAIL REMOVED> wrote in message
news:Xns989911235873Bcastleamber@130.133.1.4...
> Copy paste it after this URL, and contact the ISP that owns this IP
> address. Tell them that a infected PC (zombie) is scanning your and
> probably more networks.

trouble is that IP originates in china. my own ISP has told me to not even
bother trying to shut down the IP. theyre currently working on blocking it
on their router to keep it from ever reaching mine. it runs literally 24/7
continually scanning my server.
thanks,

--
Nathan in Montana
http://ConcealedCarryForum.com
http://1911Tech.com
http://GlockCarry.com

"Nathan In Montana" <EMAIL REMOVED> wrote:

> "John Bokma" <EMAIL REMOVED> wrote in message
> news:Xns989911235873Bcastleamber@130.133.1.4...
>> Copy paste it after this URL, and contact the ISP that owns this IP
>> address. Tell them that a infected PC (zombie) is scanning your and
>> probably more networks.
>
> trouble is that IP originates in china. my own ISP has told me to not
> even bother trying to shut down the IP.

The USA is #1 for spam (see
http://www.spamhaus.org/statistics/countries.l***o ) but this doesn't mean
that reporting spam is useless.

I would say, give it a try, keep bothering them enough.

> theyre currently working on
> blocking it on their router to keep it from ever reaching mine. it
> runs literally 24/7 continually scanning my server.

Yeah, I know how those things can bother. It might even be an accident.
Some time ago I had someone download a file (blacklist) every 10 minutes
or so. After contacting the right people it was fixed. I still would
suggest to email the IP owner.

--
John Need help with SEO? Get started with a SEO report of your site:

--> http://johnbokma.com/websitedesign/seo-expert-help.html

"Nathan In Montana" <EMAIL REMOVED> writes:

> "John Bokma" <EMAIL REMOVED> wrote in message
> news:Xns989911235873Bcastleamber@130.133.1.4...
> > Copy paste it after this URL, and contact the ISP that owns this IP
> > address. Tell them that a infected PC (zombie) is scanning your and
> > probably more networks.
>
> trouble is that IP originates in china.

Shocking.


> my own ISP has told me to not even
> bother trying to shut down the IP.

I'd agree.

> theyre currently working on blocking it on their router to keep it
> from ever reaching mine. it runs literally 24/7 continually
> scanning my server. thanks,

I believe the wrt54g would have the ability to ban specific ip's. If
not in the stock firmware, certainly in the myriad of open source
firmwares avilable for it dd-wrt and the like.

But once you block one, I suspect another IP will grow to take its
place eventually--constant attacks are sort of a fact of life.

You might start investigating beefier firewalls that include intrusion
prevention features that'll automatically block these attempts beyond
a certain threshhold.

Best Regards,
--
Todd H.
http://www.toddh.net/

EMAIL REMOVED (Todd H.) wrote:

> "Nathan In Montana" <EMAIL REMOVED> writes:

[..]

>> trouble is that IP originates in china.
>
> Shocking.

You think it would have made a difference if it was the USA? My personal
experience is that the origin of an IP doesn't matter that much. There
isn't a fixed rule. Some garbage out of Russia gets fixed in a short time,
some USA providers don't care shit about issues like this.

Thinking: it's China, where the criminals live, is beyond naive.

--
John Need help with SEO? Get started with a SEO report of your site:

--> http://johnbokma.com/websitedesign/seo-expert-help.html