Phil Murnane
Folks:
I'm running Windows 2000 Server SP4 (with all critical updates from
windowsupdate.microsoft.com), and am having a strange problem with
IPSec -- at least Network Monitor says I am.
I run IIS, and every day I check the http & ftp logs for attacks on my
server. When I find one, I add the attacker's IP address to the IP
Filter List in my policy, which is set to Block. Windows disregards
the packets from then on, and all is well. I've been doing this for
about a year with no problems.
Today I tried to block IP address 213.222.11.228, but according to
Network Monitor, I'm still sending/receiving TCP data to/from this
address. I tried replacing the specific IP address with an entry to
block the whole subnet, but that didn't help.
Anyone have a guess as to what's going on? Is there perhaps a maximum
number of entries permitted in an IP Filter List? Does any malicious
code exist out there that defeats Windows IPSec?
According to ARIN, 213.222.11.228 is RIPE Network in Amsterdam, which
has always been a hotbed of malicious activity in my experience, so
I'm kind of anxious to get this traffic stopped.
This is what my IPSec policy looks like:
IPSec Policy Name: Default
Policy Assigned: Yes

"Default" Properties:
    Rules Tab:
        IP Filter List: Hackers
        Filter Action: Block
        Authentication: Preshared Key (I've tried changing the PSK, but no
        improvement)
        Tunnel Setting: None
        Connection Type: All
    General Tab:
        [everything at windows defaults]

Rule Properties:
    IP Filter List: Hackers (contains hundreds and hundreds of addresses)
    Filter Action: Block (contains security method: Block)
    Authentication Methods: Preshared Key
    Tunnel Setting: This rule does not specify an IPSec tunnel
    Connection Type: All network connections

Sample IP Filter List entry:
    Addressing Tab:
        Source Address: A specific IP address
        IP Address: www.xxx.yyy.zzz
        Subnet Mask: 255.255.255.255
        Destination Address: Any IP address
        Mirrored: [selected]
    Protocol Tab:
        Protocol: Any
Thanks In Advance for Any Help,
--Phil
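Added example (not part of Phil's post, and not Windows code): a small Python model of the filter-list semantics he describes, so the two things worth checking before blaming the IPSec driver can be done mechanically. First, that the address really falls inside at least one entry once masks are applied (a host entry with mask 255.255.255.255, a subnet entry with 255.255.255.0, mirrored so replies are covered too). Second, that the capture actually shows the server sending packets to the blocked address, which is the decisive evidence that a Block action is not being applied; merely seeing inbound packets from that address in a capture proves nothing, because the sender controls those. The filter-list text format, the capture lines, and the addresses other than 213.222.11.228 are constructed for the example.

```python
"""Model of a Windows 2000 IPSec 'Block' filter list, as described in the post,
used to (a) confirm an address is covered by some entry and (b) find capture
lines where the server itself talks to a supposedly blocked address.
Constructed example; it does not read real IPSec policy or Network Monitor files.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class FilterEntry:
    """One 'Addressing Tab' entry: source host/subnet, destination Any."""
    source: str            # the "IP Address" field
    mask: str              # "Subnet Mask"; 255.255.255.255 means a single host
    mirrored: bool = True  # "Mirrored" also matches packets sent back to source

    @property
    def network(self) -> ipaddress.IPv4Network:
        # strict=False so a host address paired with a /24 mask is accepted
        return ipaddress.ip_network(f"{self.source}/{self.mask}", strict=False)

    def matches(self, src: str, dst: str) -> bool:
        """Would this entry match a packet from src to dst?"""
        if ipaddress.ip_address(src) in self.network:
            return True
        return self.mirrored and ipaddress.ip_address(dst) in self.network


def parse_filter_list(text: str) -> List[FilterEntry]:
    """Parse 'address mask' lines (constructed format, one entry per line)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # allow trailing comments
        if not line:
            continue
        addr, mask = line.split()
        entries.append(FilterEntry(addr, mask))
    return entries


def covering_entries(entries: List[FilterEntry], ip: str) -> List[FilterEntry]:
    """Every entry whose network contains ip; empty means the list misses it."""
    target = ipaddress.ip_address(ip)
    return [e for e in entries if target in e.network]


def server_replies_to_blocked(entries: List[FilterEntry], capture: str,
                              server_ip: str) -> List[str]:
    """Capture lines ('src dst proto') where the server sends to a blocked
    address. Any hit means the Block action is not being enforced."""
    hits = []
    for raw in capture.splitlines():
        line = raw.strip()
        if not line:
            continue
        src, dst, _proto = line.split()
        if src == server_ip and covering_entries(entries, dst):
            hits.append(line)
    return hits


# Constructed filter list: the host entry from the post plus the whole-subnet
# entry Phil also tried, and one unrelated host.
FILTER_LIST_TEXT = """
213.222.11.228 255.255.255.255   # host entry from the post
213.222.11.0   255.255.255.0     # whole-subnet entry
10.0.0.7       255.255.255.255
"""

# Constructed capture summary; 192.0.2.10 stands in for the IIS server.
CAPTURE_TEXT = """
213.222.11.228 192.0.2.10 TCP
192.0.2.10 213.222.11.228 TCP
198.51.100.4 192.0.2.10 TCP
192.0.2.10 198.51.100.4 TCP
213.222.11.77 192.0.2.10 TCP
"""

if __name__ == "__main__":
    entries = parse_filter_list(FILTER_LIST_TEXT)
    print("entries covering 213.222.11.228:",
          [e.source + "/" + e.mask for e in covering_entries(entries, "213.222.11.228")])
    print("server packets to blocked hosts:",
          server_replies_to_blocked(entries, CAPTURE_TEXT, "192.0.2.10"))
```

The second line of the constructed capture is the kind of evidence that matters: the server answering a host that two entries cover. Inbound lines from 213.222.11.228 or 213.222.11.77 are expected in any capture and say nothing about whether the filter is working.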