Keeping a particular intruder out

If this is OT, then I apologise.

I'm running 2003 Standard, basically to host my wife's hobby sites.

I monitor the logs for intrusion attempts, and persistent offenders get
barred using a simple IPSEC implementation.

However, I cannot stop a plague of visits from msnbot/0.9 supposedly
originating from IP 65.55.246.129

My thoughts are:

1. IPSEC isn't working (but I've tested it and it appears OK)
2. M$ have left themselves a backdoor (unlikely, I would hope)
3. msnbot is spoofing it's IP

Any thoughts?

Re: Keeping a particular intruder out

From where are you getting the IP? The IIS logs?
IPsec uses the IP as actually in use, where as the IP logged in
the IIS logs seems to be from the http headers. I have run into
this before when trying to subvert pests with IPsec barring rules
when apparently the originating machine is behind a NAT so
that there is an outer IP in actual use by the network stack
that you much determine in order to block with IPsec.

"Peter" wrote in message
news:sfidnRyUYPbaYQbZnZ2dnUVZ8sydnZ2d@pipex.net...
> If this is OT, then I apologise.
>
> I'm running 2003 Standard, basically to host my wife's hobby sites.
>
> I monitor the logs for intrusion attempts, and persistent offenders get
> barred using a simple IPSEC implementation.
>
> However, I cannot stop a plague of visits from msnbot/0.9 supposedly
> originating from IP 65.55.246.129
>
> My thoughts are:
>
> 1. IPSEC isn't working (but I've tested it and it appears OK)
> 2. M$ have left themselves a backdoor (unlikely, I would hope)
> 3. msnbot is spoofing it's IP
>
> Any thoughts?

Re: Keeping a particular intruder out

"Roger Abell [MVP]" wrote in news:uwo7hjtlGHA.1240
@TK2MSFTNGP05.phx.gbl:

> From where are you getting the IP? The IIS logs?

Yes

> IPsec uses the IP as actually in use, where as the IP logged in
> the IIS logs seems to be from the http headers. I have run into
> this before when trying to subvert pests with IPsec barring rules
> when apparently the originating machine is behind a NAT so
> that there is an outer IP in actual use by the network stack
> that you much determine in order to block with IPsec.

So it seems.

Thanks for replying...

I can always fall back on to plan 'B' (which is a home-grown ISAPI filter
on the 'mod_rewrite' principle) so it's not the end of the world, but can
IPSEC (or any other IIS feature) be persuaded to part with the 'true' IP
information I want?

(2003 + SP1, if that is relevant)

Re: Keeping a particular intruder out

Not a clean, neat built-in way that captures the correlation with
what is seen in the IIS logs, at least not that I know of. There
are ways to get the network stack view, but that is uncorrelated.

--
Roger Abell
Microsoft MVP (Windows Server : Security)

"Peter" wrote in message
news:i8SdnRNR9571jgHZRVnytA@pipex.net...
> "Roger Abell [MVP]" wrote in news:uwo7hjtlGHA.1240
> @TK2MSFTNGP05.phx.gbl:
>
>> From where are you getting the IP? The IIS logs?
>
> Yes
>
>> IPsec uses the IP as actually in use, where as the IP logged in
>> the IIS logs seems to be from the http headers. I have run into
>> this before when trying to subvert pests with IPsec barring rules
>> when apparently the originating machine is behind a NAT so
>> that there is an outer IP in actual use by the network stack
>> that you much determine in order to block with IPsec.
>
> So it seems.
>
> Thanks for replying...
>
> I can always fall back on to plan 'B' (which is a home-grown ISAPI filter
> on the 'mod_rewrite' principle) so it's not the end of the world, but can
> IPSEC (or any other IIS feature) be persuaded to part with the 'true' IP
> information I want?
>
> (2003 + SP1, if that is relevant)

Re: Keeping a particular intruder out

On Fri, 23 Jun 2006 09:35:51 -0500, Peter wrote:

>If this is OT, then I apologise.
>
>I'm running 2003 Standard, basically to host my wife's hobby sites.
>
>I monitor the logs for intrusion attempts, and persistent offenders get
>barred using a simple IPSEC implementation.
>
>However, I cannot stop a plague of visits from msnbot/0.9 supposedly
>originating from IP 65.55.246.129
>
>My thoughts are:
>
>1. IPSEC isn't working (but I've tested it and it appears OK)
>2. M$ have left themselves a backdoor (unlikely, I would hope)
>3. msnbot is spoofing it's IP
>
>Any thoughts?

You're looking at trying to implement an intrudion detection system in
IIS, which isn't the best way to handle this.

Jeff