From: Louis LeBlanc
To: freebsd-questions@freebsd.org
Date: Sat, 29 Mar 2003 12:07:46 -0500
Subject: Re: Annoying RedAlert.com activity
Message-ID: <20030329170746.GA76439@keyslapper.org>
In-Reply-To: <3.0.5.32.20030329082518.0142ed68@sage-one.net>

On 03/29/03 08:25 AM, Jack L. Stone sat at the `puter and typed:
> This is semi-OT, but is a FBSD firewall question.
>
> Every day, I see this in the logs:
> 65.194.51.136 - - [29/Mar/2003:00:26:47 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.133 - - [29/Mar/2003:00:26:47 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.131 - - [29/Mar/2003:00:26:49 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.135 - - [29/Mar/2003:00:26:50 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.132 - - [29/Mar/2003:00:26:52 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.134 - - [29/Mar/2003:00:26:55 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.155 - - [29/Mar/2003:00:28:24 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.156 - - [29/Mar/2003:00:29:14 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.137 - - [29/Mar/2003:00:30:45 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.154 - - [29/Mar/2003:00:34:13 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.152 - - [29/Mar/2003:00:34:21 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.151 - - [29/Mar/2003:00:34:50 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
> 65.194.51.165 - - [29/Mar/2003:00:34:52 -0600] "HEAD / HTTP/1.0" 200 0 "-"
> "RedAlert.com"
>
> Question:
> At the "redalert.com" web site, they claim to be a server monitoring
> service, but I've never signed up for the service and don't want this daily
> waste of BW that appears on all of my web servers. It is annoying and I
> would like to block their network via the firewall.
>
> Based on the above, what would be the best choice of how to block the network:
> 65.194.51.?/?
>
> Thanks for any suggestions....

I'd start with any of the 'contact us' links that are probably all over their website.
You never know, they may have inadvertently started monitoring your websites, or your upstream provider might have signed themselves or you up. If it has something to do with your upstream provider, bring up the added bandwidth issue, and ask how that affects your monthly bill. I'm sure someone can simply stop these hits at the source.

Failing that, look up the IP block and just block that range:

    $ whois -h whois.arin.net 65.194.51.165
    UUNET Technologies, Inc. UUNET65 (NET-65-192-0-0-1)
                                      65.192.0.0 - 65.223.255.255
    Keynotes systems UU-65-194-51 (NET-65-194-51-0-1)
                                      65.194.51.0 - 65.194.51.255

This is a pretty broad range, so you might want to start with a range you know redalert uses (.131-.165), then just expand it as you get new messages.

HTH
Lou
-- 
Louis LeBlanc               leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

Many a writer seems to think he is never profound except when he can't
understand his own meaning.
    -- George D. Prentice
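
Added example (not part of the original message or thread): a Python sketch that turns the "65.194.51.?/?" question into concrete CIDR candidates, from the exact addresses seen in the log, through the .131-.165 range suggested in the reply, up to the whois allocation, going one step further by also computing the smallest single CIDR. The function names are hypothetical, the log sample is five entries from the quoted log plus one constructed line, and 65.194.51.0/24 is the CIDR form of the whois range 65.194.51.0 - 65.194.51.255.

```python
import ipaddress
import re

# Five entries copied from the quoted access log, plus one constructed
# line (192.0.2.10) from an unrelated client to show the filter.
SAMPLE_LOG = """\
65.194.51.133 - - [29/Mar/2003:00:26:47 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
65.194.51.131 - - [29/Mar/2003:00:26:49 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
65.194.51.132 - - [29/Mar/2003:00:26:52 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
192.0.2.10 - - [29/Mar/2003:00:27:01 -0600] "GET / HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
65.194.51.155 - - [29/Mar/2003:00:28:24 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
65.194.51.165 - - [29/Mar/2003:00:34:52 -0600] "HEAD / HTTP/1.0" 200 0 "-" "RedAlert.com"
"""
# Combined log format: captures the client address and the User-Agent.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def sources_for_agent(log_text, agent):
    """Sorted unique IPv4 clients whose User-Agent field equals `agent`."""
    found = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(2) == agent:
            found.add(ipaddress.IPv4Address(m.group(1)))
    return sorted(found)

def block_candidates(addrs, allocation):
    """Candidate block lists, narrowest first, checked against the whois range."""
    alloc = ipaddress.ip_network(allocation)
    # User-Agent is client-supplied, so refuse anything outside the allocation.
    if not addrs or any(a not in alloc for a in addrs):
        raise ValueError("no sources, or a source outside the whois allocation")
    observed = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(str(a)) for a in addrs))
    span = list(ipaddress.summarize_address_range(addrs[0], addrs[-1]))
    single = ipaddress.ip_network(str(addrs[0]))
    while addrs[-1] not in single:   # widen until one CIDR holds both ends
        single = single.supernet()
    return {"observed": observed, "range": span,
            "single": [single], "allocation": [alloc]}

if __name__ == "__main__":
    hits = sources_for_agent(SAMPLE_LOG, "RedAlert.com")
    for name, nets in block_candidates(hits, "65.194.51.0/24").items():
        total = sum(n.num_addresses for n in nets)
        print(f"{name:<10} {total:>3} addrs  {' '.join(map(str, nets))}")
```

Each candidate list is plain CIDR notation, so it can be used as the source match in whichever packet filter the host runs; the address counts show how much of the /24 each choice blocks beyond what was actually observed.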