Need help with firewall.

Post by paperb0y »

How can I block this with the firewall?

tcpdump: WARNING: vbr.13: no IPv4 address assigned
tcpdump: listening on vbr.13, link-type EN10MB (Ethernet), capture size 96 bytes
11:06:01.603432 IP (tos 0x0, ttl 116, id 58986, offset 0, flags [none], proto UDP (17), length 44)
    93.118.199.195.27005 > 74.91.112.223.27015: UDP, payload 16
	0x0000:  4500 002c e66a 0000 7411 7fe2 5d76 c7c3  E..,.j..t...]v..
	0x0010:  4a5b 70df 697d 6987 0018 ceda ffff ffff  J[p.i}i.........
	0x0020:  6765 7463 6861 6c6c 656e 6765            getchallenge
11:06:01.604273 IP (tos 0x0, ttl 128, id 547, offset 0, flags [none], proto UDP (17), length 56)
    74.91.112.223.27015 > 93.118.199.195.27005: UDP, payload 28
	0x0000:  4500 0038 0223 0000 8011 581e 4a5b 70df  E..8.#....X.J[p.
	0x0010:  5d76 c7c3 6987 697d 0024 e0a9 ffff ffff  ]v..i.i}.$......
	0x0020:  4130 3030 3030 3030 3020 3132 3638 3532  A00000000.126852
	0x0030:  3734 3434 2032 0a00                      7444.2..
11:06:01.769298 IP (tos 0x0, ttl 128, id 548, offset 0, flags [none], proto UDP (17), length 128)
    74.91.112.223.26900 > 72.165.61.187.27017: UDP, payload 100
	0x0000:  4500 0080 0224 0000 8011 f6ae 4a5b 70df  E....$......J[p.
	0x0010:  48a5 3dbb 6914 6989 006c 4218 5653 3031  H.=.i.i..lB.VS01
	0x0020:  4000 0700 0002 0000 006c 3c43 0000 0000  @........l<C....
	0x0030:  0700 0000 0100 0000 0000 0000 4000 0000  ............@...
	0x0040:  aede c399 e25c b44e 7b72 ec92 1053 b126  .....\.N{r...S.&
	0x0050:  ac21                                     .!
11:06:01.770272 IP (tos 0x0, ttl 116, id 58999, offset 0, flags [none], proto UDP (17), length 77)
    93.118.199.195.27005 > 74.91.112.223.27015: UDP, payload 49
	0x0000:  4500 004d e677 0000 7411 7fb4 5d76 c7c3  E..M.w..t...]v..
	0x0010:  4a5b 70df 697d 6987 0039 25be ffff ffff  J[p.i}i..9%.....
	0x0020:  7263 6f6e 2031 3236 3835 3237 3434 3420  rcon.1268527444.
	0x0030:  2231 3932 3230 3030 2220 6563 686f 2058  "1922000".echo.X
	0x0040:  4272 7574 6520 6279 205a 6561 4c         Brute.by.ZeaL
11:06:01.771810 IP (tos 0x0, ttl 128, id 549, offset 0, flags [none], proto UDP (17), length 148)
    74.91.112.223.27015 > 174.121.10.253.27600: UDP, payload 120
	0x0000:  4500 0094 0225 0000 8011 c383 4a5b 70df  E....%......J[p.
	0x0010:  ae79 0afd 6987 6bd0 0080 7542 ffff ffff  .y..i.k...uB....
	0x0020:  6c6f 6720 4c20 3036 2f32 392f 3230 3133  log.L.06/29/2013
	0x0030:  202d 2031 303a 3035 3a35 313a 2042 6164  .-.10:05:51:.Bad
	0x0040:  2052 636f 6e3a 2022 7263 6f6e 2031 3236  .Rcon:."rcon.126
	0x0050:  3835                                     85
11:06:01.771982 IP (tos 0x0, ttl 128, id 550, offset 0, flags [none], proto UDP (17), length 54)
    74.91.112.223.27015 > 93.118.199.195.27005: UDP, payload 26
	0x0000:  4500 0036 0226 0000 8011 581d 4a5b 70df  E..6.&....X.J[p.
	0x0010:  5d76 c7c3 6987 697d 0022 e0a7 ffff ffff  ]v..i.i}."......
	0x0020:  6c42 6164 2072 636f 6e5f 7061 7373 776f  lBad.rcon_passwo
	0x0030:  7264 2e0a 0000                           rd....
11:06:02.547287 IP (tos 0x0, ttl 128, id 551, offset 0, flags [none], proto UDP (17), length 128)
    74.91.112.223.26901 > 208.64.200.137.27017: UDP, payload 100
	0x0000:  4500 0080 0227 0000 8011 e441 4a5b 70df  E....'.....AJ[p.
	0x0010:  d040 c889 6915 6989 006c 5482 5653 3031  .@..i.i..lT.VS01
	0x0020:  4000 0600 0002 0000 0072 a9e6 0b00 0000  @........r......
	0x0030:  0700 0000 0100 0000 0b00 0000 4000 0000  ............@...
	0x0040:  236e 595a a669 8c8d 8067 d5c0 76d8 a5ae  #nYZ.i...g..v...
	0x0050:  a6d7                                     ..
11:06:02.587316 IP (tos 0x0, ttl 116, id 12409, offset 0, flags [none], proto UDP (17), length 44)
    89.231.185.178.13193 > 74.91.112.223.27015: UDP, payload 16
	0x0000:  4500 002c 3079 0000 7411 4774 59e7 b9b2  E..,0y..t.GtY...
	0x0010:  4a5b 70df 3389 6987 0018 166f ffff ffff  J[p.3.i....o....
	0x0020:  6765 7463 6861 6c6c 656e 6765            getchallenge
11:06:02.589263 IP (tos 0x0, ttl 128, id 552, offset 0, flags [none], proto UDP (17), length 55)
    74.91.112.223.27015 > 89.231.185.178.13193: UDP, payload 27
	0x0000:  4500 0037 0228 0000 8011 69ba 4a5b 70df  E..7.(....i.J[p.
	0x0010:  59e7 b9b2 6987 3389 0023 cf08 ffff ffff  Y...i.3..#......
	0x0020:  4130 3030 3030 3030 3020 3638 3137 3634  A00000000.681764
	0x0030:  3538 3520 320a 00                        585.2..
11:06:02.748965 IP (tos 0x0, ttl 116, id 12425, offset 0, flags [none], proto UDP (17), length 77)
    89.231.185.178.13193 > 74.91.112.223.27015: UDP, payload 49
	0x0000:  4500 004d 3089 0000 7411 4743 59e7 b9b2  E..M0...t.GCY...
	0x0010:  4a5b 70df 3389 6987 0039 6f4d ffff ffff  J[p.3.i..9oM....
	0x0020:  7263 6f6e 2036 3831 3736 3435 3835 2022  rcon.681764585."
	0x0030:  3234 3032 3230 3030 2220 6563 686f 2058  24022000".echo.X
	0x0040:  4272 7574 6520 6279 205a 6561 4c         Brute.by.ZeaL
11:06:02.749985 IP (tos 0x0, ttl 128, id 553, offset 0, flags [none], proto UDP (17), length 148)
    74.91.112.223.27015 > 174.121.10.253.27600: UDP, payload 120
	0x0000:  4500 0094 0229 0000 8011 c37f 4a5b 70df  E....)......J[p.
	0x0010:  ae79 0afd 6987 6bd0 0080 7542 ffff ffff  .y..i.k...uB....
	0x0020:  6c6f 6720 4c20 3036 2f32 392f 3230 3133  log.L.06/29/2013
	0x0030:  202d 2031 303a 3035 3a35 323a 2042 6164  .-.10:05:52:.Bad
	0x0040:  2052 636f 6e3a 2022 7263 6f6e 2036 3831  .Rcon:."rcon.681
	0x0050:  3736                                     76
11:06:02.750205 IP (tos 0x0, ttl 128, id 554, offset 0, flags [none], proto UDP (17), length 54)
    74.91.112.223.27015 > 89.231.185.178.13193: UDP, payload 26
	0x0000:  4500 0036 022a 0000 8011 69b9 4a5b 70df  E..6.*....i.J[p.
	0x0010:  59e7 b9b2 6987 3389 0022 cf07 ffff ffff  Y...i.3.."......
	0x0020:  6c42 6164 2072 636f 6e5f 7061 7373 776f  lBad.rcon_passwo
	0x0030:  7264 2e0a 0000                           rd....

12 packets captured
14 packets received by filter
0 packets dropped by kernel

Post by Edge100x »

That looks like a 3rd party attempting to brute-force your rcon password. To block it, you could use the Firewall page to block the IP address (93.118.199.195), or block the IP through the game server, or block rcon entirely (by using string matching and checking for hex bytes ffff ffff 7263 6f6e between 28 and 35). But, this sort of activity should not harm your server as long as you have a secure, complicated rcon password.
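
The byte match described in the reply above, applied to packets from the capture in the first post; this is an added example, not part of the original thread. Offset 28 is the 20-byte IPv4 header plus the 8-byte UDP header, so bytes 28-35 are the first eight payload bytes. The function and variable names are illustrative, and the hex is copied from the tcpdump output above.

```python
from collections import Counter

# 0xffffffff header followed by ASCII "rcon" (the bytes quoted in the reply above)
RCON_SIG = bytes.fromhex("ffffffff72636f6e")

# Hex columns copied from the tcpdump output in the first post (ASCII column dropped).
PACKETS_HEX = {
    "getchallenge": """4500 002c e66a 0000 7411 7fe2 5d76 c7c3 4a5b 70df 697d 6987
        0018 ceda ffff ffff 6765 7463 6861 6c6c 656e 6765""",
    "rcon_a": """4500 004d e677 0000 7411 7fb4 5d76 c7c3 4a5b 70df 697d 6987
        0039 25be ffff ffff 7263 6f6e 2031 3236 3835 3237 3434 3420 2231 3932
        3230 3030 2220 6563 686f 2058 4272 7574 6520 6279 205a 6561 4c""",
    "rcon_b": """4500 004d 3089 0000 7411 4743 59e7 b9b2 4a5b 70df 3389 6987
        0039 6f4d ffff ffff 7263 6f6e 2036 3831 3736 3435 3835 2022 3234 3032
        3230 3030 2220 6563 686f 2058 4272 7574 6520 6279 205a 6561 4c""",
    "bad_rcon_reply": """4500 0036 0226 0000 8011 581d 4a5b 70df 5d76 c7c3 6987 697d
        0022 e0a7 ffff ffff 6c42 6164 2072 636f 6e5f 7061 7373 776f 7264 2e0a 0000""",
}
PKTS = {name: bytes.fromhex(h) for name, h in PACKETS_HEX.items()}

def payload_offset(pkt: bytes) -> int:
    """Offset of the UDP payload from the start of the IPv4 header, -1 if not IPv4/UDP."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return -1
    return (pkt[0] & 0x0F) * 4 + 8  # IHL in 32-bit words, plus the 8-byte UDP header

def is_rcon(pkt: bytes) -> bool:
    """True when the first eight payload bytes are ffffffff + 'rcon'."""
    off = payload_offset(pkt)
    return off >= 0 and pkt[off:off + 8] == RCON_SIG

def rcon_sources(packets) -> Counter:
    """Count matching packets per source IPv4 address (header bytes 12-15)."""
    hits = Counter()
    for pkt in packets:
        if is_rcon(pkt):
            hits[".".join(str(b) for b in pkt[12:16])] += 1
    return hits

if __name__ == "__main__":
    for name, pkt in PKTS.items():
        # last column: a plain "contains rcon" test, for comparison
        print(name, payload_offset(pkt), is_rcon(pkt), b"rcon" in pkt)
    print(dict(rcon_sources(PKTS.values())))
```

In this capture the signature arrives from both 93.118.199.195 and 89.231.185.178. The server's own "Bad rcon_password" reply contains the text rcon, but not at offset 28, so the anchored match leaves it alone.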

Post by paperb0y »

Ok, thanks.