The challange is to block all scanalert.com scans as they are apparently used by hackers to probe our servers.
Okay, so for the past two months we have collected all the scanalert IPs that we can and we have inserted these in an world accessible (via URL) list, and then inserted the URL in the GLOBAL_DENY = slot with an LF_GLOBAL = value of 1800
At first this seemed to work fine, but for the past week or so, I am getting several of these kinds of notices per day that involve IPs that should be blocked, i.e. that are in the GLOBAL_DENY list:
-----------------------
Time: Mon Oct 29 15:37:13 2007
IP: 216.35.7.105 (sc4-scan37.scanalert.com)
Failures: 12 (webmail)
Interval: 45 seconds
Blocked: Yes
Log entries:
216.35.7.105 - 0 [10/29/2007:20:37:01 -0000] "POST /login/ HTTP/1.1" webmaild: user name not specified or invalid user
216.35.7.105 - >"><script>alert(123)<script><" [10/29/2007:20:37:02 -0000] "POST /login/ HTTP/1.1" webmaild: user password hash is missing from system (user probably does not exist)
216.35.7.105 - 0 [10/29/2007:20:37:02 -0000] "POST /login/ HTTP/1.1" webmaild: user name not specified or invalid user
216.35.7.105 - 0 [10/29/2007:20:37:03 -0000] "POST /login/ HTTP/1.1" webmaild: user name not specified or invalid user
...... etc. etc. etc
-----------------------
Could there be something wrong with our IPTables?
Thanks very much for any help here.