Full Version: Quick Win Firewall Suggestions to block IP ??
DeadTed
I currently use the Win 2003 firewall without much problem on game servers; however, I now have a person who is being a pest, spamming RCON requests and trying to hack into RCON on a game server.

This has been going on off and on for almost a week.

I need to be able to quickly block an IP from sending UDP/TCP requests. This is not available in Windows firewall.

Can someone please give me a quick solution or suggestion?

It would be very much appreciated...
handlebar
Not like this is a solution, but which game are they trying to rcon brute force? I know some Quake3 engine games will automatically disable the rcon if someone is spamming rcon requests, but there are some patches to turn that behavior off.

If you wanted to block a specific IP address you'll either want to get a secondary firewall (yuck) or use something like Windows IPSec, which is built in.

Hopefully these links will help (some might not directly show you what to do, but you should be able to infer what the next steps would be):
http://www.petri.co.il/block_ping_traffic_with_ipsec.htm
http://www.windowsitpro.com/Articles/Artic...25935.html?Ad=1
http://www.infosec.csusb.edu/info/practices/ipsec-filtering/

Look around on google for ipsec ip blocking. That should give you some good leads.
DeadTed
Thanks handlebar. After doing some reading on one of those links I was able to apply an IPSec policy that blocked them. I did a test by adding one of my other server IPs and it can't even ping it.

Thanks again for your help.
handlebar
You're welcome. If you are really adventurous and feel like locking things down more, you could completely replace the Windows firewall with an IPSec firewall. It isn't as forgiving as the Windows firewall, but will lock things up tight.

I don't know if others are reading this thread, but can you explain what steps you went through to block the ip?
ajz4221
As handlebar stated, read up on IPSEC and dump the Windows Firewall.
IPSEC will get you greater security and more control over your machine.
Make sure you save a working policy first so if you manage to lock yourself out, ThePlanet can restore to that IPSEC setting from the console.
DeadTed
I used instructions from this link as below: http://www.windowsitpro.com/Articles/Artic...25935.html?Ad=1

On a Win2K system, you can create multiple IPSec policies, but you can assign (i.e., activate) only one of them. IPSec policies consist of one or more rules. Each rule has a packet filter and a specified action that Win2K will execute on any packets that meet the associated filter criteria. You can specify the actions negotiate IP security, permit, or block. Let's create one IPSec policy that consists of one block rule and one permit rule. The block rule will block all packets by default. Then, we'll add a permit rule that will allow packets for the port and source IP address combinations I described earlier.

Open Local Security Settings on your server, maneuver to IP Security Policies on Local Machine, right-click the details pane, and select Create IP Security Policy. Click Next on the wizard's first page, enter Packet Filters as the policy's name, and click Next. Clear the Activate the default response rule check box, then click Next, Finish. Now you have an empty policy, as Figure 1, page 2, shows.

Next, create the block rule. To start the Create Security Rule Wizard, click Add on the Rules tab, then click Next on the first three pages. On the fourth page, the wizard asks you to select an authentication method for this rule. Although permit and block rule actions don't use any authentication, Win2K still requires that you configure an authentication method. If your server is in a domain, you can leave Kerberos selected; otherwise, select Use this string to protect the key exchange (preshared key) and enter any text you want as the key.

Click Next, and the wizard asks you for an IP filter list. This is the default rule; select All IP Traffic and click Next. The wizard asks for your filter action. Out of the box, Win2K has three actions—Permit, Request Security, and Require Security—but no block action, so click Add to start the Filter Action Wizard, then click Next on the first page. Enter Block for the action's name and click Next. Select Block for the filter action behavior, then click Next, Finish. On the Create Security Rule wizard, select Block, then click Next, Finish. Your policy now contains one rule that blocks all IP traffic.
****************

*BUT* before I did the above I created a new rule I called "Block Bad IP List". This is where I put in the three bad IPs. In the step above where it says to select "Block all IP Traffic", which was a default rule, I selected my new "Block Bad IP List" rule I had created with the 3 bad IPs. Of course I wouldn't want to block all IP Traffic, which was used in the example instructions from that page.

Works great for me. That's all I need for now.
DeadTed
The above works fine; however, this guy continues to be a pest.

He's been a problem for several days and is a general annoyance.

What he does now is daily change his IP address so my last firewall block no longer applies.

His IP address starts with: 58.173.

It seems he is able to change the last two sets of numbers off and on. So he is a pain to my customer until I get a report he's at it again, grab his new IP address and add it to the block.

There's no way I can see to block 58.173.*.* IP range in IPsec.

If anyone has any suggestions using IPsec to do that it would be much appreciated.

Thank you.
Gorrdy
You should be able to take out his whole subnet in IPsec no problem, just remember you're taking out anyone else from that ISP as well.
DeadTed
Yeah, I went ahead and banned his whole subnet. I don't think I will have many people that are customers from AU anyway.

I banned like 10 IP addresses from this guy before that.
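
Added example, not part of the thread or the linked article: the block-list policy DeadTed describes, built from the command line with `netsh ipsec static` on Windows Server 2003, with the previous policy store exported first as ajz4221 advises and the whole 58.173.*.* range expressed as a network plus mask. The three single addresses, the export path and the rule name "Block Bad IPs" are assumptions; the other names come from the posts above.

```batch
@echo off
rem Added example: block-list IPSec policy for Windows Server 2003.
rem Single IPs below are placeholders (documentation ranges), not the
rem addresses from the thread, which were never posted.

rem 1. Export the current policy store before changing anything, so a
rem    known-good state can be restored if the new policy locks you out.
rem    C:\ipsec-known-good is an assumed path.
netsh ipsec static exportpolicy file=C:\ipsec-known-good

rem 2. Create the empty policy without the default response rule.
netsh ipsec static add policy name="Packet Filters" activatedefaultrule=no assign=no

rem 3. Create the filter list that holds the unwanted sources.
netsh ipsec static add filterlist name="Block Bad IP List"

rem    Single hosts. mirrored=yes also matches the server's replies.
for %%A in (203.0.113.10 203.0.113.27 198.51.100.44) do (
    netsh ipsec static add filter filterlist="Block Bad IP List" ^
        srcaddr=%%A dstaddr=Me protocol=ANY mirrored=yes
)

rem    Whole range: 58.173.*.* is network 58.173.0.0, mask 255.255.0.0.
rem    This also blocks every other customer of that ISP in the range.
netsh ipsec static add filter filterlist="Block Bad IP List" ^
    srcaddr=58.173.0.0 srcmask=255.255.0.0 dstaddr=Me protocol=ANY mirrored=yes

rem 4. Create the Block filter action (not present out of the box).
netsh ipsec static add filteraction name="Block" action=block

rem 5. Tie the filter list to the Block action inside the policy.
rem    "Block Bad IPs" is an assumed rule name.
netsh ipsec static add rule name="Block Bad IPs" policy="Packet Filters" ^
    filterlist="Block Bad IP List" filteraction="Block"

rem 6. Assign (activate) the policy, then print it for review.
netsh ipsec static set policy name="Packet Filters" assign=yes
netsh ipsec static show policy name="Packet Filters" level=verbose
```

Only one policy can be assigned at a time, so on a server that already has an assigned IPSec policy the filter list and rule should be added to that policy instead of creating a second one.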