Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Yes it makes sense if you don't regularly do business with those countries.
A couple caveats:
Some folks from those countries may be attacking you from other compromised systems outside their own country so the blocks won't stop everything but will stop quite a bit. (Despite others that will post here telling you it is a wasted effort.)
Some things you might want to receive might get inadvertently blocked. For example we found that Samsung USA although based here in the U.S. was sending email via its South Korean based mail servers. Blocking all of South Korea therefore blocked Samsung USA as well. Of course you could determine specific IPs and make them exceptions to your general rule.
i do understand the ramifications from a full cidr block. i am absolutely confident that blocking all the china inetnum's will be good and we won't be missing any legitimate data that we'll need.
thanks for the help, this is some absolutely helpful info!
There is a tutorial here. That said, it doesn't feel like the best tutorial (or idea) ever.
Why do I say it doesn't feel like the best idea ever? Well, you have to think about efficiency, and that can be done better with ipset, see tut here. (Alternatively, this.)
Then there is the issue of maintainability. this is somewhat dealt with in the first reference, but you'll have something only marginally comprehensible going on (and I haven't spent any time working out what happens if the download of new ip list fails, but you'd want to think about that).
Quote:
Originally Posted by socalheel
i have this one web server that is constantly getting attacked from ip locations from china, vietnam, russia, india, taiwan, etc.
It is said that the largest source of inet attacks by absolute number is from the US. It may be quite a different situation by percentage, but the US will have the largest number of internet enabled potential attackers.
Depending on where you are, and what kind of attack we are talking about, you might be better off considering whitelisting rather than blacklisting.
IF this is something like ssh that is under attack, then there are several things that you ought to do. Read this first.
Most people find that just changing the port dramatically reduces the number of ssh attacks - this seems to be because the majority of the attacks are simple scripted jobs (the alternative understanding of this is that you've filtered out the incompetent ones and the ones that are left are just the competent ones, which doesn't sound like quite as good a bargain). My feeling is that relying on a changed port number alone isn't that secure, but in combination with something else (see the samhain article)...
Quote:
Originally Posted by socalheel
i have this one web server that is constantly getting attacked from ip locations from china, vietnam, russia, india, taiwan, etc.
The inference that I draw from this is that you have other servers which don't get attacked. Is that right, and is there any reason (for example, different capabilities, etc)?
Quote:
Originally Posted by socalheel
if that is not the feasible approach, does anyone have any ideas on what's the best course of action to take to keep this guys at bay?
Well, feasible, yes. But maybe not the best, depending.
The inference that I draw from this is that you have other servers which don't get attacked. Is that right, and is there any reason (for example, different capabilities, etc)?
excellent question and you are correct. while i'm not trying to identify specific applications and/or vulnerabilities, this particular server primarily runs a popular website building application and most admins of these websites do not install the updates to address vulnerabilities, and these outdated plugins/apps are being exploited constantly.
i've installed OSSEC server and agent and i blocked a few chinese inetnums and this has already made a HUGE difference. still a ways to go, but it's a start.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
