LinuxQuestions.org
Old 03-14-2013, 02:05 AM   #1
compused
Member
 
Registered: Oct 2006
Location: Melbourne Australia
Distribution: centos and redhat 8
Posts: 76

Rep: Reputation: 15
automatically detecting and blocking an ip address range


Hi
Fail2ban is showing, e.g.:
Thu Mar 14 16:55:18 EST 2013: 218.86.50.190 (3 failures)
Thu Mar 14 16:58:57 EST 2013: 204.12.228.50 (4 failures)
Thu Mar 14 17:00:27 EST 2013: 59.58.137.28 (3 failures)
Thu Mar 14 17:06:47 EST 2013: 218.86.50.106 (3 failures)
Thu Mar 14 17:15:41 EST 2013: 218.86.50.68 (3 failures)

So looking at the 218.86.50.x example, which reports as coming from China*, I really see no point in blocking just the one IP address, as the hacker comes back with a different (I think the terminology is 'host address'), e.g. .106 instead of .190, well before the fail2ban 'bantime' expires.

Is there any way of automatically detecting and blocking an IP host-address range with fail2ban, or some other way?

*I know you can't really presume that's where the problem is based.
Thanks
Compused
 
Old 03-14-2013, 02:58 AM   #2
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
You can select an entire subnet with -s 218.86.50.0/24 in iptables.
You can also use the iprange extension (the rule needs a target, -j DROP here, to do anything):
Code:
iptables -A INPUT -m iprange --src-range 74.125.229.164-74.125.229.174 -j DROP

For ssh logins, the /var/log/auth or /var/log/messages logs are parsed. The log won't indicate a range. I think the best thing to do is to add iptables rules dropping blocks of IPs, especially for ssh and email ports. Dropping blocks assigned to China at the firewall is common for domestic company email servers. You might want to check the ICANN registry to find how large a range of IPs you can block.

Assigning a high order port for ssh will greatly reduce the number of bot and script kiddie brute force attempts.

Last edited by jschiwal; 03-14-2013 at 03:03 AM.
 
Old 03-14-2013, 04:12 AM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
Blocking entire systems, especially in IPv4 space, can be difficult because the IPv4 address space is allocated like a block of Swiss cheese. As jschiwal suggested, you can try to block the whole IP range, and sometimes a whois report will give you the range in question. For example, the IP you mentioned is in the allocated range 218.85.0.0 - 218.86.127.255. Unfortunately, this isn't the whole story as the provider has a lot more blocks to pick from.

The next step is to get the AS, or autonomous system, number and from this you can get the list of IP addresses. This site can do that for you: http://asn.cymru.com/ Using your example, we can see that the IP is in AS4134. Now the next step is to find the IP addresses allocated to this system. An older post by unSpawn has a script to do this, and the website is still up, though the script may need to be tweaked a little bit. The script takes the page and hacks out the IP addresses and makes an iptables filter from it. Here is a link to the info for that AS. From this we can see that there are an absolute boatload of IP addresses in this network. However, here is an interesting tidbit. That particular IP range has this notation:
Code:
218.86.0.0/17        4777 2516 4134       - Withdrawn - aggregated with 218.86.128.0/17 (4777 2516 4134)
Which says that the original allocation 218.86.0.0 has been replaced with 218.86.128.0/17. If we look up the list a little higher we see this:
Code:
 218.84.0.0/14        4777 2516 4134       + Announce - aggregate of 218.84.0.0/15 (4777 2516 4134) and 218.86.0.0/15 (4777 2516 4134)
Which is a bigger aggregate block for this IP range of 218.84.0.0/14. Doing a CIDR mask mapping on this range shows that it runs from 218.84.0.0 to 218.87.255.255, which gives us fewer rules to put into iptables. Of course there are a lot more for even this ISP.
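The prefix arithmetic behind the whois and AS lookups in the reply above, as an added example that is not part of the thread and not unSpawn's script: it converts the whois range into CIDR prefixes, expands the /14 aggregate to its first and last address, checks which of the offending IPs from the first post actually fall inside it, and emits the -s style rules jschiwal suggested. Only the Python standard library is used and nothing is looked up online; the chain and target names in the emitted rules are assumptions.

```python
"""Turn whois ranges and BGP aggregates into iptables rules.

Added example, not from the thread. Uses only the standard library;
nothing here queries whois, asn.cymru.com or bgp.potaroo.net.
"""
import ipaddress

# Allocation range reported by whois for 218.86.50.190 (from the post, inclusive)
WHOIS_START = "218.85.0.0"
WHOIS_END = "218.86.127.255"

# Aggregate announced by AS4134 that the post settles on
AS_AGGREGATE = "218.84.0.0/14"

# Source addresses from the fail2ban output in the first post
OFFENDERS = ["218.86.50.190", "204.12.228.50", "59.58.137.28",
             "218.86.50.106", "218.86.50.68"]


def range_to_cidrs(first, last):
    """Minimal list of CIDR prefixes covering an inclusive whois range.

    whois ranges are usually not aligned to a single prefix, so one
    range can need several rules (the 'Swiss cheese' problem above).
    """
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def cidr_bounds(prefix):
    """First and last address of a prefix, the 'CIDR mask mapping' in the post."""
    net = ipaddress.ip_network(prefix, strict=True)  # strict: reject mis-aligned prefixes
    return str(net.network_address), str(net.broadcast_address)


def covered_by(prefix, ips):
    """Return the offenders that fall inside prefix (sanity check before blocking)."""
    net = ipaddress.ip_network(prefix)
    return [ip for ip in ips if ipaddress.ip_address(ip) in net]


def iptables_rules(prefixes, chain="INPUT", target="DROP"):
    """One rule per prefix, in the -s <cidr> form jschiwal suggested.

    chain and target are assumptions; a real deployment usually puts
    these in a dedicated chain in front of the ssh/smtp accept rules.
    """
    return [f"iptables -A {chain} -s {p} -j {target}" for p in prefixes]


if __name__ == "__main__":
    print("whois range as CIDR:", range_to_cidrs(WHOIS_START, WHOIS_END))
    print("AS aggregate bounds:", cidr_bounds(AS_AGGREGATE))
    print("offenders inside aggregate:", covered_by(AS_AGGREGATE, OFFENDERS))
    for rule in iptables_rules([AS_AGGREGATE]):
        print(rule)
```

The whois range needs two prefixes (218.85.0.0/16 and 218.86.0.0/17) even though it looks like one contiguous block, which is exactly why the announced /14 is the more convenient rule. The check in covered_by is worth keeping: only the three 218.86.50.x hosts are inside the /14, so a rule for it does nothing about 204.12.228.50 or 59.58.137.28, and a /14 of an ISP also drops every legitimate customer in it, which is acceptable for a private ssh port but not for a public web or mail service.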
 
Old 03-14-2013, 04:39 AM   #4
compused
Member
 
Registered: Oct 2006
Location: Melbourne Australia
Distribution: centos and redhat 8
Posts: 76

Original Poster
Rep: Reputation: 15
wow...being comprehensive creates complexity!

How about using ipset? As an IT non-professional, this is the simplest reference I can find:
http://www.linuxjournal.com/content/...urations-ipset

I did want to automate it.
Compfused
 
Old 03-21-2013, 06:21 PM   #5
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
Thanks compused. I had ipset in the back of my mind but didn't find it. The best tool probably depends on whether the OP can block a very large range, or needs to block scattered IP addresses in the range.
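Putting the thread's suggestions together as an added example (not from the thread, and not a fail2ban component): this groups the fail2ban hits from the first post by /24, and for any /24 that produced more than one distinct attacking host it emits a single ipset entry for the whole block while lone IPs are still added individually. The set name, the two-host threshold, the /24 width and the 24h timeout are assumptions chosen here; only the standard library is used.

```python
"""Detect attacks clustered in one /24 and ban the whole block with ipset.

Added example, not part of the thread and not a fail2ban component.
Assumptions: log lines in the format fail2ban printed in the first post,
an ipset of type hash:net named 'banned_nets', a threshold of two distinct
hosts per /24, and a 24h entry timeout (all chosen here; tune for your site).
"""
import ipaddress
import re
from collections import defaultdict

# The fail2ban output quoted in the first post of the thread
LOG_LINES = """\
Thu Mar 14 16:55:18 EST 2013: 218.86.50.190 (3 failures)
Thu Mar 14 16:58:57 EST 2013: 204.12.228.50 (4 failures)
Thu Mar 14 17:00:27 EST 2013: 59.58.137.28 (3 failures)
Thu Mar 14 17:06:47 EST 2013: 218.86.50.106 (3 failures)
Thu Mar 14 17:15:41 EST 2013: 218.86.50.68 (3 failures)
"""

# "<date>: <ip> (<n> failures)"; the colon followed by a space anchors past the timestamp
LINE_RE = re.compile(r":\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\((\d+) failures\)")
SET_NAME = "banned_nets"   # assumed set name
BAN_TIMEOUT = 86400        # assumed ipset entry timeout in seconds


def parse(text):
    """Return [(ip, failures)] for lines in the fail2ban format above.

    Private and otherwise non-routable sources are skipped so a low
    threshold never ends up banning the LAN.
    """
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:   # 999.1.1.1 matches the regex but is not an address
            continue
        if ip.version != 4 or not ip.is_global:
            continue
        hits.append((str(ip), int(m.group(2))))
    return hits


def cluster(hits, prefixlen=24, min_hosts=2):
    """Group hits by /prefixlen; keep blocks with >= min_hosts distinct sources.

    Returns {cidr: {ip: failures}}, busiest block first.
    """
    blocks = defaultdict(dict)
    for ip, fails in hits:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        blocks[str(net)][ip] = fails
    busy = {n: h for n, h in blocks.items() if len(h) >= min_hosts}
    return dict(sorted(busy.items(), key=lambda kv: -sum(kv[1].values())))


def setup_commands(setname=SET_NAME, timeout=BAN_TIMEOUT):
    """Run once: create the set and hook it into the INPUT chain."""
    return [
        f"ipset create {setname} hash:net timeout {timeout} -exist",
        f"iptables -I INPUT -m set --match-set {setname} src -j DROP",
    ]


def ban_commands(hits, setname=SET_NAME, prefixlen=24, min_hosts=2):
    """Run per batch: ban each busy block as one entry, lone IPs individually."""
    busy = cluster(hits, prefixlen, min_hosts)
    covered = {ip for hosts in busy.values() for ip in hosts}
    lone = dict.fromkeys(ip for ip, _ in hits if ip not in covered)  # dedupe, keep order
    cmds = [f"ipset add {setname} {net} -exist" for net in busy]
    cmds += [f"ipset add {setname} {ip} -exist" for ip in lone]
    return cmds


if __name__ == "__main__":
    for cmd in setup_commands() + ban_commands(parse(LOG_LINES)):
        print(cmd)
```

On the five lines from the first post this yields one entry for 218.86.50.0/24 plus two single-host entries, and the hash:net timeout makes the block expire on its own the way fail2ban's bantime does. A /24 is only a guess at where the operator's block ends; the whois and AS lookups Noway2 described give the real boundary, and the threshold should stay conservative because a /24 can also be a hosting provider with many unrelated customers. To drive this from fail2ban itself rather than by hand, the usual route is a custom action in action.d whose actionban runs the ipset add for the <ip> tag, so that fail2ban keeps doing the log parsing.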
 
  

