If you have a router that is capable of blocking individual addresses (your router's manual should tell you that), then, sure... my routers do not have that capability, however, so I do it a different way.
If you look at your logs, possibly /var/log/messages, you may see entries like these:
Code:
Jun 23 11:25:32 fubar sshd[3937]: Failed password for root from 174.129.94.87 port 47665 ssh2
Jun 23 11:25:33 fubar sshd[3939]: Failed password for root from 174.129.94.87 port 47721 ssh2
Jun 23 11:25:33 fubar sshd[3941]: Invalid user sami from 174.129.94.87
Jun 23 11:25:33 fubar sshd[3941]: Failed password for invalid user sami from 174.129.94.87 port 47797 ssh2
Jun 23 11:25:34 fubar sshd[3943]: Failed password for root from 174.129.94.87 port 47855 ssh2
Jun 23 11:25:35 fubar sshd[3945]: Failed password for root from 174.129.94.87 port 47922 ssh2
Jun 23 11:25:35 fubar sshd[3947]: Invalid user oracle from 174.129.94.87
Jun 23 11:25:35 fubar sshd[3947]: Failed password for invalid user oracle from 174.129.94.87 port 47978 ssh2
Jun 23 11:25:36 fubar sshd[3949]: Failed password for root from 174.129.94.87 port 48036 ssh2
The above are some of the 39 actual log entries showing some bastard trying to break into my systems. I run a utility, DenyHosts, http://denyhosts.sourceforge.net, that looks for these kinds of things and makes entries in /etc/hosts.deny; e.g.,
Code:
# DenyHosts: Tue Jun 23 11:25:55 2009 | sshd: 174.129.94.87
sshd: 174.129.94.87
Once that entry is in /etc/hosts.deny, /var/log/messages will show
Code:
Jun 23 11:25:56 fubar sshd[4010]: refused connect from 174.129.94.87 (174.129.94.87)
and that's the end of that -- no more access.
There's another way too: use iptables:
Code:
#Block cn.zone
iptables -A INPUT -s 58.14.0.0/15 -j DROP
iptables -A INPUT -s 58.16.0.0/16 -j DROP
iptables -A INPUT -s 58.17.0.0/17 -j DROP
iptables -A INPUT -s 58.17.128.0/17 -j DROP
iptables -A INPUT -s 58.18.0.0/16 -j DROP
iptables -A INPUT -s 58.19.0.0/16 -j DROP
iptables -A INPUT -s 58.20.0.0/16 -j DROP
iptables -A INPUT -s 58.21.0.0/16 -j DROP
iptables -A INPUT -s 58.22.0.0/15 -j DROP
These sample entries block domains in China (there are over 1,500); I do country blocks for the worst ones (China and Korea). These entries block an entire range of addresses. If you want to do this, you can go to http://www.countryipblocks.net and download entries for whatever countries you want to block.
/etc/hosts.deny (see man 5 hosts_access) is a relatively simple, effective way of keeping the bad actors out of your system. iptables, too, is relatively simple and effective. If you install DenyHosts, you can semi-automagically take care of much of the problem without having to actually do anything except review your logs periodically (which you should be doing in any case).
Hope this helps some.
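As an added example (not code from the post above or from the DenyHosts project), here is a small Python script that does the core of what the post describes DenyHosts doing: it scans sshd log lines of the kind shown, counts failed logins per source address, and emits /etc/hosts.deny entries in the comment-plus-rule shape the post shows for every address at or over a threshold. The log lines, the RFC 5737 sample addresses and the threshold of 3 are constructed for illustration; DenyHosts's own thresholds and matching rules are not reproduced here.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the "Failed password" messages seen in the excerpt, both for real
# accounts ("for root from ...") and for unknown ones ("for invalid user sami
# from ..."). The bare "Invalid user X from ..." line is deliberately not
# counted: sshd follows it with a matching "Failed password for invalid user"
# line, so counting both would double-count one attempt.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+"
    r" from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Jun 23 11:25:32 fubar sshd[3937]: Failed password for root from 192.0.2.10 port 47665 ssh2
Jun 23 11:25:33 fubar sshd[3941]: Invalid user sami from 192.0.2.10
Jun 23 11:25:33 fubar sshd[3941]: Failed password for invalid user sami from 192.0.2.10 port 47797 ssh2
Jun 23 11:25:34 fubar sshd[3943]: Failed password for root from 192.0.2.10 port 47855 ssh2
Jun 23 11:25:40 fubar sshd[3950]: Failed password for alice from 198.51.100.7 port 50123 ssh2
Jun 23 11:25:41 fubar sshd[3952]: Accepted password for alice from 198.51.100.7 port 50124 ssh2
Jun 23 11:25:56 fubar sshd[4010]: refused connect from 192.0.2.10 (192.0.2.10)
"""


def count_failures(lines):
    """Return a Counter of failed sshd logins per source address."""
    hits = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def hosts_deny_entries(hits, threshold, now=None):
    """Build hosts.deny lines (comment + rule, as in the post) for every
    address with at least `threshold` failures. `now` is injectable so the
    output is reproducible; it defaults to the current time."""
    stamp = (now or datetime.now()).strftime("%a %b %d %H:%M:%S %Y")
    out = []
    for ip, n in sorted(hits.items()):
        if n >= threshold:
            out.append(f"# DenyHosts: {stamp} | sshd: {ip}")
            out.append(f"sshd: {ip}")
    return out


def demo():
    """Run the pipeline over the constructed sample with a fixed timestamp."""
    hits = count_failures(SAMPLE_LOG.splitlines())
    return hosts_deny_entries(hits, 3, datetime(2009, 6, 23, 11, 25, 55))


if __name__ == "__main__":
    print("\n".join(demo()))
```

A real deployment would read /var/log/messages (or the auth log) incrementally and append only new entries to /etc/hosts.deny; one successful login from 198.51.100.7 after a single failure, as in the sample, should not get an address blocked.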