View Poll Results: Should I block entire countries
Yes best solution 1 33.33%
Yes 0 0%
No 0 0%
No look for another solution 2 66.67%
Multiple Choice Poll. Voters: 3. You may not vote on this poll

Old 10-05-2007, 03:35 PM   #1
payjoe
LQ Newbie
 
Registered: Apr 2007
Posts: 13

Rep: Reputation: 0
How to block countries from server?


I am using OS: CentOS Linux 4.4
CP+: ver. 3.4, and use freelancers for technical projects; this means
I'm giving some too much access to my server.

The result being, I have just had work completed by a programmer I trust
and he tells me that some of the errors on my website are caused by changes
made to my cgi-bin by someone.

Does anyone know how to block entire countries from my server and website,
as work carried out by some freelancers who I suspect come from Pakistan and India.

My solution is a brush stroke, to ensure I get it right.

Any help would be a godsend

Thanks in advance
 
Old 10-05-2007, 04:36 PM   #2
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
Seriously, what? How about you don't give logins to people you don't trust?

Blocking regional IPs is a non-starter anyway - there's plenty of free shell account providers all over the place to proxy through.

Dave
 
Old 10-06-2007, 06:58 AM   #3
payjoe
LQ Newbie
 
Registered: Apr 2007
Posts: 13

Original Poster
Rep: Reputation: 0
so what's the solution?
 
Old 10-06-2007, 11:09 AM   #4
mlnutt
Member
 
Registered: May 2006
Posts: 34

Rep: Reputation: 15
You can block out countries with the GeoIP extension for netfilter/iptables. I haven't used this as it requires patching the kernel.

I wrote a program to search either the webnet77 or geoip csv list of allocated ips by various criteria (such as country code) and generate iptables configuration file lines or an iptables script to add rules.

Example to generate rules to exclude Pakistan:

ipfind -c PK -IPK

outputs:

#!/bin/bash

iptables -N PK_CHAIN
iptables -N PK_DROP

iptables -A PK_CHAIN -s 58.27.128.0/17 -j PK_DROP
iptables -A PK_CHAIN -s 58.65.128.0/18 -j PK_DROP
iptables -A PK_CHAIN -s 58.65.192.0/19 -j PK_DROP
...
iptables -A PK_CHAIN -s 217.74.231.0/24 -j PK_DROP
iptables -A PK_CHAIN -s 221.120.192.0/18 -j PK_DROP
iptables -A PK_CHAIN -s 221.132.112.0/21 -j PK_DROP

iptables -A PK_CHAIN -j ACCEPT

iptables -A PK_DROP -j LOG --log-prefix "PK_CHAIN: " --log-level 3 --log-tcp-options --log-ip-options
iptables -A PK_DROP -j DROP

iptables -A INPUT -p tcp -m state --state NEW -j PK_CHAIN
 
Old 10-06-2007, 11:11 AM   #5
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
Don't give logins to people you don't trust. If you give someone a login with access to sensitive stuff and they want to do something nasty, you're screwed.
Blocking by IP-block is a five minute job to get around, so while it may provide a level of nuisance to those who would do you harm, it's not going to keep them out for long.

You could log their shell histories, by 'chattr +a ~/.bash_history' etc. for all the shells you have on the system. That way all commands are logged, but the users can't remove lines. Wouldn't stop them messing with the system, but at least you'd know who'd done it.
Even that's not a reliable method though, as a user could scp a new shell onto the system which doesn't log.

Dave
 
Old 10-06-2007, 12:32 PM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by mlnutt
I wrote a program to search either the webnet77 or geoip csv list of allocated ips by various criteria (such as country code) and generate iptables configuration file lines or an iptables script to add rules.
Can you share it with us?
 
Old 10-06-2007, 05:33 PM   #7
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by payjoe
Does anyone know how to block entire countries from my server and website,
as work carried out by some freelancers who I suspect come from Pakistan and India.
How about when a contractor is finished with his work, you disable his account. Crazy, I know.
 
Old 10-06-2007, 05:43 PM   #8
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 115
I routinely block countries from my websites, though I am a bit selective about the portions of the site I block them from. Proscribed countries can't access message boards, for instance. It actually has been very successful as one technique for stopping spam. I have completely stopped spam on my message boards by a combination of country blocking and some custom things I have done (which I won't describe).

I use the ip2nation database to match IP ranges with countries.

WRT shell access to my servers, I am with everyone else. Get rid of shell accounts for people who are no longer allowed access to the server. Keep an eye on anyone who is allowed to access the server to make sure they aren't doing bad things.
 
Old 10-06-2007, 05:49 PM   #9
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 115
Right after I made my last post, I clicked on a referer link in my website logs to see where it took me. Took me right to a directory structure; the site that was in the referer was misconfigured so that I could get direct access to its cgi scripts.

Now isn't that interesting.

OP might want to look at how his server is organized and make sure this capability is blocked.
 
Old 10-07-2007, 10:34 AM   #10
mlnutt
Member
 
Registered: May 2006
Posts: 34

Rep: Reputation: 15
Quote:
Originally Posted by win32sux
Can you share it with us?
Yes I am willing to share it. Unfortunately I am not allowed to post attachments on this list.

On a related issue: I have also added some functionality to Karl Hammar's "ipnumber.c" if anybody is interested in that; I've added two switches: one to print the cidr(s) given a dotted quad range and a switch to do the converse (calculate all the ranges for a cidr).

The prior program is working though I am going to add some more functionality to it. Here is the program's syntax. Where might I upload/send it for distribution?

USAGE: ipfind (-r REGISTRY... | -c CODE... | -C CODE...) [-m | -M] [-i] [-I[CHAIN_NAME]] [-pCHAIN_NAME ] [-nCHAIN_NAME] [-aACTION]] [-f DOTTED_QUAD...] [-v]
-c, --ctry filter using 2 character country codes
-C, --cntry filter using 3 character country codes (webnet77)
-r, --registry filter using registry name
-m, --cidr print cidr instead of netmask (default)
-M, --netmask print netmask instead of cidr
-i, --iptables output iptables startup file format
-I, --iptables_cmd output iptables configuration script using CHAIN_NAME prefix
-p, --prior iptables configuration script prior chain name (default "INPUT")
-n, --next iptables configuration script next chain name (default "ACCEPT")
-a, --action iptables configuration script action (default "DROP")
-L, --nolog iptables configuration script no logging
-f, --find find IP's range block
--maxmind use the maxmind csv file (default)
--webnet77 use the webnet77 csv file
-v, --verbose display verbose output
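
An added example, not mlnutt's ipfind or Karl Hammar's ipnumber.c (neither is posted in this thread): Python that does the two conversions described in post #10 and emits a script with the chain layout shown in post #4. The CSV column layout, the function names and the XX/YY sample rows are assumptions made for illustration.

```python
import csv
import io
import re
from ipaddress import (IPv4Address, collapse_addresses, ip_network,
                       summarize_address_range)

# Constructed sample: "first,last,country code" rows (assumed layout; the real
# CSV files have more columns). Addresses are RFC 5737 documentation ranges.
SAMPLE_CSV = """\
192.0.2.0,192.0.2.127,XX
192.0.2.128,192.0.2.255,XX
198.51.100.5,198.51.100.10,XX
203.0.113.0,203.0.113.255,YY
"""

def range_to_cidrs(first, last):
    """CIDR blocks that exactly cover the dotted-quad range first..last."""
    nets = summarize_address_range(IPv4Address(first), IPv4Address(last))
    return [str(n) for n in nets]

def cidr_to_range(cidr):
    """The converse: first and last address of a CIDR block."""
    net = ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)

def country_cidrs(csv_text, code):
    """All blocks for one country code, with adjacent rows merged."""
    nets = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) >= 3 and row[2].strip().upper() == code.upper():
            nets += summarize_address_range(IPv4Address(row[0].strip()),
                                            IPv4Address(row[1].strip()))
    return [str(n) for n in collapse_addresses(nets)]

def iptables_script(code, cidrs, prior="INPUT", nxt="ACCEPT", action="DROP"):
    """Emit a script with the chain layout shown in post #4."""
    if not re.fullmatch(r"[A-Z]{2}", code):  # the code ends up in shell text
        raise ValueError("country code must be two capital letters")
    chain, drop = f"{code}_CHAIN", f"{code}_DROP"
    out = ["#!/bin/bash", "", f"iptables -N {chain}", f"iptables -N {drop}", ""]
    out += [f"iptables -A {chain} -s {c} -j {drop}" for c in cidrs]
    out += ["", f"iptables -A {chain} -j {nxt}", "",
            f'iptables -A {drop} -j LOG --log-prefix "{chain}: " --log-level 3',
            f"iptables -A {drop} -j {action}", "",
            f"iptables -A {prior} -p tcp -m state --state NEW -j {chain}"]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(iptables_script("XX", country_cidrs(SAMPLE_CSV, "XX")))
```

Merging adjacent rows before emitting rules keeps the chain short, which matters because iptables walks the rules of a chain one by one for every new connection.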
 
Old 10-10-2007, 10:04 AM   #11
payjoe
LQ Newbie
 
Registered: Apr 2007
Posts: 13

Original Poster
Rep: Reputation: 0
Thanks for the input

Some of the replies are a bit over my head. I have found that database tables have been re-routed, however no major harm done.

I have changed the root user details and removed all.
It's the best I can do at the moment with my little knowledge, thanks again
 
  


All times are GMT -5.
