LinuxQuestions.org
Old 06-24-2010, 03:11 PM   #1
rahilmaknojia
Member
 
Registered: Dec 2007
Distribution: RHEL6, CentOS6.3
Posts: 188

Rep: Reputation: 32
How to block IP ranges of China, Russia and other countries.


My server was attacked by China, Russia, and other countries via SSH. I use SSH from other parts of the network, like the internet, to access my home server. I just want to know how to add the IP ranges of other countries to the hosts.deny file.
 
Old 06-24-2010, 03:49 PM   #2
mpapet
Member
 
Registered: Nov 2003
Location: Los Angeles
Distribution: debian
Posts: 453

Rep: Reputation: 46
Think Again.

Does "attack" mean successfully logged into your server? Or, does it mean script kiddies banging away at ssh with a dictionary attack and never getting in. If it's the latter, it never ends.

If you really want to block IPs then the firewall is the better place to implement this. Iptables has everything you need.

Maybe you should consider switching to PKI authentication for ssh? 'Easier' solutions are changing the port ssh listens on and using strong passwords.
 
1 members found this post helpful.
Old 06-24-2010, 04:13 PM   #3
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
Quote:
Originally Posted by mpapet
Does "attack" mean successfully logged into your server? Or, does it mean script kiddies banging away at ssh with a dictionary attack and never getting in. If it's the latter, it never ends.

If you really want to block IPs then the firewall is the better place to implement this. Iptables has everything you need.

Maybe you should consider switching to PKI authentication for ssh? 'Easier' solutions are changing the port ssh listens on and using strong passwords.
The OP should elaborate, but it seems like he's hinting at brute force attempts, which is NOT scanning, no matter how automated it is and no matter if it's script-kiddie-ish. The key words you used were "dictionary attack".

Scanning is one thing. Attacking is another. We all interpret things differently, but those bruteforce attempts are actual login attempts (and nothing like nmap scanning [not saying that that's condoned, either])...

He can block this via the sshd config file, use denyhosts or any other host-level autoblocking tool, or even use a local (or network) firewall. All of this and more is covered in the "SSH" sticky thread at the top of the security forums.

Last edited by unixfool; 06-24-2010 at 05:59 PM.
 
2 members found this post helpful.
Old 06-24-2010, 05:14 PM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by rahilmaknojia
My server was attacked by China, Russia, and other countries via SSH. I use SSH from other parts of the network, like the internet, to access my home server. I just want to know how to add the IP ranges of other countries to the hosts.deny file.
Also, if you're willing to consider using iptables instead, I posted one possible approach here. If you still want to use hosts.deny, tweaking my instructions should be a snap. Personally, I'd stick to iptables, as it ensures that your SSH daemon never sees any packets from those IPs at all.
 
1 members found this post helpful.
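The iptables approach win32sux recommends, written out as an added example (this is not code from the thread or from any linked post): a script that turns a file of CIDR ranges into a dedicated chain that logs and then drops new SSH connections from those ranges, so the daemon never sees them and every hit is visible in syslog and in the chain's packet counters. Assumed names: chains GEOBLOCK and GEOBLOCK_DROP, SSH on port 22, and a range list with one a.b.c.d/n per line (comments starting with '#' allowed). The script prints the rules instead of applying them, so you can review the output before piping it into sh as root.

```shell
#!/bin/sh
# Added example, not code from the thread: generate iptables rules that log
# and then drop SSH connections from a list of CIDR ranges. Assumptions:
# chain names GEOBLOCK / GEOBLOCK_DROP and SSH on port 22 (override with
# the CHAIN and SSH_PORT environment variables).

SSH_PORT="${SSH_PORT:-22}"
CHAIN="${CHAIN:-GEOBLOCK}"
DROP_CHAIN="${CHAIN}_DROP"

# Return 0 if $1 looks like a dotted-quad IPv4 CIDR (a.b.c.d/n), else 1.
# Malformed lines are skipped rather than handed to iptables.
valid_cidr() {
    case "$1" in *[!0-9./]*|'') return 1 ;; esac   # digits, dots, slash only
    ip=${1%/*}
    prefix=${1#*/}
    [ "$ip" != "$1" ] || return 1                  # no '/' present
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read CIDR ranges from stdin and print the iptables commands to stdout.
# Nothing is applied here: review the output, then pipe it into sh as root.
geoblock_rules() {
    # A two-rule chain: rate-limited LOG (so a flood cannot fill syslog),
    # then an unconditional DROP.
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$DROP_CHAIN" "$DROP_CHAIN"
    printf 'iptables -A %s -m limit --limit 5/min -j LOG --log-prefix "%s: " --log-level 4\n' "$DROP_CHAIN" "$CHAIN"
    printf 'iptables -A %s -j DROP\n' "$DROP_CHAIN"
    # One source-match rule per range in the match chain.
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$CHAIN" "$CHAIN"
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! valid_cidr "$line"; then
            printf 'skipping invalid range: %s\n' "$line" >&2
            continue
        fi
        printf 'iptables -A %s -s %s -j %s\n' "$CHAIN" "$line" "$DROP_CHAIN"
    done
    # Hook the match chain into INPUT for the SSH port only. Delete any
    # earlier jump first so re-running the script does not stack duplicates.
    printf 'iptables -D INPUT -p tcp --dport %s -j %s 2>/dev/null\n' "$SSH_PORT" "$CHAIN"
    printf 'iptables -I INPUT -p tcp --dport %s -j %s\n' "$SSH_PORT" "$CHAIN"
}

# Usage:  sh geoblock.sh ranges.txt        # print the rules for review
#         sh geoblock.sh ranges.txt | sh   # apply them (as root)
if [ $# -ge 1 ]; then
    geoblock_rules < "$1"
fi
```

Because the match is restricted to the SSH port, the rest of the host's traffic is unaffected, and because the jump is inserted at the top of INPUT it runs before any ACCEPT rule for established connections. Whatever range list you feed it (for example one assembled from the countryipblocks.net lists mentioned later in the thread) should be checked against the addresses you yourself connect from, or you will lock yourself out exactly as the OP describes with denyhosts.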
Old 06-24-2010, 08:06 PM   #5
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
This page may be of interest to the OP and contains a list of IP ranges for the regions with the highest level of malicious traffic. http://www.countryipblocks.net/

Personally, I think that blocking such ranges in an attempt to gain security is a futile effort at best. While you may cut down on some of the noise traffic, the only thing you will accomplish is to guarantee that whoever gains access to your system either originates from or proxies through a different region.

Your efforts would be MUCH better spent securing your system against ALL attacks. The previous posts in this thread have already given you the tools on how to do this.
 
1 members found this post helpful.
Old 06-24-2010, 08:33 PM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by Noway2
Your efforts would be MUCH better spent securing your system against ALL attacks.
Excellent point. Of course, blocking IP ranges which you know you'll never be accessing from (and from which you're seeing attacks) is still a good idea, and shouldn't be discarded (whether it's part of a broader approach or not). Hopefully when the OP replies we'll get a feel for how much effort he is willing to dedicate to hardening his SSH daemon. I'm also looking forward to his responses to the requests for clarification he received here, as this could possibly be a compromised machine we're dealing with, which would change everything.

Last edited by win32sux; 06-24-2010 at 08:50 PM.
 
1 members found this post helpful.
Old 06-25-2010, 08:13 AM   #7
rahilmaknojia
Member
 
Registered: Dec 2007
Distribution: RHEL6, CentOS6.3
Posts: 188

Original Poster
Rep: Reputation: 32
Quote:
Originally Posted by unixfool
The OP should elaborate, but it seems like he's hinting at brute force attempts, which is NOT scanning, no matter how automated it is and no matter if it's script-kiddie-ish. The key words you used were "dictionary attack".

Scanning is one thing. Attacking is another. We all interpret things differently, but those bruteforce attempts are actual login attempts (and nothing like nmap scanning [not saying that that's condoned, either])...

He can block this via the sshd config file, use denyhosts or any other host-level autoblocking tool, or even use a local (or network) firewall. All of this and more is covered in the "SSH" sticky thread at the top of the security forums.
Unixfool, I am also using denyhosts to block IPs after more than 3 login attempts. But I didn't block ssh in the denyhosts file because it blocks all the IP addresses. I don't want to block the IP address from where I work. Last time, my server at home blocked the IP address of the company where I work, and I wasn't able to get in until I stopped the denyhosts service and removed that IP address from the hosts.deny file.

Guys, I also configured iptables as it was shown in this discussion; let's see how it works. One more question: how do I check whether iptables drops the packets in response to an incoming attack?
 
1 members found this post helpful.
Old 06-25-2010, 08:38 AM   #8
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
Quote:
Originally Posted by rahilmaknojia
Last time, my server at home blocked the IP address of the company where I work, and I wasn't able to get in until I stopped the denyhosts service and removed that IP address from the hosts.deny file.
There is a whitelist option that you can use to prevent this.

Quote:
Originally Posted by rahilmaknojia
Guys, I also configured iptables as it was shown in this discussion; let's see how it works. One more question: how do I check whether iptables drops the packets in response to an incoming attack?
I haven't seen the iptables config (yet) but you can configure the firewall to log THEN drop. It should record the logs in your syslog (or wherever you're telling it to log).

Last edited by unixfool; 06-25-2010 at 09:09 AM.
 
1 members found this post helpful.
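The "log THEN drop" check unixfool describes, as an added example that is not code from the thread: the kernel writes one line per logged packet in the standard netfilter LOG format (a prefix, then IN=, SRC=, DST=, PROTO=, DPT= and so on), and this function summarizes those lines per source address so you can see which ranges the firewall is actually dropping. It assumes the log prefix "GEOBLOCK: " (any other prefix can be passed as the first argument); the lines in SAMPLE_LOG are constructed for the demonstration and use RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not code from the thread: count the netfilter LOG lines a
# "log then drop" chain leaves in syslog, per source address and destination
# port. Assumes the log prefix "GEOBLOCK: " unless another is given as $1.

# Constructed sample: three logged drops and one unrelated sshd line.
SAMPLE_LOG='Jun 25 09:10:11 home kernel: [1234.5] GEOBLOCK: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 25 09:10:13 home kernel: [1236.7] GEOBLOCK: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 25 09:11:02 home kernel: [1285.0] GEOBLOCK: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 25 09:11:05 home sshd[2211]: Accepted publickey for user from 192.0.2.77 port 50022 ssh2'

# Read log lines on stdin; print "count SRC DPT" per source, busiest first.
# Lines without the prefix (other kernel messages, sshd, cron) are ignored.
drop_summary() {
    prefix="${1:-GEOBLOCK: }"
    awk -v prefix="$prefix" '
        index($0, prefix) == 0 { next }          # not one of our LOG lines
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if (substr($i, 1, 4) == "SRC=") src = substr($i, 5)
                else if (substr($i, 1, 4) == "DPT=") dpt = substr($i, 5)
            }
            if (src != "") count[src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Usage on a live system (the path is a common syslog default for kernel
# messages; use whatever file your syslog writes them to):
#   drop_summary < /var/log/messages
#   drop_summary 'MYPREFIX: ' < /var/log/messages
# Run with --demo to see the summary of the constructed sample above.
if [ $# -ge 1 ] && [ "$1" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | drop_summary
fi
```

Two caveats when reading the result: if the LOG rule is rate-limited (the usual `-m limit` setup), the log is a sample and will undercount a flood, while the chain's own counters are exact (`iptables -L GEOBLOCK -v -n` shows packets and bytes per rule); and a SYN that is logged and dropped produces no sshd log entry at all, so an attacker's absence from `/var/log/secure` is the expected sign that the rule is working, not a sign that the attack stopped.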
Old 06-25-2010, 09:08 AM   #9
rahilmaknojia
Member
 
Registered: Dec 2007
Distribution: RHEL6, CentOS6.3
Posts: 188

Original Poster
Rep: Reputation: 32
Quote:
Originally Posted by unixfool
There is a whitelist option that you can use to prevent this.
What is a whitelist?
 
Old 06-25-2010, 09:19 AM   #10
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
It is a listing of IPs that should not be blocked by denyhosts.
 
Old 06-25-2010, 09:28 AM   #11
rahilmaknojia
Member
 
Registered: Dec 2007
Distribution: RHEL6, CentOS6.3
Posts: 188

Original Poster
Rep: Reputation: 32
Quote:
Originally Posted by unixfool
It is a listing of IPs that should not be blocked by denyhosts.
Okay, and how do I set that up?
 
Old 06-25-2010, 10:53 AM   #12
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
Quote:
Originally Posted by rahilmaknojia
Okay, and how do I set that up?
http://denyhosts.sourceforge.net/faq.html#3_7
 
Old 06-25-2010, 12:51 PM   #13
rahilmaknojia
Member
 
Registered: Dec 2007
Distribution: RHEL6, CentOS6.3
Posts: 188

Original Poster
Rep: Reputation: 32
Okay, I created the file /use/share/denyhosts/data/allowed.hosts and added some IP addresses to allow. But I want to know whether I have to do anything else in the denyhosts configuration file?

Last edited by rahilmaknojia; 06-25-2010 at 12:55 PM.
 
1 members found this post helpful.
Old 07-29-2010, 09:46 AM   #14
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
Quote:
Originally Posted by rahilmaknojia
Okay, I created the file /use/share/denyhosts/data/allowed.hosts and added some IP addresses to allow. But I want to know whether I have to do anything else in the denyhosts configuration file?
Just seeing this now.

I suggest reading the whole FAQ, then maybe googling denyhosts to determine how others are using it and how others are configuring it....visiting the denyhosts webpage should be enough, though.
 
Old 08-03-2010, 03:39 AM   #15
wertum
Member
 
Registered: Jul 2010
Location: usa
Distribution: ubuntu
Posts: 39

Rep: Reputation: 16
Quote:
Originally Posted by rahilmaknojia
My server was attacked by China, Russia, and other countries via SSH. I use SSH from other parts of the network, like the internet, to access my home server. I just want to know how to add the IP ranges of other countries to the hosts.deny file.
FULL ANSWER :
linux .opennet .ru /tips /info/ 1969.shtml

GO TO TRANSLATE.GOOGLE.COM
 
  

