LinuxQuestions.org, Slackware forum: Block off China and Russia? (https://www.linuxquestions.org/questions/slackware-14/block-off-china-and-russia-4175464713/)

kikinovak 06-04-2013 02:11 PM

Block off China and Russia?
 
First of all, my apologies to all the Chinese and Russian Slackware users in this forum. But here goes.

I'm running a few dedicated servers for clients, with a handful of specialized services like library management or school management. It's all more or less running on LAMP servers and supposed to be accessed around here, meaning in South France.

I have many hostile connections on these machines, mostly brute force attempts, which I keep out with a couple of iptables rules limiting the number of connections per minute. Only I'm facing a real tsunami here, and I thought about a more radical solution.

Is there a way to block whole countries using iptables? I've tracerouted some folks back, and they seem to originate mostly from China and Russia, with the odd Nigerian IP.

Any suggestions?

ttk 06-04-2013 02:39 PM

I do something similar with some of my servers, using the "reject" function of the "route" utility.

For instance:
route add -net 46.29.250.0 netmask 255.255.255.0 reject

The real way to do this is with a firewall rule, but "route" has been good enough that I haven't bothered. Maybe someone else will show us how to do that, to both our benefits.

ttk 06-04-2013 02:46 PM

To see the address range(s) of the offending networks, run "whois" on the dotted IP address. For instance, "whois 46.29.250.191" shows that the address originates from a network owned by someone in Tallinn, Estonia, and has a range of 46.29.250.0 - 46.29.251.255.

The example command I gave in my previous post blocked the lower half of that range.

kikinovak 06-04-2013 02:55 PM

I guess my main question would be: where would I get IP ranges from "problematic" countries?

ttk 06-04-2013 03:08 PM

Well, I just googled internet address ranges by country and several promising sites popped up, like:

http://www.nirsoft.net/countryip/

Also, if you unzip http://mixoftech.com/downloads/windo...all_script.zip you will find a file named windows_firewall_script/BlockList.txt which purports to contain all of the address ranges for China, Russia, and Iran. It's a start.

Habitual 06-04-2013 03:47 PM

I use Cloudflare services in front of my domain.
It has a country block mechanism in their/my control panel.

1 click and China is gone.
1 click and India is gone.

I don't know if your hosts have A records but I'm pretty sure that's required since it involves changing your NSs at the Registrar.

jefro 06-04-2013 09:19 PM

Any way to just allow your known users instead of trying to block ranges?

H_TeXMeX_H 06-05-2013 04:09 AM

Quote:

Originally Posted by jefro (Post 4965554)
Any way to just allow your known users instead of trying to block ranges?

I would agree that a whitelist is a better idea. Even if hack attempts seem to be coming from these countries, that doesn't mean that's where the hackers/crackers are.

Nikosis 06-05-2013 04:09 AM

Quote:

Originally Posted by kikinovak (Post 4965385)
I guess my main question would be: where would I get IP ranges from "problematic" countries?

Check here

tronayne 06-05-2013 06:37 AM

I've done it using lists such as given by @nikosis (in my case, http://www.countryipblocks.net/), using a little AWK program to format them into IPTABLES directives. Works wonderfully.

When I start to see crap coming from somewhere that would have zero interest in my servers, I simply block the entire country and am done with it. That might be harsh, but anyplace that encourages (or sponsors!) these sorts of activities, I have no reason to allow on the property, as it were.

Don't forget Korea (both of them) and, possibly, Brazil (seen a lot of activity from them).

You may want to check Internet Storm Center https://isc.sans.edu/ for other candidates -- China seems to be the largest offender but, alas, there are (too many) others...

Hope this helps some.

wildwizard 06-05-2013 07:41 AM

Quote:

Originally Posted by tronayne (Post 4965786)
You may want to check Internet Storm Center https://isc.sans.edu/ for other candidates -- China seems to be the largest offender but, alas, there are (too many) others...

Hope this helps some.

You should include the US and Russia there.

Darth Vader 06-05-2013 08:22 AM

Quote:

Originally Posted by kikinovak (Post 4965354)
First of all, my apologies to all the Chinese and Russian Slackware users in this forum. But here goes.

I'm running a few dedicated servers for clients, with a handful of specialized services like library management or school management. It's all more or less running on LAMP servers and supposed to be accessed around here, meaning in South France.

I have many hostile connections on these machines, mostly brute force attempts, which I keep out with a couple of iptables rules limiting the number of connections per minute. Only I'm facing a real tsunami here, and I thought about a more radical solution.

Is there a way to block off whole countries using iptables? I've tracerouted some folks back, and they seem to originate mostly from China and Russia, with the odd Nigerian IP.

Any suggestions?

I believe that shutting down whole countries is a frakking bad practice, because you have also shut down a very huge number of (possible) friendly users.

And you always have a very elegant solution to close the gates: using SSH key authentication and shutting down the SSH login access completely.

Also, there are methods of automatically blocking (also punctually) the users who attempt brute force attacks.

Take care and ... consider that blocking whole countries is considered a (very) xenophobic thing in the world of server administration. :)

H_TeXMeX_H 06-05-2013 09:38 AM

Quote:

Originally Posted by Darth Vader (Post 4965846)
Take care and ... consider that blocking whole countries is considered a (very) xenophobic thing in the world of servers administration. :)

I agree. I know many people blame China and Russia, but there is no proof that these hack attempts actually come from these countries. They can be routed through servers there and appear to be coming from there.

There are better, nicer, more elegant solutions. But, I guess nobody can be bothered.

If only people you know should be accessing your servers, then whitelist only them and block everyone else. If everyone else should be accessing your servers then use smart methods to detect attacks and block them automatically. I am very much against IP range banning. I have been the victim of this many times and in many places.
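The following is an added example, not code posted in this thread: a POSIX shell function in the spirit of tronayne's AWK approach that turns a one-CIDR-per-line list (the shape the country-block sites hand out) into iptables commands, and that also supports the whitelist mode jefro and H_TeXMeX_H prefer. The list format, the chain name GEOFILTER and the sample ranges are assumptions; it prints the rules and never applies them.

```shell
#!/bin/sh
# Constructed sample list in the one-CIDR-per-line shape country-block
# sites hand out. Not a real country list; 203.0.113.0/24 and
# 198.51.100.0/25 are documentation ranges, "bogus" is there to be rejected.
SAMPLE_LIST='# constructed sample
46.29.250.0/24
203.0.113.0/24      # comment after a range
198.51.100.0/25
bogus
'

# gen_rules MODE [CHAIN] < cidr-list
# Prints iptables commands (never runs them) for every valid range on stdin.
#   MODE=block : DROP each listed range, accept everything else (the thread's
#                country block)
#   MODE=allow : ACCEPT each listed range, then DROP everything else (the
#                whitelist several posters prefer)
# Malformed lines go to stderr and are skipped rather than silently ignored.
gen_rules() {
    mode="$1"
    chain="${2:-GEOFILTER}"
    case "$mode" in block|allow) ;; *) echo "usage: gen_rules block|allow [chain]" >&2; return 2 ;; esac
    awk -v mode="$mode" -v chain="$chain" '
        BEGIN {
            target = (mode == "block") ? "DROP" : "ACCEPT"
            print "iptables -N " chain " 2>/dev/null || iptables -F " chain
            print "iptables -C INPUT -j " chain " 2>/dev/null || iptables -I INPUT 1 -j " chain
            # keep established flows and loopback out of the filter entirely
            print "iptables -I " chain " 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
            print "iptables -I " chain " 2 -i lo -j ACCEPT"
        }
        { sub(/#.*/, "") }                  # strip trailing comments
        /^[ \t]*$/ { next }                 # skip blank lines
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            print "iptables -A " chain " -s " $1 " -j " target
            n++
            next
        }
        { print "skipped malformed line: " $0 > "/dev/stderr" }
        END {
            if (mode == "allow") print "iptables -A " chain " -j DROP"   # default deny
            print "# " n + 0 " ranges written"
        }
    '
}

# Helper for checking: count of output lines that end in "-j TARGET".
count_target() { grep -c -- "-j $1\$"; }
```

Feed a downloaded list in on stdin and review the printed commands before piping them to sh. For lists of thousands of ranges, ipset is the usual way to keep iptables matching fast.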

Citramonum 06-05-2013 11:26 AM

I'm from Russia and I'm going to block France (both South and North) on my home router.

rokytnji 06-05-2013 11:34 AM

Edited for being off topic.

