Block off China and Russia?
First of all, my apologies to all the Chinese and Russian Slackware users in this forum. But here goes.
I'm running a few dedicated servers for clients, with a handful of specialized services like library management or school management. It's all more or less running on LAMP servers and supposed to be accessed around here, meaning in South France. I have many hostile connections on these machines, mostly brute force attempts, which I keep out with a couple of iptables rules limiting the number of connections per minute. Only I'm facing a real tsunami here, and I thought about a more radical solution. Is there a way to block whole countries using iptables? I've tracerouted some folks back, and they seem to originate mostly from China and Russia, with the odd Nigerian IP. Any suggestions? |
I do something similar with some of my servers, using the "reject" function of the "route" utility.
For instance:

route add -net 46.29.250.0 netmask 255.255.255.0 reject

The real way to do this is with a firewall rule, but "route" has been good enough that I haven't bothered. Maybe someone else will show us how to do that, to both our benefits. |
To see the address range(s) of the offending networks, run "whois" on the dotted IP address. For instance, "whois 46.29.250.191" shows that the address originates from a network owned by someone in Tallinn, Estonia, and has a range of 46.29.250.0 - 46.29.251.255.
The example command I gave in my previous post blocked the lower half of that range. |
I guess my main question would be: where would I get IP ranges from "problematic" countries?
|
Well, I just googled internet address ranges by country and several promising sites popped up, like:
http://www.nirsoft.net/countryip/

Also, if you unzip http://mixoftech.com/downloads/windo...all_script.zip you will find a file named windows_firewall_script/BlockList.txt which purports to contain all of the address ranges for China, Russia, and Iran. It's a start. |
I use cloudflare services in front of my domain.
It has a country block mechanism in their/my control panel. 1 click and China is gone. 1 click and India is gone. I don't know if your hosts have A records but I'm pretty sure that's required since it involves changing your NSs at the Registrar. |
Any way to just allow your known users instead of trying to block ranges?
|
I've done it using lists such as given by @nikosis (in my case, http://www.countryipblocks.net/), using a little AWK program to format them into IPTABLES directives. Works wonderfully.
When I start to see crap coming from somewhere that would have zero interest in my servers, I simply block the entire country and be done with it. That might be harsh, but anyplace that encourages (or sponsors!) these sorts of activities I have no reason to allow them on the property as it were. Don't forget Korea (both of them) and, possibly, Brazil (seen a lot of activity from them). You may want to check Internet Storm Center https://isc.sans.edu/ for other candidates -- China seems to be the largest offender but, alas, there are (too many) others... Hope this helps some. |
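The two posts above describe the same pipeline from opposite ends: whois gives a range in "start - end" form, and country lists come as files that an AWK script turns into firewall rules. The following is an added example (my own code, not posted by anyone in this thread) that does that conversion in Python with the standard ipaddress module and emits the firewall rule the "route" post asked about: an ipset holding the blocks and a single iptables DROP rule matching it, followed by a per-port connection rate limit of the kind the original poster mentioned. The set name "badnets", the port, the thresholds and the sample list are constructed for illustration; only the 46.29.250.0 - 46.29.251.255 range is taken from the thread.

```python
"""Turn whois / country-list address ranges into ipset + iptables rules.

Added example for this thread, not code posted by any participant.
Accepts the two formats that appear here: whois-style "start - end"
ranges and plain CIDR lines, as found in downloaded country block lists.
"""
import ipaddress
import re

# Constructed sample list: the whois range quoted in the thread plus CIDR
# lines in the style of a country block list (comments and blanks allowed).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation prefixes, not real users.
SAMPLE_LIST = """\
# constructed sample list, not a real country allocation
46.29.250.0 - 46.29.251.255
203.0.113.0/24
198.51.100.128/25
"""

_RANGE_RE = re.compile(r"^\s*(\S+)\s*-\s*(\S+)\s*$")


def parse_ranges(text):
    """Parse 'start - end' ranges and CIDR lines into a minimal list of networks.

    Overlapping or adjacent blocks are merged so the ipset stays small.
    Keep IPv4 and IPv6 lists separate: collapse_addresses refuses mixed input,
    and an ipset has one address family anyway.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _RANGE_RE.match(line)
        if m:
            start = ipaddress.ip_address(m.group(1))
            end = ipaddress.ip_address(m.group(2))
            if start > end:
                raise ValueError(f"range start after end: {line}")
            # Fewest CIDR blocks that exactly cover start..end
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:
            nets.append(ipaddress.ip_network(line, strict=False))
    return list(ipaddress.collapse_addresses(nets))


def is_covered(addr, nets):
    """True if addr falls inside any of the parsed networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def render_rules(set_name, nets, rate_limit_port=22):
    """Emit shell commands: an ipset hash:net, one DROP rule, and a rate limit.

    With ipset the INPUT chain carries one rule no matter how many blocks the
    list has, and the set can be refreshed later without touching iptables.
    """
    lines = [
        f"ipset create {set_name} hash:net -exist",
        f"ipset flush {set_name}",
    ]
    lines += [f"ipset add {set_name} {n.with_prefixlen} -exist" for n in nets]
    lines += [
        # Blocked ranges are dropped at the top of INPUT, before any ACCEPT.
        f"iptables -I INPUT 1 -m set --match-set {set_name} src -j DROP",
        # Everyone else still gets the per-minute new-connection limit
        # (5 new connections per 60 s per source on the service port).
        f"iptables -A INPUT -p tcp --dport {rate_limit_port} -m conntrack --ctstate NEW "
        f"-m recent --set --name {set_name}_rl",
        f"iptables -A INPUT -p tcp --dport {rate_limit_port} -m conntrack --ctstate NEW "
        f"-m recent --update --seconds 60 --hitcount 5 --name {set_name}_rl -j DROP",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_rules("badnets", parse_ranges(SAMPLE_LIST)))
```

Note that the whois range collapses to a single 46.29.250.0/23, so the route command given earlier (a /24) indeed covered only the lower half; feeding the whois output through the parser avoids that kind of off-by-a-subnet gap. Pipe the output to sh as root, or write it to a file and review it first.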
And you always have a very elegant solution to close the gates: using SSH key authentication and shutting down the SSH password login access completely. Also, there are methods of automatically blocking (also selectively) the users who attempt brute-force attacks. Take care and ... consider that blocking whole countries is considered a (very) xenophobic thing in the world of server administration. :) |
There are better, nicer, more elegant solutions. But, I guess nobody can be bothered. If only people you know should be accessing your servers, then whitelist only them and block everyone else. If everyone else should be accessing your servers then use smart methods to detect attacks and block them automatically. I am very much against IP range banning. I have been the victim of this many times and in many places. |
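The two replies above argue for the alternative to country blocking: whitelist the known users and automatically block sources that brute-force the rest. As an added example (my own code, not posted by anyone in this thread), here is a fail2ban-style detector that reads syslog-format sshd lines, counts failed logins per source in a sliding time window, and reports the sources that cross a threshold, except those inside an allow list. The log lines, the 192.168.1.0/24 "known users" network, the threshold and the window are all constructed for illustration.

```python
"""Fail2ban-style detection of SSH brute forcing with an allow list.

Added example for this thread, not code from any participant. The log
lines below are constructed: a fast burst from 203.0.113.7, a slow trickle
from 198.51.100.20 that stays under the per-window threshold, and a
fumbling but legitimate admin on the (constructed) allow-listed LAN.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Mar  3 09:40:01 srv1 sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 09:40:02 srv1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar  3 09:40:03 srv1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 40141 ssh2
Mar  3 09:40:05 srv1 sshd[2207]: Failed password for root from 203.0.113.7 port 40150 ssh2
Mar  3 09:40:06 srv1 sshd[2209]: Failed password for root from 203.0.113.7 port 40161 ssh2
Mar  3 09:41:00 srv1 sshd[2211]: Failed password for root from 198.51.100.20 port 51000 ssh2
Mar  3 09:52:00 srv1 sshd[2213]: Failed password for root from 198.51.100.20 port 51001 ssh2
Mar  3 10:03:00 srv1 sshd[2215]: Failed password for root from 198.51.100.20 port 51002 ssh2
Mar  3 10:14:00 srv1 sshd[2217]: Failed password for root from 198.51.100.20 port 51003 ssh2
Mar  3 10:25:00 srv1 sshd[2219]: Failed password for root from 198.51.100.20 port 51004 ssh2
Mar  3 10:30:00 srv1 sshd[2221]: Failed password for alice from 192.168.1.5 port 33000 ssh2
Mar  3 10:30:01 srv1 sshd[2223]: Failed password for alice from 192.168.1.5 port 33001 ssh2
Mar  3 10:30:02 srv1 sshd[2225]: Failed password for alice from 192.168.1.5 port 33002 ssh2
Mar  3 10:30:03 srv1 sshd[2227]: Failed password for alice from 192.168.1.5 port 33003 ssh2
Mar  3 10:30:04 srv1 sshd[2229]: Failed password for alice from 192.168.1.5 port 33004 ssh2
Mar  3 10:30:05 srv1 sshd[2231]: Accepted publickey for alice from 192.168.1.5 port 33005 ssh2
"""

# Matches OpenSSH's "Failed password" line, with or without "invalid user".
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip) for each failed-password line.

    Syslog timestamps carry no year, so one is supplied (assumption).
    """
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip")


def find_offenders(log_text, threshold=5, window_seconds=600, allow=()):
    """Return {ip: time_of_trip} for sources with >= threshold failures
    inside any window_seconds span. Sources inside the allow-list CIDRs
    (the known users) are never reported, however often they fail.
    """
    allow_nets = [ipaddress.ip_network(a) for a in allow]
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    tripped = {}
    for ts, ip in sorted(parse_failures(log_text)):
        if ip in tripped:
            continue
        if any(ipaddress.ip_address(ip) in n for n in allow_nets):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()            # drop failures that aged out of the window
        if len(q) >= threshold:
            tripped[ip] = ts
    return tripped


def render_bans(tripped, set_name="sshban"):
    """Shell commands adding each offender to an ipset with a 1-hour timeout,
    so the ban expires on its own instead of accumulating forever."""
    lines = [f"ipset create {set_name} hash:ip timeout 3600 -exist"]
    lines += [f"ipset add {set_name} {ip} -exist" for ip in sorted(tripped)]
    lines.append(f"iptables -I INPUT 1 -m set --match-set {set_name} src -j DROP")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_bans(find_offenders(SAMPLE_LOG, allow=("192.168.1.0/24",))))
```

The slow trickle from 198.51.100.20 is the case a per-minute rate limit misses: it never exceeds five failures in ten minutes, so widening the window (say to an hour) is what catches it, at the cost of tripping sooner on legitimate users, which is exactly why the allow list is there.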
I'm from Russia and I'm going to block France (both South and North) on my home router.
|
Edited for being off topic.
|