Linux - Networking (LinuxQuestions.org forum)
05-09-2014, 03:16 PM
#1
Member
Registered: Oct 2012
Location: Raleigh, NC
Distribution: CentOS / RHEL
Posts: 158
inetnums by country?
This necessarily isn't a Linux issue, but I figured I would get some ideas and resolution tips from more seasoned guys.
I have this one web server that is constantly getting attacked from IP locations in China, Vietnam, Russia, India, Taiwan, etc.
Does anyone know if there is a location where I can find all the inetnums by country? I'd love to just block all those network ranges.
If that is not the feasible approach, does anyone have any ideas on what's the best course of action to take to keep these guys at bay?
Thanks.
05-09-2014, 03:33 PM
#2
LQ Guru
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
You can find that in many places, such as:
http://www.nirsoft.net/countryip/
Yes, it makes sense if you don't regularly do business with those countries.
A couple of caveats:
Some folks from those countries may be attacking you from other compromised systems outside their own country, so the blocks won't stop everything, but they will stop quite a bit. (Despite others that will post here telling you it is a wasted effort.)
Some things you might want to receive might get inadvertently blocked. For example, we found that Samsung USA, although based here in the U.S., was sending email via its South Korean-based mail servers. Blocking all of South Korea therefore blocked Samsung USA as well. Of course, you could determine specific IPs and make them exceptions to your general rule.
05-09-2014, 03:33 PM
#3
Senior Member
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,258
Blocking whole countries is a little unsociable, but here you go:
http://www.ipdeny.com/ipblocks/
That said, I wish I could set up something like iptables on my phone to block all calls from Florida area codes.
05-09-2014, 05:16 PM
#4
Member
Registered: Oct 2012
Location: Raleigh, NC
Distribution: CentOS / RHEL
Posts: 158
Original Poster
I do understand the ramifications of a full CIDR block. I am absolutely confident that blocking all the China inetnums will be good and we won't be missing any legitimate data that we'll need.
Thanks for the help, this is some absolutely helpful info!
05-09-2014, 05:44 PM
#5
Senior Member
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070
There is a tutorial here. That said, it doesn't feel like the best tutorial (or idea) ever.
Why do I say it doesn't feel like the best idea ever? Well, you have to think about efficiency, and that can be done better with ipset, see tut here. (Alternatively, this.)
Then there is the issue of maintainability. This is somewhat dealt with in the first reference, but you'll have something only marginally comprehensible going on (and I haven't spent any time working out what happens if the download of a new IP list fails, but you'd want to think about that).
Quote: Originally Posted by socalheel
I have this one web server that is constantly getting attacked from IP locations in China, Vietnam, Russia, India, Taiwan, etc.
It is said that the largest source of inet attacks by absolute number is the US. It may be quite a different situation by percentage, but the US will have the largest number of internet-enabled potential attackers.
Depending on where you are, and what kind of attack we are talking about, you might be better off considering whitelisting rather than blacklisting.
IF this is something like SSH that is under attack, then there are several things that you ought to do. Read this first.
Most people find that just changing the port dramatically reduces the number of SSH attacks; this seems to be because the majority of the attacks are simple scripted jobs (the alternative understanding of this is that you've filtered out the incompetent ones and the ones that are left are just the competent ones, which doesn't sound like quite as good a bargain). My feeling is that relying on a changed port number alone isn't that secure, but in combination with something else (see the samhain article)...
Quote: Originally Posted by socalheel
I have this one web server that is constantly getting attacked from IP locations in China, Vietnam, Russia, India, Taiwan, etc.
The inference that I draw from this is that you have other servers which don't get attacked. Is that right, and is there any reason (for example, different capabilities, etc)?
Quote: Originally Posted by socalheel
If that is not the feasible approach, does anyone have any ideas on what's the best course of action to take to keep these guys at bay?
Well, feasible, yes. But maybe not the best, depending.
05-10-2014, 08:37 AM
#6
Member
Registered: Oct 2012
Location: Raleigh, NC
Distribution: CentOS / RHEL
Posts: 158
Original Poster
Quote: Originally Posted by salasi
The inference that I draw from this is that you have other servers which don't get attacked. Is that right, and is there any reason (for example, different capabilities, etc)?
Excellent question, and you are correct. While I'm not trying to identify specific applications and/or vulnerabilities, this particular server primarily runs a popular website-building application, and most admins of these websites do not install the updates that address vulnerabilities, so these outdated plugins/apps are being exploited constantly.
I've installed the OSSEC server and agent and blocked a few Chinese inetnums, and this has already made a HUGE difference. Still a ways to go, but it's a start.
05-10-2014, 06:29 PM
#7
LQ Veteran
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
https://www.countryipblocks.net/country_selection.php
But ipset is the way to go.
I used to have over 5k .htaccess 'deny' rules for an old site, and what a waste of resources.
Last edited by Habitual; 05-10-2014 at 06:32 PM.
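An added, worked example (not from the thread, and not ipdeny's or ipset's own code) that pulls together the points raised in posts #2, #5 and #7: an ipset block set that the firewall checks with one lookup instead of thousands of iptables or .htaccess rules, an exception set consulted first for cases like the Samsung USA mail servers, and an update routine that validates the downloaded list and refuses to replace the live set when the download failed or came back truncated. The set and chain names (geoblock, geoallow, GEOBLOCK), the minimum prefix count, the ipdeny zone-file URL path and the conntrack match are assumptions made for this example; the zone-file format assumed is one IPv4 CIDR per line.

```shell
#!/bin/sh
# geoblock.sh: load country CIDR lists into an ipset and block them from iptables.
# Added illustration for this thread; not a script from the thread, ipdeny or ipset.
# Assumptions: ipset and iptables are installed; zone files hold one IPv4 CIDR per
# line; the names geoblock/geoallow/GEOBLOCK and the ipdeny path are chosen here.
#
# Usage (as root):
#   curl -fsS -o cn.zone http://www.ipdeny.com/ipblocks/data/countries/cn.zone  # path assumed
#   sh geoblock.sh --apply cn.zone ru.zone
# "curl -f" exits non-zero on an HTTP error instead of saving an error page, and
# the minimum-prefix check below refuses to replace the live set with an empty or
# truncated list, so a failed download leaves the previous blocks in force.
set -u
set -f   # no pathname expansion while word-splitting untrusted input

# valid_cidr4 CIDR -> 0 if CIDR is a well-formed IPv4 prefix a.b.c.d/n, else 1
valid_cidr4() {
    _c=$1
    case $_c in
        */*) _ip=${_c%/*}; _len=${_c#*/} ;;
        *)   return 1 ;;
    esac
    case $_len in ''|*[!0-9]*) return 1 ;; esac   # prefix length: digits only
    [ "$_len" -le 32 ] || return 1
    case $_ip in .*|*.) return 1 ;; esac          # no leading/trailing dot
    _old_ifs=$IFS; IFS=.
    set -- $_ip                                   # split into octets
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# build_restore_batch SET MIN < zonefile -> print an "ipset restore" batch that
# fills a fresh set SET_tmp; malformed lines are reported and skipped; returns 1
# if fewer than MIN valid prefixes were read (failed or truncated download).
build_restore_batch() {
    _set=$1 _min=$2 _count=0
    printf 'create %s_tmp hash:net family inet hashsize 4096 maxelem 262144\n' "$_set"
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in ''|'#'*) continue ;; esac  # blank lines and comments
        if valid_cidr4 "$_line"; then
            printf 'add %s_tmp %s\n' "$_set" "$_line"
            _count=$((_count + 1))
        else
            printf 'geoblock: skipping malformed line: %s\n' "$_line" >&2
        fi
    done
    [ "$_count" -ge "$_min" ]
}

# install_rules BLOCKSET ALLOWSET -> one GEOBLOCK chain hooked at the top of INPUT.
# Exceptions (the Samsung USA case) RETURN rather than ACCEPT, so an allow-listed
# source still passes through the rest of the ruleset instead of bypassing it.
# Only NEW inbound connections are dropped, so replies to the server's own
# outbound connections to a blocked range are not cut off.
install_rules() {
    ipset list "$2" >/dev/null 2>&1 || ipset create "$2" hash:net family inet
    ipset list "$1" >/dev/null 2>&1 ||
        ipset create "$1" hash:net family inet hashsize 4096 maxelem 262144
    iptables -N GEOBLOCK 2>/dev/null || iptables -F GEOBLOCK
    iptables -A GEOBLOCK -m set --match-set "$2" src -j RETURN
    iptables -A GEOBLOCK -m conntrack --ctstate NEW -m set --match-set "$1" src -j DROP
    iptables -C INPUT -j GEOBLOCK 2>/dev/null || iptables -I INPUT 1 -j GEOBLOCK
}

# apply_geoblock SET MIN FILE... -> build SET_tmp from the files, then swap it with
# the live SET in one step, so there is never a window with a half-loaded set.
apply_geoblock() {
    _set=$1 _min=$2; shift 2
    _batch=$(mktemp) || return 1
    if ! cat "$@" | build_restore_batch "$_set" "$_min" > "$_batch"; then
        echo "geoblock: too few valid prefixes; leaving $_set unchanged" >&2
        rm -f "$_batch"; return 1
    fi
    ipset destroy "${_set}_tmp" 2>/dev/null || true   # leftover from an aborted run
    ipset restore < "$_batch" && ipset swap "${_set}_tmp" "$_set"
    _rc=$?
    ipset destroy "${_set}_tmp" 2>/dev/null || true
    rm -f "$_batch"
    return $_rc
}

if [ "${1:-}" = "--apply" ]; then
    shift
    [ $# -ge 1 ] || { echo "usage: $0 --apply ZONEFILE..." >&2; exit 1; }
    [ "$(id -u)" -eq 0 ] || { echo "geoblock: run as root" >&2; exit 1; }
    install_rules geoblock geoallow
    apply_geoblock geoblock 100 "$@"
fi
```

Run it from cron after fetching fresh zone files; exceptions go in with `ipset add geoallow 203.0.113.0/24` (example address) and survive the nightly swap because only the block set is rebuilt. The example covers IPv4 only: blocking IPv6 ranges needs a second set created with `family inet6` and matching rules in ip6tables, and the hook is in INPUT only, so traffic forwarded through the box is not affected.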