LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Determine IP address blocks owned an ISP to stop hacking attempts (https://www.linuxquestions.org/questions/linux-security-4/determine-ip-address-blocks-owned-an-isp-to-stop-hacking-attempts-481822/)

TigerOC 09-09-2006 04:59 AM
Determine IP address blocks owned an ISP to stop hacking attempts
 
I have continuous telnets to my Postfix server on port 25 from hinet.net (Taiwan). They are looking for a mail relay which never succeeds. My logs are always full of attempts and I want to stop connections from their servers. They have a multitude of ip blocks. So far I have just been doing a whois search on each ip address as they appear and adding the range to my firewall.
There must be a way of determining the ip blocks owned by this organisation so that they can be added to the firewall. Does anyone know whether it possible to find this info?

gilead 09-09-2006 06:10 AM
Have a look at http://www.hakusan.tsg.ne.jp/tjkawa/...er/index-e.jsp, I've used the info there previously and it works. There's also the geoip match howto at http://people.netfilter.org/peejix/g...OWTO.html#toc2 but I haven't used it so I can't really comment on it...

w3bd3vil 09-09-2006 06:52 AM
I use a program called neotrace on windows, this is the info that it gave out
Quote:
Name: www.hinet.net
IP Address: 203.66.88.89
Location: Taipei (25.017N, 121.367E)
Network: HINET-TW

Registrant:
Internet Dept., DCBG, Chunghwa Telecom Co., Ltd
Data-Bldg, No. 21 Sec.1, Hsin-Yi Rd
Taipei, Taiwan 100
TW
Domain servers in listed order:

HNTP1.HINET.NET 168.95.192.1
HNTP3.HINET.NET 168.95.192.2
DNS.HINET.NET 168.95.1.1
inetnum: 203.66.0.0 - 203.66.255.255
netname: HINET-TW
descr: CHTD, Chunghwa Telecom Co.,Ltd.
descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
descr: Taipei Taiwan 100
country: TW
admin-c: HN27-AP
tech-c: HN28-AP
hope this helps

unSpawn 09-09-2006 07:26 AM
The first question I think should be if it's necessary to run a publicly accessable MTA and if so what precautions you took to block illegitimate access because IP range blocking is a last resort option, not without problems and it means *you* have to make repeated efforts to keep up with changes.


They are looking for a mail relay which never succeeds. My logs are always full of attempts
So in essence there really is no problem (doesn't succeed) but you're only concerned about logfile entries, right?


Using plain WHOIS output will be a problem because it doesn't cover the whole AS. Using low resolution ranges will be a problem if the AS block is as hole-ridden as the proverbial swiss cheese (say 59.0.0.0/8 but not 59.120.0.0/14) which means you could be blocking possibly legitimate access. Thats why you use AS information. You'll have to flush the chains say once a month because CIDR blocks are updated regularly and even then (like Hakusan says) you may encounter incomplete ranges. For the script I choose CIDR-report because it seems more up to date. The Hakusan solution is easy: basically you find the ASN the IP is in (sites like CIDR-report or Fixedorbit), then query those sites for the details and add those to your firewall.
Here's an example (w/o input checks!) for blocking AS3462 (HINET AS 1 of 3):
Code:
/sbin/iptables -N CIDRBLOCKS; links -dump "http://www.cidr-report.org/cgi-bin/as-report?as=3462"\
|grep "/[0-9]\{1,3\})"|awk '{print $NF}'|while read range; do range=${range//(/}; range=${range//)/};
/sbin/iptables -A CIDRBLOCKS -s ${range} -j DROP; done
Any corrections welcome.

Emerson 09-09-2006 09:46 AM
You may consider joining http://www.mynetwatchman.com/

TigerOC 09-09-2006 03:52 PM
Thanks for all your input. Whilst the Postfix rules stop the relays, people who telnet into the server like this are generally up to no good anyway and I would prefer to keep them at arms length and hence the enquiry.


All times are GMT -5. The time now is 05:21 PM.