Determine IP address blocks owned an ISP to stop hacking attempts
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Determine IP address blocks owned an ISP to stop hacking attempts
I have continuous telnets to my Postfix server on port 25 from hinet.net (Taiwan). They are looking for a mail relay which never succeeds. My logs are always full of attempts and I want to stop connections from their servers. They have a multitude of ip blocks. So far I have just been doing a whois search on each ip address as they appear and adding the range to my firewall.
There must be a way of determining the ip blocks owned by this organisation so that they can be added to the firewall. Does anyone know whether it possible to find this info?
The first question I think should be if it's necessary to run a publicly accessable MTA and if so what precautions you took to block illegitimate access because IP range blocking is a last resort option, not without problems and it means *you* have to make repeated efforts to keep up with changes.
They are looking for a mail relay which never succeeds. My logs are always full of attempts
So in essence there really is no problem (doesn't succeed) but you're only concerned about logfile entries, right?
Using plain WHOIS output will be a problem because it doesn't cover the whole AS. Using low resolution ranges will be a problem if the AS block is as hole-ridden as the proverbial swiss cheese (say 59.0.0.0/8 but not 59.120.0.0/14) which means you could be blocking possibly legitimate access. Thats why you use AS information. You'll have to flush the chains say once a month because CIDR blocks are updated regularly and even then (like Hakusan says) you may encounter incomplete ranges. For the script I choose CIDR-report because it seems more up to date. The Hakusan solution is easy: basically you find the ASN the IP is in (sites like CIDR-report or Fixedorbit), then query those sites for the details and add those to your firewall.
Here's an example (w/o input checks!) for blocking AS3462 (HINET AS 1 of 3):
Thanks for all your input. Whilst the Postfix rules stop the relays, people who telnet into the server like this are generally up to no good anyway and I would prefer to keep them at arms length and hence the enquiry.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.