Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
09-09-2006, 05:59 AM
|
#1
|
Senior Member
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380
Rep:
|
Determine IP address blocks owned an ISP to stop hacking attempts
I have continuous telnets to my Postfix server on port 25 from hinet.net (Taiwan). They are looking for a mail relay which never succeeds. My logs are always full of attempts and I want to stop connections from their servers. They have a multitude of ip blocks. So far I have just been doing a whois search on each ip address as they appear and adding the range to my firewall.
There must be a way of determining the ip blocks owned by this organisation so that they can be added to the firewall. Does anyone know whether it possible to find this info?
|
|
|
09-09-2006, 07:52 AM
|
#3
|
Senior Member
Registered: Jun 2006
Location: Hyderabad, India
Distribution: Fedora
Posts: 1,191
Rep:
|
I use a program called neotrace on windows, this is the info that it gave out
Quote:
Name: www.hinet.net
IP Address: 203.66.88.89
Location: Taipei (25.017N, 121.367E)
Network: HINET-TW
Registrant:
Internet Dept., DCBG, Chunghwa Telecom Co., Ltd
Data-Bldg, No. 21 Sec.1, Hsin-Yi Rd
Taipei, Taiwan 100
TW
Domain servers in listed order:
HNTP1.HINET.NET 168.95.192.1
HNTP3.HINET.NET 168.95.192.2
DNS.HINET.NET 168.95.1.1
inetnum: 203.66.0.0 - 203.66.255.255
netname: HINET-TW
descr: CHTD, Chunghwa Telecom Co.,Ltd.
descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
descr: Taipei Taiwan 100
country: TW
admin-c: HN27-AP
tech-c: HN28-AP
|
hope this helps
|
|
|
09-09-2006, 08:26 AM
|
#4
|
Moderator
Registered: May 2001
Posts: 29,415
|
The first question I think should be if it's necessary to run a publicly accessable MTA and if so what precautions you took to block illegitimate access because IP range blocking is a last resort option, not without problems and it means *you* have to make repeated efforts to keep up with changes.
They are looking for a mail relay which never succeeds. My logs are always full of attempts
So in essence there really is no problem (doesn't succeed) but you're only concerned about logfile entries, right?
Using plain WHOIS output will be a problem because it doesn't cover the whole AS. Using low resolution ranges will be a problem if the AS block is as hole-ridden as the proverbial swiss cheese (say 59.0.0.0/8 but not 59.120.0.0/14) which means you could be blocking possibly legitimate access. Thats why you use AS information. You'll have to flush the chains say once a month because CIDR blocks are updated regularly and even then (like Hakusan says) you may encounter incomplete ranges. For the script I choose CIDR-report because it seems more up to date. The Hakusan solution is easy: basically you find the ASN the IP is in (sites like CIDR-report or Fixedorbit), then query those sites for the details and add those to your firewall.
Here's an example (w/o input checks!) for blocking AS3462 (HINET AS 1 of 3):
Code:
/sbin/iptables -N CIDRBLOCKS; links -dump "http://www.cidr-report.org/cgi-bin/as-report?as=3462"\
|grep "/[0-9]\{1,3\})"|awk '{print $NF}'|while read range; do range=${range//(/}; range=${range//)/};
/sbin/iptables -A CIDRBLOCKS -s ${range} -j DROP; done
Any corrections welcome.
|
|
|
09-09-2006, 10:46 AM
|
#5
|
LQ Sage
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~amd64
Posts: 7,675
Rep:
|
|
|
|
09-09-2006, 04:52 PM
|
#6
|
Senior Member
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380
Original Poster
Rep:
|
Thanks for all your input. Whilst the Postfix rules stop the relays, people who telnet into the server like this are generally up to no good anyway and I would prefer to keep them at arms length and hence the enquiry.
|
|
|
All times are GMT -5. The time now is 01:11 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|