LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 09-09-2006, 05:59 AM   #1
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
Determine IP address blocks owned an ISP to stop hacking attempts


I have continuous telnets to my Postfix server on port 25 from hinet.net (Taiwan). They are looking for a mail relay which never succeeds. My logs are always full of attempts and I want to stop connections from their servers. They have a multitude of ip blocks. So far I have just been doing a whois search on each ip address as they appear and adding the range to my firewall.
There must be a way of determining the ip blocks owned by this organisation so that they can be added to the firewall. Does anyone know whether it possible to find this info?
 
Old 09-09-2006, 07:10 AM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168Reputation: 168
Have a look at http://www.hakusan.tsg.ne.jp/tjkawa/...er/index-e.jsp, I've used the info there previously and it works. There's also the geoip match howto at http://people.netfilter.org/peejix/g...OWTO.html#toc2 but I haven't used it so I can't really comment on it...
 
Old 09-09-2006, 07:52 AM   #3
w3bd3vil
Senior Member
 
Registered: Jun 2006
Location: Hyderabad, India
Distribution: Fedora
Posts: 1,191

Rep: Reputation: 49
I use a program called neotrace on windows, this is the info that it gave out
Quote:
Name: www.hinet.net
IP Address: 203.66.88.89
Location: Taipei (25.017N, 121.367E)
Network: HINET-TW

Registrant:
Internet Dept., DCBG, Chunghwa Telecom Co., Ltd
Data-Bldg, No. 21 Sec.1, Hsin-Yi Rd
Taipei, Taiwan 100
TW
Domain servers in listed order:

HNTP1.HINET.NET 168.95.192.1
HNTP3.HINET.NET 168.95.192.2
DNS.HINET.NET 168.95.1.1
inetnum: 203.66.0.0 - 203.66.255.255
netname: HINET-TW
descr: CHTD, Chunghwa Telecom Co.,Ltd.
descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
descr: Taipei Taiwan 100
country: TW
admin-c: HN27-AP
tech-c: HN28-AP
hope this helps
 
Old 09-09-2006, 08:26 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
The first question I think should be if it's necessary to run a publicly accessable MTA and if so what precautions you took to block illegitimate access because IP range blocking is a last resort option, not without problems and it means *you* have to make repeated efforts to keep up with changes.


They are looking for a mail relay which never succeeds. My logs are always full of attempts
So in essence there really is no problem (doesn't succeed) but you're only concerned about logfile entries, right?


Using plain WHOIS output will be a problem because it doesn't cover the whole AS. Using low resolution ranges will be a problem if the AS block is as hole-ridden as the proverbial swiss cheese (say 59.0.0.0/8 but not 59.120.0.0/14) which means you could be blocking possibly legitimate access. Thats why you use AS information. You'll have to flush the chains say once a month because CIDR blocks are updated regularly and even then (like Hakusan says) you may encounter incomplete ranges. For the script I choose CIDR-report because it seems more up to date. The Hakusan solution is easy: basically you find the ASN the IP is in (sites like CIDR-report or Fixedorbit), then query those sites for the details and add those to your firewall.
Here's an example (w/o input checks!) for blocking AS3462 (HINET AS 1 of 3):
Code:
/sbin/iptables -N CIDRBLOCKS; links -dump "http://www.cidr-report.org/cgi-bin/as-report?as=3462"\
|grep "/[0-9]\{1,3\})"|awk '{print $NF}'|while read range; do range=${range//(/}; range=${range//)/}; 
/sbin/iptables -A CIDRBLOCKS -s ${range} -j DROP; done
Any corrections welcome.
 
Old 09-09-2006, 10:46 AM   #5
Emerson
LQ Sage
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~amd64
Posts: 7,675

Rep: Reputation: Disabled
You may consider joining http://www.mynetwatchman.com/
 
Old 09-09-2006, 04:52 PM   #6
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Original Poster
Rep: Reputation: 49
Thanks for all your input. Whilst the Postfix rules stop the relays, people who telnet into the server like this are generally up to no good anyway and I would prefer to keep them at arms length and hence the enquiry.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
stop ssh attempts with limitssh teddymills Linux - Security 2 12-14-2005 08:24 PM
my isp blocks SMTP port ultrax Linux - Networking 14 08-05-2005 10:16 PM
Gentoo Postfix Isp blocks port 25 sleepyhead Linux - Networking 4 10-08-2004 03:21 AM
ISP Blocks Port 80!! Grrr Scotty2435 Linux - General 5 01-03-2002 12:20 AM
Tools to trick hacking attempts? LionKing Linux - Security 5 07-01-2001 03:36 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:11 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration