Determine IP address blocks owned an ISP to stop hacking attempts

TigerOC · 09-09-2006, 04:59 AM

I have continuous telnets to my Postfix server on port 25 from hinet.net (Taiwan). They are looking for a mail relay which never succeeds. My logs are always full of attempts and I want to stop connections from their servers. They have a multitude of ip blocks. So far I have just been doing a whois search on each ip address as they appear and adding the range to my firewall.
There must be a way of determining the ip blocks owned by this organisation so that they can be added to the firewall. Does anyone know whether it possible to find this info?

gilead · 09-09-2006, 06:10 AM

Have a look at http://www.hakusan.tsg.ne.jp/tjkawa/...er/index-e.jsp, I've used the info there previously and it works. There's also the geoip match howto at http://people.netfilter.org/peejix/g...OWTO.html#toc2 but I haven't used it so I can't really comment on it...

w3bd3vil · 09-09-2006, 06:52 AM

I use a program called neotrace on windows, this is the info that it gave out

Quote:

Name: www.hinet.net
IP Address: 203.66.88.89
Location: Taipei (25.017N, 121.367E)
Network: HINET-TW

Registrant:
Internet Dept., DCBG, Chunghwa Telecom Co., Ltd
Data-Bldg, No. 21 Sec.1, Hsin-Yi Rd
Taipei, Taiwan 100
TW
Domain servers in listed order:

HNTP1.HINET.NET 168.95.192.1
HNTP3.HINET.NET 168.95.192.2
DNS.HINET.NET 168.95.1.1
inetnum: 203.66.0.0 - 203.66.255.255
netname: HINET-TW
descr: CHTD, Chunghwa Telecom Co.,Ltd.
descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
descr: Taipei Taiwan 100
country: TW
admin-c: HN27-AP
tech-c: HN28-AP

hope this helps

unSpawn · 09-09-2006, 07:26 AM

The first question I think should be if it's necessary to run a publicly accessable MTA and if so what precautions you took to block illegitimate access because IP range blocking is a last resort option, not without problems and it means *you* have to make repeated efforts to keep up with changes.

They are looking for a mail relay which never succeeds. My logs are always full of attempts
So in essence there really is no problem (doesn't succeed) but you're only concerned about logfile entries, right?

Using plain WHOIS output will be a problem because it doesn't cover the whole AS. Using low resolution ranges will be a problem if the AS block is as hole-ridden as the proverbial swiss cheese (say 59.0.0.0/8 but not 59.120.0.0/14) which means you could be blocking possibly legitimate access. Thats why you use AS information. You'll have to flush the chains say once a month because CIDR blocks are updated regularly and even then (like Hakusan says) you may encounter incomplete ranges. For the script I choose CIDR-report because it seems more up to date. The Hakusan solution is easy: basically you find the ASN the IP is in (sites like CIDR-report or Fixedorbit), then query those sites for the details and add those to your firewall.
Here's an example (w/o input checks!) for blocking AS3462 (HINET AS 1 of 3):

Code:

/sbin/iptables -N CIDRBLOCKS; links -dump "http://www.cidr-report.org/cgi-bin/as-report?as=3462"\
|grep "/[0-9]\{1,3\})"|awk '{print $NF}'|while read range; do range=${range//(/}; range=${range//)/}; 
/sbin/iptables -A CIDRBLOCKS -s ${range} -j DROP; done

Any corrections welcome.

Emerson · 09-09-2006, 09:46 AM

You may consider joining http://www.mynetwatchman.com/

TigerOC · 09-09-2006, 03:52 PM

Thanks for all your input. Whilst the Postfix rules stop the relays, people who telnet into the server like this are generally up to no good anyway and I would prefer to keep them at arms length and hence the enquiry.