How to block all requests from subdomains like *.dynamic-ip.hinet.net
hi,
I'm getting massive attack requests from different subdomains like
36-225-122-51.dynamic-ip.hinet.net
36-226-148-210111-249-1-88.dynamic.hinet.net
111-249-5-234.dynamic.hinet.net
111-249-1-88.dynamic.hinet.net
etc., etc.
How, on a Debian Wheezy, can I simply block all requests coming from the subdomains *.dynamic.hinet.net, or block just the root domain with its subdomains?
You might want to actually tell us what kind of requests these are.... HTTP requests??
At a network level you can't realistically block it by domain *name*, that's too resource intensive and never done. However, those are (presumably) home user IP ranges on that ISP, and as such will all come from a set of fixed ranges. If you look up the IPs at http://wq.apnic.net/apnic-bin/whois.pl you can see the range that they come from:
Code:
inetnum: 111.249.0.0 - 111.249.127.255
netname: HINET-NET
descr: Taipei Taiwan
country: TW
admin-c: HN184-TW
tech-c: HN184-TW
mnt-by: MAINT-TW-TWNIC
remarks: This information has been partially mirrored by APNIC from
remarks: TWNIC. To obtain more specific information, please use the
remarks: TWNIC whois server at whois.twnic.net.
changed: network-adm@hinet.net 20100428
status: ASSIGNED NON-PORTABLE
source: TWNIC
So an iptables rule for 111.249.0.0/17 would cover two of those 4 examples.
Out of curiosity, since we're talking about hinet.net, are you perchance running a mail server? If so, I would recommend subscribing to and using one of the RBL services, as this will reject the vast majority of their attempts.
Yes, running a Postfix/Courier mail server on a Debian Wheezy minimal.
All are SMTP requests, still today and never so massively, always with new IP addresses when one gets dropped; if not, they go on stubbornly knocking.
Postfix is blocking them; I'm getting this kind of log when a client tries to send via SMTP but does not deliver any authentication:
Jan 17 03:03:42 postfix/smtpd[20319]: NOQUEUE: reject: RCPT from 1-171-230-239.dynamic.hinet.net[1.171.230.239]: 450 4.7.1 Helo command rejected: Host not found; from=<cvimaabj@yahoo.com> to=<a83f@yahoo.com.tw> proto=SMTP helo
I have fail2ban installed but it does not cover this, I think because the hinet.net crowd does not even try to authenticate themselves.
RBL service:
I put those in my smtpd_recipient_restrictions.
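As an added example (not code from the thread), here is a small Python script that parses Postfix reject lines of the kind quoted above, counts them per reverse-DNS suffix and per netblock (using the 111.249.0.0/17 range from the whois lookup), and emits the matching iptables drop rule. The sample log is constructed; the regex and the netblock are the only things taken from the thread.

```python
import ipaddress
import re
from collections import Counter

# Matches the postfix smtpd reject line quoted in the thread: client hostname,
# client IP in brackets, SMTP status code, then the reason up to the ';'.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>\S+)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"(?P<code>\d{3}) (?P<reason>[^;]+)"
)

# Constructed sample log (addresses are illustrative; the first line mirrors
# the format the poster quoted, the last line is a normal connect and must be ignored).
SAMPLE_LOG = """\
Jan 17 03:03:42 postfix/smtpd[20319]: NOQUEUE: reject: RCPT from 1-171-230-239.dynamic.hinet.net[1.171.230.239]: 450 4.7.1 Helo command rejected: Host not found; from=<a@example.com> to=<b@example.net> proto=SMTP helo=<x>
Jan 17 03:04:01 postfix/smtpd[20321]: NOQUEUE: reject: RCPT from 111-249-5-234.dynamic.hinet.net[111.249.5.234]: 450 4.7.1 Helo command rejected: Host not found; from=<c@example.com> to=<d@example.net> proto=SMTP helo=<y>
Jan 17 03:04:09 postfix/smtpd[20321]: NOQUEUE: reject: RCPT from 111-249-1-88.dynamic.hinet.net[111.249.1.88]: 450 4.7.1 Helo command rejected: Host not found; from=<e@example.com> to=<f@example.net> proto=SMTP helo=<z>
Jan 17 03:05:00 postfix/smtpd[20330]: connect from mail.example.org[192.0.2.10]
"""

def parse_rejects(log_text):
    """Return one dict per 'NOQUEUE: reject' line: host, ip, code, reason."""
    return [m.groupdict() for m in map(REJECT_RE.search, log_text.splitlines()) if m]

def count_by_netblock(records, netblocks):
    """Count rejects per CIDR block; IPs outside every block land in 'other'."""
    nets = [ipaddress.ip_network(b) for b in netblocks]
    counts = Counter()
    for rec in records:
        ip = ipaddress.ip_address(rec["ip"])
        hit = next((str(n) for n in nets if ip in n), "other")
        counts[hit] += 1
    return counts

def count_by_domain(records, suffix):
    """Count rejects whose reverse-DNS name ends in the given domain suffix."""
    suffix = "." + suffix.lstrip(".")
    return sum(1 for r in records if r["host"].endswith(suffix))

def iptables_rule(netblock, port=25):
    """Inbound drop rule for a whole block on the SMTP port (what the reply
    above suggests for 111.249.0.0/17); the CIDR is validated before use."""
    net = ipaddress.ip_network(netblock)
    return f"iptables -I INPUT -s {net} -p tcp --dport {port} -j DROP"
```

The same pattern, with `<HOST>` in place of the `ip` group, is the shape a fail2ban `failregex` takes, which closes the gap where no authentication attempt is ever logged.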
You could try postgrey or policyd-weight and also set connection limits. The policy servers drop connections after basic connection info is established, which reduces the resource demands of accepting and processing. The connection limits also slow them down a lot; I once had a host that tried to connect every second, so I limited connections to 4 a minute and only 1 at a time.