LinuxQuestions.org

Linux - Security forum: How to block IP range of China Russia and other countries. (https://www.linuxquestions.org/questions/linux-security-4/how-to-block-ip-range-of-china-russia-and-other-countries-816189/)

rahilmaknojia 06-24-2010 03:11 PM

How to block IP range of China Russia and other countries.
 
My server was attacked by China, Russia, and other countries via SSH. I use SSH from other parts of the network, like the internet, to access my home server. I just want to know how to add the IP range of another country to the hosts.deny file.

mpapet 06-24-2010 03:49 PM

Think Again.
 
Does "attack" mean successfully logged into your server? Or does it mean script kiddies banging away at SSH with a dictionary attack and never getting in? If it's the latter, it never ends.

If you really want to block IPs, then the firewall is the better place to implement this. iptables has everything you need.

Maybe you should consider switching to PKI authentication for ssh? 'Easier' solutions are changing the port ssh listens on and using strong passwords.

unixfool 06-24-2010 04:13 PM

Quote:

Originally Posted by mpapet (Post 4013992)
Does "attack" mean successfully logged into your server? Or does it mean script kiddies banging away at SSH with a dictionary attack and never getting in? If it's the latter, it never ends.

If you really want to block IPs, then the firewall is the better place to implement this. iptables has everything you need.

Maybe you should consider switching to PKI authentication for ssh? 'Easier' solutions are changing the port ssh listens on and using strong passwords.

The OP should elaborate, but it seems like he's hinting at brute force attempts, which is NOT scanning, no matter how automated it is and no matter if it's script-kiddie-ish. The key words you used were "dictionary attack".

Scanning is one thing. Attacking is another. We all interpret things differently, but those bruteforce attempts are actual login attempts (and nothing like nmap scanning [not saying that that's condoned, either])...

He can block this via the sshd config file, use denyhosts or any other host-level autoblocking tool, or even use a local (or network) firewall. All of this and more is covered in the "SSH" sticky thread at the top of the security forums.

win32sux 06-24-2010 05:14 PM

Quote:

Originally Posted by rahilmaknojia (Post 4013958)
My server was attacked by China, Russia, and other countries via SSH. I use SSH from other parts of the network, like the internet, to access my home server. I just want to know how to add the IP range of another country to the hosts.deny file.

Also, if you're willing to consider using iptables instead, I posted one possible approach here. If you still want to use hosts.deny, tweaking my instructions should be a snap. Personally, I'd stick to iptables, as it ensures that your SSH daemon never sees any packets from those IPs – at all.

Noway2 06-24-2010 08:06 PM

This page may be of interest to the OP and contains a list of IP ranges for the regions with the highest level of malicious traffic. http://www.countryipblocks.net/

Personally, I think that blocking such ranges in an attempt to gain security is a futile effort at best. While you may cut down on some of the noise traffic, the only thing you will accomplish is to guarantee that whoever gains access to your system either originates from or proxies through a different region.

Your efforts would be MUCH better spent securing your system against ALL attacks. The previous posts in this thread have already given you the tools on how to do this.

win32sux 06-24-2010 08:33 PM

Quote:

Originally Posted by Noway2 (Post 4014203)
Your efforts would be MUCH better spent securing your system against ALL attacks.

Excellent point. Of course, blocking IP ranges which you know you'll never be accessing from (and from which you're seeing attacks) is still a good idea, and shouldn't be discarded (whether it's part of a broader approach or not). Hopefully when the OP replies we'll get a feel for how much effort he is willing to dedicate to hardening his SSH daemon. I'm also looking forward to his responses to the requests for clarification he received here, as this could possibly be a compromised machine we're dealing with, which would change everything.

rahilmaknojia 06-25-2010 08:13 AM

Quote:

Originally Posted by unixfool (Post 4014014)
The OP should elaborate, but it seems like he's hinting at brute force attempts, which is NOT scanning, no matter how automated it is and no matter if it's script-kiddie-ish. The key words you used were "dictionary attack".

Scanning is one thing. Attacking is another. We all interpret things differently, but those bruteforce attempts are actual login attempts (and nothing like nmap scanning [not saying that that's condoned, either])...

He can block this via the sshd config file, use denyhosts or any other host-level autoblocking tool, or even use a local (or network) firewall. All of this and more is covered in the "SSH" sticky thread at the top of the security forums.

Unixfool, I am also using denyhosts to block login attempts after more than 3 tries. But I didn't block SSH in the denyhosts file because it blocks all the IP addresses. I don't want to block the IP address of the place where I work. Last time, my server at home blocked the IP address of the company where I work, and I wasn't able to get in until I stopped the denyhosts service and removed that IP address from the hosts.deny file.

Guys, I also configured iptables as shown in this discussion; let's see how it works. One more question: how do I check if iptables drops the packets of an incoming attack?

unixfool 06-25-2010 08:38 AM

Quote:

Originally Posted by rahilmaknojia (Post 4014713)
Last time, my server at home blocked the IP address of the company where I work, and I wasn't able to get in until I stopped the denyhosts service and removed that IP address from the hosts.deny file.

There is a whitelist option that you can use to prevent this.

Quote:

Originally Posted by rahilmaknojia (Post 4014713)
Guys, I also configured iptables as shown in this discussion; let's see how it works. One more question: how do I check if iptables drops the packets of an incoming attack?

I haven't seen the iptables config (yet), but you can configure the firewall to log THEN drop. It should record the logs in your syslog (or wherever you're telling it to log).
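As an added example (not code from anyone in this thread), here is the log-then-drop layout unixfool describes, combined with the whitelist idea from the denyhosts discussion: a dedicated iptables chain that first RETURNs for the office IP, then logs (rate-limited) and drops SSH packets from a country CIDR list, plus a small helper that answers "are my packets being dropped?" by counting the logged drops per source in syslog. The chain name SSH_GEO, the log prefix, the whitelist IP, the CIDR list and the log lines are all constructed sample values.

```shell
#!/bin/sh
# Added example: country-range blocking for SSH with log-then-drop and a whitelist.
# All addresses, the chain name and the log prefix are constructed assumptions.

WHITELIST="203.0.113.10"   # constructed: the office IP that must never be blocked

# Constructed CIDR list standing in for a downloaded country block list
BLOCK_CIDRS='198.51.100.0/24
192.0.2.0/24'

# Print the iptables commands; review them, then apply with: gen_rules | sudo sh
gen_rules() {
    printf 'iptables -N SSH_GEO\n'
    # Whitelisted source leaves the chain before any LOG/DROP rule is reached
    printf 'iptables -A SSH_GEO -s %s -j RETURN\n' "$WHITELIST"
    echo "$BLOCK_CIDRS" | while read -r cidr; do
        [ -n "$cidr" ] || continue
        # LOG is a non-terminating target, so the matching DROP must follow it;
        # the limit match keeps a flood from filling syslog
        printf 'iptables -A SSH_GEO -s %s -m limit --limit 5/min -j LOG --log-prefix "SSH-GEO-DROP: "\n' "$cidr"
        printf 'iptables -A SSH_GEO -s %s -j DROP\n' "$cidr"
    done
    # Insert at the top of INPUT so the chain runs before any ACCEPT for port 22
    printf 'iptables -I INPUT -p tcp --dport 22 -j SSH_GEO\n'
}

# Read syslog/kern.log on stdin and count logged drops per source IP,
# most frequent first (this is how to confirm the DROP rules are firing)
count_drops() {
    grep 'SSH-GEO-DROP:' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# Constructed sample log lines in the shape the kernel LOG target produces
SAMPLE_LOG='Jun 25 09:00:01 home kernel: SSH-GEO-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.5 PROTO=TCP DPT=22
Jun 25 09:00:03 home kernel: SSH-GEO-DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=192.168.1.5 PROTO=TCP DPT=22
Jun 25 09:00:05 home kernel: SSH-GEO-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.5 PROTO=TCP DPT=22
Jun 25 09:00:06 home sshd[123]: Accepted publickey for rahil from 203.0.113.10'

# Usage: gen_rules            (prints the rules)
#        printf '%s\n' "$SAMPLE_LOG" | count_drops   (prints "2 198.51.100.7" first)
```

On a live box replace SAMPLE_LOG with `grep SSH-GEO-DROP /var/log/syslog` (or wherever the kernel facility is routed), and keep the whitelist RETURN rule above the DROP rules or the office IP will be cut off exactly as it was with denyhosts.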

rahilmaknojia 06-25-2010 09:08 AM

Quote:

Originally Posted by unixfool (Post 4014745)
There is a whitelist option that you can use to prevent this.

What is a whitelist?

unixfool 06-25-2010 09:19 AM

It is a listing of IPs that should not be blocked by denyhosts.

rahilmaknojia 06-25-2010 09:28 AM

Quote:

Originally Posted by unixfool (Post 4014776)
It is a listing of IPs that should not be blocked by denyhosts.

Okay, and how do I set that up?

unixfool 06-25-2010 10:53 AM

Quote:

Originally Posted by rahilmaknojia (Post 4014784)
Okay, and how do I set that up?

http://denyhosts.sourceforge.net/faq.html#3_7

rahilmaknojia 06-25-2010 12:51 PM

Quote:

Originally Posted by unixfool (Post 4014851)

Okay, I created the file /use/share/denyhosts/data/allowed.hosts and added some IP addresses to allow. But I want to know if I have to do anything else in the denyhosts configuration file?

unixfool 07-29-2010 09:46 AM

Quote:

Originally Posted by rahilmaknojia (Post 4014979)
Okay, I created the file /use/share/denyhosts/data/allowed.hosts and added some IP addresses to allow. But I want to know if I have to do anything else in the denyhosts configuration file?

Just seeing this now.

I suggest reading the whole FAQ, then maybe googling denyhosts to determine how others are using it and how others are configuring it... visiting the denyhosts webpage should be enough, though.

wertum 08-03-2010 03:39 AM

Quote:

Originally Posted by rahilmaknojia (Post 4013958)
My server was attacked by China, Russia, and other countries via SSH. I use SSH from other parts of the network, like the internet, to access my home server. I just want to know how to add the IP range of another country to the hosts.deny file.

FULL ANSWER:
linux.opennet.ru/tips/info/1969.shtml

GO TO TRANSLATE.GOOGLE.COM
