How to block IP range of China Russia and other countries.
Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
My server was attacked from China, Russia, and other countries via ssh. I use ssh from other parts of the network, such as the internet, to access my home server. I just want to know how to add the IP ranges of other countries to the hosts.deny file.
Does "attack" mean successfully logged into your server? Or, does it mean script kiddies banging away at ssh with a dictionary attack and never getting in. If it's the latter, it never ends.
If you really want to block IPs then the firewall is the better place to implement this. Iptables has everything you need.
Maybe you should consider switching to PKI authentication for ssh? 'Easier' solutions are changing the port ssh listens on and using strong passwords.
The OP should elaborate, but it seems like he's hinting at brute force attempts, which is NOT scanning, no matter how automated it is and no matter if it's script-kiddie-ish. The key words you used were "dictionary attack".
Scanning is one thing. Attacking is another. We all interpret things differently, but those brute-force attempts are actual login attempts (and nothing like nmap scanning [not saying that that's condoned, either])...
He can block this via the sshd config file, use denyhosts or any other host-level autoblocking tool, or even use a local (or network) firewall. All of this and more is covered in the "SSH" sticky thread at the top of the security forums.
Also, if you're willing to consider using iptables instead, I posted one possible approach here. If you still want to use hosts.deny, tweaking my instructions should be a snap. Personally, I'd stick to iptables, as it ensures that your SSH daemon never sees any packets from those IPs – at all.
This page may be of interest to the OP and contains a list of IP ranges for the regions with the highest level of malicious traffic. http://www.countryipblocks.net/
Personally, I think that blocking such ranges in an attempt to gain security is a futile effort at best. While you may cut down on some of the noise traffic, the only thing you will accomplish is to guarantee that whoever gains access to your system either originates from or proxies through a different region.
Your efforts would be MUCH better spent securing your system against ALL attacks. The previous posts in this thread have already given you the tools for doing this.
Excellent point. Of course, blocking IP ranges which you know you'll never be accessing from (and from which you're seeing attacks) is still a good idea, and shouldn't be discarded (whether it's part of a broader approach or not). Hopefully when the OP replies we'll get a feel for how much effort he is willing to dedicate to hardening his SSH daemon. I'm also looking forward to his responses to the requests for clarification he received here, as this could possibly be a compromised machine we're dealing with, which would change everything.
Unixfool, I am also using denyhosts to block login attempts after more than 3 tries. But I didn't block ssh in the denyhosts file because it blocks all the IP addresses. I don't want to block the IP address from where I work. Last time, my server at home blocked the IP address of the company where I work, and I wasn't able to get in until I stopped the denyhosts service and removed that IP address from the hosts.deny file.
Guys, I also configured iptables as it was shown in this discussion, and let's see how it works. One more question: how do I check if iptables drops the packets to respond to an incoming attack?
There is a whitelist option that you can use to prevent this.
I haven't seen the iptables config (yet) but you can configure the firewall to log THEN drop. It should record the logs in your syslog (or where ever you're telling it to log).
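Two points from this thread can be checked offline together: the whitelist-before-block ordering that keeps the work IP from being locked out, and reading syslog to confirm the LOG-then-DROP rule is actually firing. The example below is added here and is not code from any poster; the ranges, host names and log lines are constructed placeholders, and the log line shape assumes the DROP rule was preceded by `-j LOG --log-prefix "SSH-DROP: "`.

```python
"""Added example: whitelist-then-drop rule order, plus a syslog check that drops happen."""
import ipaddress
import re
from collections import Counter

# Constructed placeholder ranges (not real country blocks): the admin's
# workplace /32 lies inside a /24 that is otherwise dropped.
ALLOWED = [ipaddress.ip_network("198.51.100.10/32")]
BLOCKED = [ipaddress.ip_network("198.51.100.0/24"),
           ipaddress.ip_network("192.0.2.0/24")]

def decide(src):
    """Verdict in iptables rule order: the whitelist ACCEPT comes first, so the
    work IP inside a blocked range still gets in; the rest of BLOCKED is dropped."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in ALLOWED):
        return "ACCEPT"
    if any(ip in net for net in BLOCKED):
        return "DROP"
    return "ACCEPT"  # default policy for everything else

# Shape of a line written by `-j LOG --log-prefix "SSH-DROP: "` placed before DROP.
LOG_RE = re.compile(r"(?P<prefix>[\w-]+): IN=\S* .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")

# Constructed syslog excerpt; the sshd line is noise the parser must skip.
SAMPLE_SYSLOG = """\
Jun 25 12:55:01 home kernel: SSH-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=10.0.0.5 PROTO=TCP SPT=41234 DPT=22 SYN
Jun 25 12:55:03 home kernel: SSH-DROP: IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=22 SYN
Jun 25 12:55:04 home sshd[1234]: Accepted publickey for admin from 203.0.113.5 port 50022 ssh2
Jun 25 12:55:07 home kernel: SSH-DROP: IN=eth0 OUT= SRC=198.51.100.10 DST=10.0.0.5 PROTO=TCP SPT=50023 DPT=22 SYN
Jun 25 12:55:09 home kernel: SSH-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=10.0.0.5 PROTO=TCP SPT=41235 DPT=22 SYN
"""

def dropped_by_source(syslog_text, prefix="SSH-DROP", port="22"):
    """Count logged drops per source IP on the SSH port."""
    counts = Counter()
    for line in syslog_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("prefix") == prefix and m.group("dpt") == port:
            counts[m.group("src")] += 1
    return dict(counts)

def unexpected_drops(counts):
    """Sources dropped although policy says ACCEPT: the lockout the thread
    warns about (wrong rule order or a missing whitelist entry)."""
    return sorted(src for src in counts if decide(src) == "ACCEPT")
```

Run `dropped_by_source` over the real syslog (or wherever the LOG target writes) to see the drop counts, and `unexpected_drops` flags any source the policy says should get through but the firewall dropped anyway.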
Okay, I created the file /usr/share/denyhosts/data/allowed.hosts and added some IP addresses to allow. But I want to know if I have to do anything else in the denyhosts configuration file?
Last edited by rahilmaknojia; 06-25-2010 at 12:55 PM.
Just seeing this now.
I suggest reading the whole FAQ, then maybe googling denyhosts to determine how others are using it and how others are configuring it....visiting the denyhosts webpage should be enough, though.
FULL ANSWER: linux.opennet.ru/tips/info/1969.shtml