Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I keep getting these nice authentication failures that have a hostname of:
rhost=50-56-125-156.static.cloud-ips.com
I am trying to find out the correct IP address range to block to filter all incoming connections to my network from the static.cloud-ips.com network.
So far I have been unsuccessful in finding out what their network address really is.
Whois didn't give much info,
nslookup has nothing,
dig had very little helpful info.
Actually that's not true. static.cloud-ips.com serves 3 prefixes: 50.56.128.0/17, 207.97.192.0/18 and 67.23.0.0/19, all Rackspace. I'm not saying that's complete wrt prefix coverage or that there aren't any other ranges in other ASNs.
I'll block all those too. Kinda strange that nothing is done about people abusing that service though. I've seen plenty of articles on the internet complaining about people hiding behind cloud IP services doing this...
Practically speaking, if you're going to block ranges or whole net blocks, then for "established" ranges things don't change around, but otherwise 0) be sure to check regularly whether they're still valid and whether there are any holes in a range, and 1) don't clog up your filter table INPUT chain with it but use the raw table. Even better: use ipset. It makes managing rules virtually painless.
Quote:
Originally Posted by Gortex
Kinda strange that nothing is done about people abusing that service though. I've seen plenty of articles on the internet complaining about people hiding behind cloud IP services doing this...
Sorry, doing what exactly? (Examples?)
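As an added example (not code from the thread), assuming the three prefixes unSpawn listed and the rhost from the OP's log line: a POSIX sh script that checks whether an address is actually covered by a set of prefixes before you block them, and prints the ipset plus raw-table rules unSpawn recommends instead of filter INPUT entries. Run on 50.56.125.156 it reports "no", since that host sits below 50.56.128.0/17 (third octet 125, not 128-255), which is exactly the kind of hole he says to check for.

```sh
#!/bin/sh
# Added example, not from the thread. Prefixes are the ones unSpawn listed;
# the offender is the host from the OP's log line. Pure POSIX sh, no root
# needed: the ipset/iptables commands are printed, not executed.

# Dotted quad -> 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/LEN -> prints "yes" or "no".
in_cidr() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    len=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    if [ $(( addr & mask )) -eq $(( net & mask )) ]; then echo yes; else echo no; fi
}

# covered ADDR PREFIX... -> "yes" if any prefix contains ADDR, else "no".
covered() {
    addr=$1; shift
    for p in "$@"; do
        if [ "$(in_cidr "$addr" "$p")" = yes ]; then echo yes; return 0; fi
    done
    echo no
}

# Emit the commands for a hash:net set matched in the raw table's PREROUTING
# chain, so dropped packets never reach conntrack or the filter INPUT chain.
# Pipe the output to sh as root to apply it.
emit_rules() {
    set_name=$1; shift
    echo "ipset create $set_name hash:net -exist"
    for p in "$@"; do echo "ipset add $set_name $p -exist"; done
    echo "iptables -t raw -I PREROUTING -m set --match-set $set_name src -j DROP"
}

PREFIXES="50.56.128.0/17 207.97.192.0/18 67.23.0.0/19"   # from unSpawn's post
OFFENDER=50.56.125.156                                   # rhost from the OP's log
# 50.56.125.156 is NOT inside 50.56.128.0/17, so a set built only from the
# listed prefixes would still let this host through.
echo "$OFFENDER covered by block list: $(covered "$OFFENDER" $PREFIXES)"
emit_rules cloudips $PREFIXES
```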
Well, I got about 5000 hits from random addresses on their network, trying to brute force my SSH service.
Other people have other types of break-in attempts they were reporting...
Quote:
Originally Posted by Gortex
I keep getting these nice authentication failures that have a hostname of:
rhost=50-56-125-156.static.cloud-ips.com
In an attempt to answer the question you didn't ask: this type of occurrence underscores the importance of properly securing your system and applying your security in layers. By your post, I assume that you mean SSH authentication failures. While blocking the whole IP ranges may help cut down on some of the clutter, it does come with potential downsides and possible unintended consequences. For example, you may say that you would never log in from XYZ domain, which may be true until you are staying at a hotel somewhere. Second, if these addresses are spoofed or making use of compromised systems, the attempts can easily come from somewhere else. Third, as unSpawn alluded to, IPv4 address ranges are somewhat dynamic and do change.
While I am not saying don't implement block lists (I myself do, especially with regards to emails), be sure that you are using them in conjunction with other, more reliable means of security.
Edit: Followup
Quote:
well I got about 5000 hits from random addresses on their network