Slackware: This forum is for the discussion of Slackware Linux.
First of all, my apologies to all the Chinese and Russian Slackware users in this forum. But here goes.
I'm running a few dedicated servers for clients, with a handful of specialized services like library management or school management. It's all more or less running on LAMP servers and supposed to be accessed around here, meaning in South France.
I have many hostile connections on these machines, mostly brute force attempts, which I keep out with a couple of iptables rules limiting the number of connections per minute. Only I'm facing a real tsunami here, and I thought about a more radical solution.
Is there a way to block whole countries using iptables? I've tracerouted some folks back, and they seem to originate mostly from China and Russia, with the odd Nigerian IP.
I do something similar with some of my servers, using the "reject" function of the "route" utility.
For instance:
route add -net 46.29.250.0 netmask 255.255.255.0 reject
The real way to do this is with a firewall rule, but "route" has been good enough that I haven't bothered. Maybe someone else will show us how to do that, to both our benefits.
Last edited by ttk; 06-04-2013 at 02:43 PM.
Reason: added route example
To see the address range(s) of the offending networks, run "whois" on the dotted IP address. For instance, "whois 46.29.250.191" shows that the address originates from a network owned by someone in Tallinn, Estonia, and has a range of 46.29.250.0 - 46.29.251.255.
The example command I gave in my previous post blocked the lower half of that range.
Also, if you unzip http://mixoftech.com/downloads/windo...all_script.zip you will find a file named windows_firewall_script/BlockList.txt which purports to contain all of the address ranges for China, Russia, and Iran. It's a start.
Any way to just allow your known users instead of trying to block ranges?
I would agree that a whitelist is a better idea. Even if hack attempts seem to be coming from these countries, that doesn't mean that's where the hackers/crackers are.
I've done it using lists such as given by @nikosis (in my case, http://www.countryipblocks.net/), using a little AWK program to format them into IPTABLES directives. Works wonderfully.
When I start to see crap coming from somewhere that would have zero interest in my servers, I simply block the entire country and be done with it. That might be harsh, but anyplace that encourages (or sponsors!) these sorts of activities I have no reason to allow them on the property as it were.
Don't forget Korea (both of them) and, possibly, Brazil (seen a lot of activity from them).
You may want to check Internet Storm Center https://isc.sans.edu/ for other candidates -- China seems to be the largest offender but, alas, there are (too many) others...
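As an added example (not code from any poster in this thread), here is the kind of AWK-driven conversion described above: it takes a plain list of IPv4 ranges in CIDR form, like the country blocklists ttk and tronayne mention, and prints iptables commands for a dedicated chain. The list contents, the chain name GEOBLOCK and the function name gen_rules are assumptions made for the example; nothing is applied until the printed output is piped to sh.

```shell
#!/bin/sh
# Added example, not code from this thread: convert a plain list of IPv4
# CIDR ranges (one per line, as in the country blocklists mentioned above)
# into iptables commands for a dedicated chain. The commands are only
# printed; review them, then pipe the output to sh to apply them.

# Constructed sample list (not real country data). Comments and blank
# lines are allowed; the last entry is deliberately malformed.
SAMPLE_LIST='# constructed example list
46.29.250.0/24
203.0.113.0/24

198.51.100.0/22
not-an-address
'

# gen_rules CHAIN  <  list
# Emits: create/flush the chain, one DROP per valid range, a RETURN at the
# end, and a jump from INPUT into the chain. Invalid entries are reported
# on stderr and skipped rather than silently producing a bad rule.
gen_rules() {
    chain=${1:-GEOBLOCK}
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    awk -v chain="$chain" '
        /^[[:space:]]*#/ { next }          # skip comment lines
        NF == 0          { next }          # skip blank lines
        {
            ok = 1
            # must be addr/prefix with a numeric prefix length of 0..32
            if (split($1, p, "/") != 2 || p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)
                ok = 0
            # address part must be four numeric octets, each 0..255
            if (ok && split(p[1], o, ".") != 4)
                ok = 0
            if (ok) {
                for (i = 1; i <= 4; i++)
                    if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255)
                        ok = 0
            }
            if (!ok) {
                print "skipped invalid entry: " $1 > "/dev/stderr"
                next
            }
            printf "iptables -A %s -s %s -j DROP\n", chain, $1
        }'
    echo "iptables -A $chain -j RETURN"
    echo "iptables -I INPUT 1 -j $chain"
}

# Usage: print the rules for the constructed sample list.
printf '%s' "$SAMPLE_LIST" | gen_rules GEOBLOCK
```

Keeping the ranges in their own chain means the list can be rebuilt with a single flush instead of touching the rest of the INPUT policy, and the validation step catches the stray text that downloaded lists often contain before it reaches iptables.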
I believe that shutting down whole countries is a frakking bad practice, because you have also shut down a very huge number of (possible) friendly users.
And you always have a very elegant solution to close the gates: using SSH key authentication and completely shutting down the SSH login access.
Also, there are methods of automatically blocking (also punctually) the users who attempt brute force attacks.
Take care and ... consider that blocking whole countries is considered a (very) xenophobic thing in the world of server administration.
Last edited by Darth Vader; 06-05-2013 at 08:24 AM.
I agree. I know many people blame China and Russia, but there is no proof that these hack attempts actually come from these countries. They can be routed through servers there and appear to be coming from there.
There are better, nicer, more elegant solutions. But, I guess nobody can be bothered.
If only people you know should be accessing your servers, then whitelist only them and block everyone else. If everyone else should be accessing your servers then use smart methods to detect attacks and block them automatically. I am very much against IP range banning. I have been the victim of this many times and in many places.
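As an added example (not code from any poster in this thread) of the automatic, per-attacker blocking that the last two replies recommend instead of banning ranges, here is a small sh/awk script that counts failed SSH logins per source address in sshd log lines and prints iptables rules only for addresses that reach a threshold. The log lines, the threshold, the chain name BRUTEFORCE and the function names find_bruteforcers and gen_block_rules are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from this thread: find source addresses with too
# many failed SSH logins in sshd log output and emit iptables rules for just
# those addresses. Rules are printed for review, not applied.

# Constructed sample of sshd syslog lines; not real traffic.
SAMPLE_LOG='Jun  4 14:01:12 srv sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jun  4 14:01:14 srv sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jun  4 14:01:17 srv sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Jun  4 14:01:19 srv sshd[2106]: Failed password for invalid user admin from 203.0.113.7 port 51131 ssh2
Jun  4 14:02:03 srv sshd[2110]: Accepted publickey for alice from 198.51.100.20 port 40010 ssh2
Jun  4 14:02:40 srv sshd[2115]: Failed password for alice from 198.51.100.20 port 40022 ssh2
Jun  4 14:03:02 srv sshd[2120]: Failed password for invalid user test from 192.0.2.99 port 33001 ssh2
Jun  4 14:03:05 srv sshd[2120]: Failed password for invalid user test from 192.0.2.99 port 33001 ssh2
Jun  4 14:03:09 srv sshd[2120]: Failed password for invalid user test from 192.0.2.99 port 33001 ssh2'

# find_bruteforcers [THRESHOLD]  <  log
# Reads log lines on stdin and prints "count ip" for every source address
# whose failed password logins reach THRESHOLD (default 3), highest first.
# A single typo by a legitimate user stays below the threshold.
find_bruteforcers() {
    threshold=${1:-3}
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the address is the field after "from"
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= t) printf "%d %s\n", fails[ip], ip
        }' | sort -rn
}

# gen_block_rules [CHAIN]  <  "count ip" lines
# Turns the list from find_bruteforcers into DROP rules in a dedicated
# chain that only sees new SSH connections, so nothing else is affected.
gen_block_rules() {
    chain=${1:-BRUTEFORCE}
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    while read -r count ip; do
        echo "iptables -A $chain -s $ip -j DROP   # $count failed logins"
    done
    echo "iptables -I INPUT 1 -p tcp --dport 22 -j $chain"
}

# Usage: run the detection over the constructed log and print the rules.
printf '%s\n' "$SAMPLE_LOG" | find_bruteforcers 3 | gen_block_rules BRUTEFORCE
```

Run from cron against the live auth log, this blocks only the addresses that actually misbehave and leaves the rest of a country's users alone; pairing it with key-only SSH, as suggested above, removes the password-guessing surface altogether.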