• Blocking entire domains

    From James H. Markowitz@110:110/2002 to All on Sun Apr 6 03:12:54 2014
    I keep getting breakin attempts from a variety of domains, the
    worst being hinet.net. I would therefore be interested in blocking all
    IP addresses in this domain with iptables rules. Is this possible?
    Looking into the actual addresses I notice that they seem to be all
    over the place, so iptables might not be the best solution here. Any
    ideas?

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: albasani.net (110:110/2002@linuxnet)
  • From Keith Keller@110:110/2002 to All on Sun Apr 6 03:38:05 2014
    On 2014-04-06, James H. Markowitz <noone@nowhere.net> wrote:
    > I keep getting breakin attempts from a variety of domains, the
    > worst being hinet.net. I would therefore be interested in blocking all
    > IP addresses in this domain with iptables rules. Is this possible?
    > Looking into the actual addresses I notice that they seem to be all
    > over the place, so iptables might not be the best solution here. Any
    > ideas?

    An alternative, if your break-in attempts are on a service that supports tcpwrappers, is to make an entry into /etc/hosts.deny blocking all of
    the offending domain's hosts. Something like

    sshd: .offending.domain

    would block access to sshd, or

    ALL: .offending.domain

    would block access to all tcpwrapper-capable services.

    --keith

    --
    kkeller-usenet@wombat.san-francisco.ca.us
    (try just my userid to email me) AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
    see X- headers for PGP signature information


    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:110/2002@linuxnet)
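To make the suggestion above concrete, here is a small model of how TCP Wrappers evaluates the client field of an /etc/hosts.deny entry (the pattern rules of hosts_access(5)). It is an added example, not code from the thread or from TCP Wrappers itself; the hosts.deny contents and the client records it checks are constructed. It also shows the limit of the ".offending.domain" form: it only matches when the connecting address has a reverse-DNS (PTR) name, so a net/mask entry is included for comparison.

```python
"""Minimal model of how TCP Wrappers matches the client field of an
/etc/hosts.deny entry, following the pattern rules of hosts_access(5).
Added example, not code from the thread or from TCP Wrappers itself;
the hosts.deny contents and client records below are constructed."""
import ipaddress

# Constructed /etc/hosts.deny: the entries suggested above plus a
# net/mask entry so the address form can be compared with the domain form.
HOSTS_DENY = """
# daemon_list : client_list
sshd: .offending.domain
ALL:  .offending.domain, 192.0.2.0/255.255.255.0
"""


def parse_access_file(text):
    """Return a list of (daemon_list, client_list); comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, addr, hostname):
    """hostname is the client's reverse-DNS (PTR) name, or None if no PTR exists.
    Real TCP Wrappers also verifies that the PTR name resolves back to addr
    (the PARANOID case); that step is omitted here."""
    if pattern == "ALL":
        return True
    if pattern == "UNKNOWN":                 # clients without a usable PTR name
        return hostname is None
    if pattern == "KNOWN":
        return hostname is not None
    if pattern.startswith("."):              # ".domain" matches names ending with it
        return hostname is not None and hostname.lower().endswith(pattern.lower())
    if pattern.endswith("."):                # "n.n." matches addresses starting with it
        return addr.startswith(pattern)
    if "/" in pattern:                       # "net/mask" form, e.g. 192.0.2.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return addr == pattern or (hostname is not None and hostname.lower() == pattern.lower())


def denied(rules, daemon, addr, hostname):
    """True if any hosts.deny entry covers this daemon and client.
    (TCP Wrappers consults hosts.allow first and a match there wins;
    only the deny side is modelled here.)"""
    for daemons, clients in rules:
        if daemon in daemons or "ALL" in daemons:
            if any(client_matches(p, addr, hostname) for p in clients):
                return True
    return False


if __name__ == "__main__":
    rules = parse_access_file(HOSTS_DENY)
    # Constructed client records: (daemon, address, PTR name or None)
    for daemon, addr, ptr in [("sshd", "203.0.113.5", "mail.offending.domain"),
                              ("sshd", "203.0.113.6", None),
                              ("sendmail", "192.0.2.77", None)]:
        print(daemon, addr, ptr, "->", "DENY" if denied(rules, daemon, addr, ptr) else "pass")
```

The second client in the demo has no PTR record, so the ".offending.domain" entry never sees it; only an address-based entry (or UNKNOWN) catches such hosts, which is why the domain form alone is not a complete block.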
  • From James H. Markowitz@110:110/2002 to All on Sun Apr 6 14:25:11 2014
    On Sat, 05 Apr 2014 20:38:05 -0700, Keith Keller wrote:

    > On 2014-04-06, James H. Markowitz <noone@nowhere.net> wrote:
    >> I keep getting breakin attempts from a variety of domains, the
    >> worst being hinet.net. I would therefore be interested in blocking all
    >> IP addresses in this domain with iptables rules. Is this possible?
    >> Looking into the actual addresses I notice that they seem to be all
    >> over the place, so iptables might not be the best solution here. Any
    >> ideas?
    >
    > An alternative, if your break-in attempts are on a service that supports
    > tcpwrappers, is to make an entry into /etc/hosts.deny blocking all of
    > the offending domain's hosts. Something like
    >
    > sshd: .offending.domain
    >
    > would block access to sshd, or
    >
    > ALL: .offending.domain
    >
    > would block access to all tcpwrapper-capable services.

    Thanks for your suggestion. What I had in mind was for sendmail,
    and after some googling I came across the surprisingly simple iptables incantation:

    iptables -I INPUT -p tcp --dport 25 -m string --string "Host: hinet.net" --algo bm -j DROP

    I haven't had any entries associated with hinet.net addresses in
    my sendmail log file ever since. Hopefully it is not just a coincidence.


    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: albasani.net (110:110/2002@linuxnet)
  • From Pascal Hambourg@110:110/2002 to All on Sun Apr 6 15:08:13 2014
    Reply-To: pascal.news@plouf.fr.eu.org

    Hello,

    James H. Markowitz wrote:
    > I keep getting breakin attempts from a variety of domains, the
    > worst being hinet.net. I would therefore be interested in blocking all
    > IP addresses in this domain with iptables rules. Is this possible?

    Short answer: no. iptables doesn't know about domains.

    > Thanks for your suggestion. What I had in mind was for sendmail,
    > and after some googling I came across the surprisingly simple iptables
    > incantation:
    >
    > iptables -I INPUT -p tcp --dport 25 -m string --string "Host: hinet.net" --algo bm -j DROP

    Of course this has nothing to do with your original request. I am
    surprised, AFAIK "Host:" string is not part of the SMTP protocol, but
    rather the HTTP protocol. Do the attackers try to speak HTTP to your
    SMTP server? Also, beware of the side-effects: if this post had been
    transmitted by mail, your rule may have blocked it because it contains
    the string.

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: Plouf ! (110:110/2002@linuxnet)
  • From Joe Beanfish@110:110/2002 to All on Mon Apr 7 14:05:37 2014
    On Sun, 06 Apr 2014 03:12:54 +0000, James H. Markowitz wrote:

    > I keep getting breakin attempts from a variety of domains, the worst
    > being hinet.net. I would therefore be interested in blocking all IP
    > addresses in this domain with iptables rules. Is this possible? Looking
    > into the actual addresses I notice that they seem to be all over the
    > place, so iptables might not be the best solution here. Any ideas?

    Very doable. But ignore "domains", use IP blocks. Use whois to find the
    IP block that contains the offending address. Then decide if you want
    to block that entire IP block.

    Here are some large block allocations you might want to block: http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt

    Be more or less selective to your taste.

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:110/2002@linuxnet)
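The whois-and-block approach above, worked through as an added example (not code from the thread): take the address range from a whois record, convert it to CIDR prefixes, and load those into an ipset so that a single iptables rule drops the whole allocation. The whois text is a constructed sample in the "inetnum:" style used by RIPE and APNIC records (ARIN records use "NetRange:" and "CIDR:" lines); the ranges are documentation space, not a real allocation, and nothing below executes ipset or iptables.

```python
"""Find the registry allocation containing an offending address and block it
as a whole. Added example, not code from the thread; the whois text is a
constructed sample and no command is executed, only printed."""
import ipaddress
import re

# Constructed whois output; 192.0.2.0/24 is documentation space, so this is
# not a real allocation.
SAMPLE_WHOIS = """\
inetnum:        192.0.2.10 - 192.0.2.20
netname:        EXAMPLE-NET-1
descr:          constructed sample record
country:        ZZ
"""

RANGE_RE = re.compile(r"^(?:inetnum|NetRange):\s*(\S+)\s*-\s*(\S+)", re.M | re.I)
CIDR_RE = re.compile(r"^CIDR:\s*(.+?)\s*$", re.M)


def blocks_from_whois(text):
    """Return the minimal list of CIDR strings covering every range in the record.
    Registry ranges are often not CIDR-aligned, so one inetnum can turn into
    several prefixes; summarize_address_range() does that arithmetic."""
    nets = []
    for lo, hi in RANGE_RE.findall(text):
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    for line in CIDR_RE.findall(text):
        nets.extend(ipaddress.ip_network(c.strip()) for c in line.split(","))
    out = []
    for version in (4, 6):   # collapse_addresses() refuses mixed versions
        out.extend(ipaddress.collapse_addresses([n for n in nets if n.version == version]))
    return [str(n) for n in out]


def covered(cidrs, addr):
    """True if a single address falls inside any of the blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def ipset_commands(setname, cidrs):
    """Emit the ipset + iptables lines that drop all the blocks with ONE rule.
    Assumes the ipset tool and the xt_set match are present; the set is IPv4
    only (an IPv6 set needs 'family inet6'). Keeping blocks in a hash:net set
    avoids a long chain of per-block rules that the kernel walks linearly."""
    cmds = [f"ipset create {setname} hash:net -exist"]
    cmds += [f"ipset add {setname} {c} -exist" for c in cidrs if ":" not in c]
    cmds.append(f"iptables -I INPUT -p tcp --dport 25 "
                f"-m set --match-set {setname} src -j DROP")
    return cmds


if __name__ == "__main__":
    blocks = blocks_from_whois(SAMPLE_WHOIS)
    print("blocks:", blocks)
    print("192.0.2.15 covered:", covered(blocks, "192.0.2.15"))
    print("\n".join(ipset_commands("blocked", blocks)))
```

Run it against the output of `whois <address>` instead of the sample and you get the ipset lines for that allocation; the decision of whether a whole /14 is worth dropping, as the reply says, is still yours.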
  • From Moe Trin@110:110/2002 to All on Mon Apr 7 19:12:51 2014
    On Mon, 7 Apr 2014, in the Usenet newsgroup comp.os.linux.networking, in article <lhubbg$f3o$2@dont-email.me>, Joe Beanfish wrote:

    > James H. Markowitz wrote:
    >
    >> I keep getting breakin attempts from a variety of domains,

    "breakin attempts"? In the other part of this thread, you speak of
    sendmail, rather than SSH, telnet, FTP, web server or what-ever.

    >> the worst being hinet.net. I would therefore be interested in
    >> blocking all IP addresses in this domain with iptables rules. Is
    >> this possible? Looking into the actual addresses I notice that they
    >> seem to be all over the place, so iptables might not be the best
    >> solution here.

    Hinet is the telephone company in Taiwan and thus one of the largest
    ISPs there. Last I bothered to look, they had over 40 IPv4 blocks
    scattered from 1.x.x.x to 220.x.x.x.

    If you must have your servers accepting incoming connections to all
    135875 network blocks allocated by the five Regional Internet Registries (AfriNIC, APNIC, ARIN, LACNIC and RIPE), you're getting into the "Self
    Denial of Service Attack" zone, where what ever you do is going to cost
    you a lot of CPU cycles, or is going to have a bunch of false positives,
    or both. Your "-m string" rule is a good example of both problems.

    Blocking domains - best done with Wietse Venema's old "TCP Wrapper"
    program (version 7.6 was last updated ~17 years ago). It depends on the offending host having an IP->hostname lookup (DNS PTR record), which
    isn't always the case. It can also block by IP range, but isn't as
    versatile as a full-blown firewall.

    If all you are concerned about is "sendmail", look at the documentation
    of the various milters you can run as part of sendmail. The newsgroup comp.mail.sendmail would be a good place to start.

    > Very doable. But ignore "domains", use IP blocks. Use whois to find
    > the IP block that contains the offending address. Then decide if you
    > want to block that entire IP block.

    The problem with that is that there is a huge number of network blocks allocated/assigned, and the IP registries did not allocate or assign
    those blocks in a manner conducive to blocking. Using 60.x.x.x as an
    example, APNIC assigned that /8 in 83 blocks to eleven countries: AU,
    CN, ID, IN, JP, KP, MO, MY, NZ, TW and US. (Know your ISO-3166 country
    codes?)

    > Here are some large block allocations you might want to block:

    Good luck. If we're going to use APNIC as an example, that RIR has
    issued blocks to registrants claiming to be in the following countries:

    AF BT GU KI MN NF PG TK VU
    AP CK HK KP MO NL PH TL WF
    AS CN ID KR MP NP PK TO WS
    AT DE IN LA MU NR PW TV
    AU FJ IO LK MV NU SB TW
    BD FM JP MH MY NZ SG US
    BN GB KH MM NC PF TH VN

    Lessee, AT is Austria, AU is Australia, DE is Germany, GB is England,
    AP is the whole Asia/Pacific region... yeah, real selective that.

    > Be more or less selective to your taste.

    Depending on where you WANT to offer services, it may be easier to just
    "ALLOW" certain blocks, and let the default BLOCK or DROP rule handle
    the rest. Or you can try to block each of the 577 IPv4 blocks assigned
    to Taiwan (but don't forget the 76 IPv6 blocks assigned there also) and
    so on. That is better than using a log reader like Blockhosts, BruteForceBlocker, Denyhosts, Fail2ban or SSHguard that tries to block
    one IP address at a time (as of Mar 15, 2014, there were 3549161880 or
    about 3.55 billion IPv4 addresses allocated/assigned by the five RIRs).

    Old guy

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: Crash Test Dummy Training Academy (110:110/2002@linuxnet)
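The allow-list policy from the last reply, as an added example that is not code from the thread: accept a short list of blocks and let the default DROP handle everything else. It also illustrates the "Self Denial of Service" point about CPU cost. A chain of N per-block rules is walked linearly, so a non-matching packet costs up to N comparisons, while a binary prefix trie (the longest-prefix lookup that ipset hash:net sets and the kernel routing table approximate) costs at most 32 steps for IPv4 and 128 for IPv6 no matter how many blocks are loaded. All blocks and addresses below are constructed.

```python
"""Allow-list policy with default DROP, plus a cost comparison between a
linear rule chain and a prefix trie. Added example, not code from the
thread; every block and address here is constructed."""
import ipaddress
import random


class PrefixTrie:
    """Binary trie keyed on address bits, one root per IP version.
    A node flagged 'hit' terminates an allowed prefix."""

    def __init__(self):
        self.roots = {4: {}, 6: {}}

    def add(self, cidr):
        net = ipaddress.ip_network(cidr)
        node, bits = self.roots[net.version], int(net.network_address)
        # Walk the prefix bits from most significant down to the prefix length.
        for i in range(net.max_prefixlen - 1, net.max_prefixlen - net.prefixlen - 1, -1):
            node = node.setdefault((bits >> i) & 1, {})
        node["hit"] = True

    def contains(self, addr):
        """Return (allowed, steps_taken); the first covering prefix ends the walk."""
        ip = ipaddress.ip_address(addr)
        node, bits, steps = self.roots[ip.version], int(ip), 0
        for i in range(ip.max_prefixlen - 1, -1, -1):
            if node.get("hit"):
                return True, steps
            node = node.get((bits >> i) & 1)
            steps += 1
            if node is None:
                return False, steps
        return bool(node.get("hit")), steps


def networks(cidrs):
    """Parse CIDR strings once, the way a rule chain holds them."""
    return [ipaddress.ip_network(c) for c in cidrs]


def linear_allowed(nets, addr):
    """The per-rule chain walk: (allowed, comparisons_made)."""
    ip = ipaddress.ip_address(addr)
    for n, net in enumerate(nets, 1):
        if ip in net:
            return True, n
    return False, len(nets)


def policy(trie, addr):
    """Default DROP: only addresses inside an allowed block are accepted."""
    return "ACCEPT" if trie.contains(addr)[0] else "DROP"


def compare_cost(n_blocks=5000, n_lookups=200, seed=1):
    """Average comparisons per lookup for both structures on random /16 blocks."""
    rnd = random.Random(seed)
    cidrs = {f"{rnd.randint(1, 223)}.{rnd.randint(0, 255)}.0.0/16" for _ in range(n_blocks)}
    nets = networks(cidrs)
    trie = PrefixTrie()
    for c in cidrs:
        trie.add(c)
    probes = [f"{rnd.randint(1, 223)}.{rnd.randint(0, 255)}.{rnd.randint(0, 255)}.1"
              for _ in range(n_lookups)]
    lin = sum(linear_allowed(nets, p)[1] for p in probes) / n_lookups
    tri = sum(trie.contains(p)[1] for p in probes) / n_lookups
    return lin, tri


if __name__ == "__main__":
    t = PrefixTrie()
    for c in ("198.51.100.0/24", "2001:db8::/32"):   # constructed allow-list
        t.add(c)
    for a in ("198.51.100.77", "198.51.101.1", "2001:db8:1::5", "2001:db9::1"):
        print(a, policy(t, a))
    lin, tri = compare_cost()
    print(f"avg comparisons per lookup: linear={lin:.0f} trie={tri:.1f}")
```

With the default 5000 random blocks, a packet from outside the allow-list costs the linear chain the full 5000 comparisons but the trie well under 32; that gap is the difference between "577 iptables rules for Taiwan" and one set match, and it is why the per-address log readers named above scale even worse.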