Re: Use iptables to block all non-US ssh traffic

From: base60 (nobody_at_whitehouse.com)
Date: 09/17/05


Date: Sat, 17 Sep 2005 20:53:12 GMT

Moe Trin wrote:
> In the Usenet newsgroup comp.os.linux.security, in article
> <KpIWe.24439$ua.138324@twister.southeast.rr.com>, base60 wrote:
>
>
>>>>What I need is a quick and dirty list of non-US Ip's to block.
>
>
>>>Unfortunately, there is no such list.
>
>
>>Ah, actually, ICANN has a web page that lists which A's are assigned
>>where. Don't recall the URL, but it wasn't hard to find.
>
>
> http://www.iana.org/assignments/ipv4-address-space
>
> Never mind that "Class A" address blocks went out of style in 1993, such
> information is not informative.
>
>
>>>Worse, there can be no such list.
>>
>>Hmmmmmm, I guess no-one told ICANN....
>
>
> I certainly wouldn't want to waste the CPU cycles trying to use such a list.
> The data is easy enough to get from the five RIRs, but there is a ton of it.
> I grab a copy on the 15th of each month.
>
>
>>Correct, but it's a safe bet that the Class As assigned to China etc,
>>aren't being used much in the US :)
>
>
> China has no "Class As".

Sorry, I use China interchangeably with APNIC.

>
> [compton ~]$ grep 'CN ' IP.ADDR/stats/[ALR]* | cut -d' ' -f3 | sort | uniq -c | column
> 1 255.192.0.0 114 255.254.0.0 101 255.255.240.0
> 2 255.224.0.0 126 255.255.0.0 82 255.255.248.0
> 5 255.240.0.0 82 255.255.128.0 34 255.255.252.0
> 30 255.248.0.0 74 255.255.192.0 21 255.255.254.0
> 55 255.252.0.0 118 255.255.224.0 39 255.255.255.0
> [compton ~]$
>
>
>>Well, starting with the ones assigned to China, Korea, etc., seems like
>>a good start.

Agreed, and my point.

>
>
> [compton ~]$ grep 'CN ' IP.ADDR/stats/[ALR]* | cut -d' ' -f2 | cut -d'.' -f1 | sort | uniq -c | sort -n +1 | column
> 38 58 1 134 1 167 70 203 13 220
> 28 59 1 159 1 168 70 210 58 221
> 30 60 1 161 4 192 35 211 63 222
> 70 61 1 162 1 198 46 218
> 11 125 1 166 313 202 27 219
> [compton ~]$ grep 'CN ' IP.ADDR/stats/[ALR]* | grep ' 134\.'
> IP.ADDR/stats/APNIC:CN 134.196.0.0 255.255.0.0 allocated
> [compton ~]$ grep 'KR ' IP.ADDR/stats/[ALR]* | cut -d' ' -f2 | cut -d'.' -f1 | sort | uniq -c | sort -n +1 | column
> 11 58 1 137 1 156 8 168 10 218
> 3 59 1 141 1 157 1 169 2 219
> 1 60 1 143 1 158 24 192 10 220
> 13 61 4 147 1 161 20 202 7 221
> 9 125 2 150 3 163 34 203 6 222
> 1 128 2 152 2 164 1 206
> 1 129 1 154 10 165 75 210
> 1 134 1 155 4 166 85 211
> [compton ~]$ grep 'KR ' IP.ADDR/stats/[ALR]* | grep ' 134\.'
> IP.ADDR/stats/APNIC:KR 134.75.0.0 255.255.0.0 allocated
> [compton ~]$
>
> There you go Poopsie! Knock yourself out. But you might want to know before
> you go blocking 134.0.0.0/8 (as one example):
>
> [compton ~]$ grep -h ' 134\.' IP.ADDR/stats/[ALR]* | cut -d' ' -f1 | sort | uniq -c | sort +1 | column
> 7 AU 1 DE 1 HK 1 PR
> 8 CA 66 EU 3 JP 1 TW
> 1 CN 1 FI 1 KR 147 US
> [compton ~]$
>
>
>>Also, if you use tcpwrappers, you can toss in a block for all non-US
>>based domains.
>
>
> Just how, exactly? I've just shown that IP blocks are assigned on what
> amounts to be a random basis. Are you going to block on TLDs?

Yes.

> Well, that
> won't work, because .com, .net, .org is assigned world wide, not just the
> US, and anyway you are then trusting the rDNS which isn't exactly the
> smartest thing ever.

Agreed, but please note that I said non-US based and, as you've
noted, .com etc. do not fit that description. I'm referring to .jp etc.

Our default posture is to deny unless explicitly allowed. Using the
TLDs etc. as filters is mostly to reduce the volume of IDS alerts.

If we do wrap someone out, they receive contact info and I find that
legitimate people aren't shy about complaining.

Access complaints are processed by the helpdesk and security incidents
are processed by the CISO's office. The former are clerical and the
latter are rectal :-)
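The thread above shows the two halves of the job by hand: pull per-country allocations out of the RIR stats files, and check how many countries share a /8 before blocking the whole thing. The script below is an added example written for this page, not code posted by either participant. It assumes the public "delegated-<rir>-latest" files from the five RIRs, whose records look like `registry|cc|type|start|value|date|status` (value being the address count for ipv4 records); the records in `SAMPLE_STATS` are constructed to illustrate the format and are not real allocations, and the chain name `SSH_GEO` is an assumption. Unlike the one-prefix-per-line assumption in the post's grep pipelines, it splits counts that are not a power of two into the minimal set of CIDR blocks.

```python
#!/usr/bin/env python3
"""Turn RIR delegated-stats records into iptables rules for chosen country
codes, and count how many countries appear inside a given /8.

Added example for this thread, not code from either poster. Assumed input:
the RIR "delegated-<rir>-latest" format, one record per line:
    registry|cc|type|start|value|date|status
The sample below is constructed for illustration and is not real data.
"""
import ipaddress
from collections import Counter

# Constructed sample records (not real allocations), modelled on the format.
SAMPLE_STATS = """\
apnic|CN|ipv4|134.196.0.0|65536|20000101|allocated
apnic|KR|ipv4|134.75.0.0|65536|20000101|allocated
arin|US|ipv4|134.1.0.0|65536|19900101|assigned
arin|US|ipv4|134.2.0.0|131072|19900101|assigned
ripencc|EU|ipv4|134.60.0.0|65536|19950101|allocated
apnic|CN|ipv4|202.96.0.0|3072|19990101|allocated
apnic|CN|ipv4|58.14.0.0|131072|20040101|allocated
apnic|*|ipv4|*|100|summary
arin|US|ipv6|2001:400::|32|20000101|allocated
"""


def parse_ipv4_records(text):
    """Yield (cc, start, count, status) for ipv4 records; skip comments,
    summary lines and other address families."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split('|')
        # Summary lines have six fields; newer files append extra fields.
        if len(fields) < 7 or fields[2] != 'ipv4' or fields[6] == 'summary':
            continue
        _registry, cc, _type, start, value, _date, status = fields[:7]
        yield cc, ipaddress.IPv4Address(start), int(value), status


def to_cidrs(start, count):
    """RIR counts are not always a power of two (3072 = /21 + /22), so split
    the range into the minimal set of CIDR blocks instead of one prefix."""
    start = ipaddress.IPv4Address(start)
    last = start + (count - 1)
    return list(ipaddress.summarize_address_range(start, last))


def country_cidrs(text, countries):
    """Map each wanted country code to its list of CIDR blocks, keeping only
    blocks actually handed out (allocated/assigned), not reserved ones."""
    out = {cc: [] for cc in countries}
    for cc, start, count, status in parse_ipv4_records(text):
        if cc in out and status in ('allocated', 'assigned'):
            out[cc].extend(to_cidrs(start, count))
    return out


def iptables_rules(text, countries, chain='SSH_GEO', port=22):
    """Render iptables commands: a dedicated chain (name is an assumption),
    one DROP per prefix tagged with its country, and a jump from INPUT that
    only inspects new SSH connections so established sessions are untouched."""
    rules = [f'iptables -N {chain}']
    for cc, nets in country_cidrs(text, countries).items():
        for net in nets:
            rules.append(f'iptables -A {chain} -s {net} '
                         f'-m comment --comment "{cc}" -j DROP')
    rules.append(f'iptables -A {chain} -j RETURN')
    rules.append(f'iptables -I INPUT -p tcp --dport {port} '
                 f'-m conntrack --ctstate NEW -j {chain}')
    return rules


def countries_in_slash8(text, first_octet):
    """Count records per country code whose start lies in <first_octet>/8,
    the sanity check worth running before anyone blocks an entire /8."""
    net = ipaddress.IPv4Network(f'{first_octet}.0.0.0/8')
    return Counter(cc for cc, start, _count, _status
                   in parse_ipv4_records(text) if start in net)


if __name__ == '__main__':
    for rule in iptables_rules(SAMPLE_STATS, ['CN', 'KR']):
        print(rule)
    print(dict(countries_in_slash8(SAMPLE_STATS, 134)))
```

To run it against real data, concatenate the five delegated files and pass the text in place of `SAMPLE_STATS`; the per-country lists run to thousands of prefixes, which is the CPU-cost objection raised above and the reason a set-based match (ipset, or a hash in a userspace filter) is preferable to one iptables rule per prefix.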


