Re: Use iptables to block all non-US ssh traffic
From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 09/18/05
- Previous message: matt_left_coast: "Re: Use iptables to block all non-US ssh traffic"
- In reply to: matt_left_coast: "Re: Use iptables to block all non-US ssh traffic"
- Next in thread: Brad Olin: "Re: Use iptables to block all non-US ssh traffic"
Date: Sat, 17 Sep 2005 21:19:54 -0500
In the Usenet newsgroup comp.os.linux.security, in article
<oZKdnS0Ly6yIO7HeRVn-rQ@rcn.net>, matt_left_coast wrote:
>And even if they are ASSIGNED to companies based in Europe, Russia, and
>a few pieces of North Africa and the Middle East, that is no guarantee
>that the addresses are DEPLOYED in those areas.
Quite so - there are a number of spammers based in BY, EE, RU, and UA
according to the registrations and such. Do a traceroute, and the
hosts are one or at most two hops (and maybe 0.04 msec) from a gateway
router in New York City. But then, what about
[compton ~]$ cut -d' ' -f1 < IP.ADDR/stats/APNIC | sort -u | column
AF BT GU KH MN NC PF SG VN
AP CH HK KI MO NF PG TH VU
AS CK ID KR MP NP PH TO WS
AU CN IN LA MU NR PK TV
BD FJ IO LK MV NU PW TW
BN GB JP MM MY NZ SB US
[compton ~]$
Do you know your country codes? Then explain CH GB and US.
You also get people with 'vanity domains' registered in places like
Norfolk Island (nf), Tonga (to) or Tuvalu (tv) whose hosts are just
windoze boxes hanging off their Comcast or SBC cable box.
[compton ~]$ cut -d' ' -f1 < IP.ADDR/stats/ARIN | sort -u | column
AG BB CH FI HU JP LU PR VI
AI BE CZ FR IE KR MX SE
AR BM DE GB IL KY NL SG
AT BS DO GD IT LB NO TR
AU CA ES HK JM LC PL US
[compton ~]$
That's always good for a laugh.
>A multi-national company based in Europe may well get a set of addresses
>from RIPE but USE the addresses in their USA sales offices. In which
>case, if you were trying to allow USA located computers access to your
>web page but block all others and you used the RIPE range of addresses,
>you would be blocking those RIPE assigned addresses deployed in the USA.
>The reverse is true for those address assigned by ARIN.
Yeah, but unless "sales.washington.foo.bar.bz" actually DNSs to some
US assigned address, you _probably_ connect to them through some site in
their home country. Example - my company is registered in New York state,
but if you traceroute to us, the last thing you see is BBN near San Jose,
California. I'm not there either - and the company has subnets on five
continents and twenty-nine countries. We recently had a little to-do with
a local pizza joint here (Arizona), who refused our connections, because
"you are in New York (or California)". So we don't order pizza from his
web site for those late afternoon or evening munchies. Imagine the poor
workers in France or Japan who also appear to be in New York (or California).
If you try to connect to our web site from Asia, you'll be routed to
points of presence there (and not using our address space). Send mail
from China to our company, and it ends up in an office in Shanghai
(where they can read Big8). Again those hosts are not in our primary
block, but are using 203.x.x.x addresses we get from some Chinese ISP.
The _hostnames_ are in our company zone, but packets from Asian customers
stay in Asia, rather than being routed via California. There is also this
bit about "time zones". It's done by the magic of DNS.
Old guy
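The registry-versus-country mismatch shown in the post, as an added example that is not part of the original message: it reads the RIRs' pipe-delimited delegated-stats layout (registry|cc|type|start|value|date|status) rather than the poster's local IP.ADDR/stats files, and measures what a "US = everything in ARIN" filter would miss or wrongly include. The function names are hypothetical and the sample records are constructed, using documentation address ranges.

```shell
#!/bin/sh
# Constructed sample records (not real allocations).
# For ipv4 records the fifth field is the number of addresses.
sample_stats() {
cat <<'EOF'
2|apnic|20050917|3|19830101|20050916|+1000
apnic|*|ipv4|*|3|summary
apnic|JP|ipv4|198.51.100.0|128|20050101|allocated
apnic|US|ipv4|203.0.113.0|256|20050101|assigned
apnic|US|ipv6|2001:db8::|32|20050101|assigned
arin|US|ipv4|192.0.2.0|128|20050101|assigned
arin|DE|ipv4|192.0.2.128|128|20050101|assigned
EOF
}

# Per registry and country code: total IPv4 addresses registered.
# The version header and the summary lines are skipped.
cc_by_registry() {
    awk -F'|' '$3 == "ipv4" && $2 != "*" { n[$1 " " $2] += $5 }
               END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# Which registries hold IPv4 space registered under country code $1?
registries_for_cc() {
    awk -F'|' -v cc="$1" '$3 == "ipv4" && $2 == cc { print $1 }' |
        LC_ALL=C sort -u | paste -sd' ' -
}

# Error of treating "registry $2" as "country $1":
#   missed = addresses registered under $1 but held by another registry
#   extra  = addresses in registry $2 registered under another country
mismatch() {
    awk -F'|' -v cc="$1" -v reg="$2" '
        $3 != "ipv4" || $2 == "*" { next }
        $2 == cc && $1 != reg { missed += $5 }
        $2 != cc && $1 == reg { extra += $5 }
        END { printf "missed=%d extra=%d\n", missed, extra }'
}

sample_stats | cc_by_registry
sample_stats | mismatch US arin
```

The country code counted here is the registration country only; as the post describes, it does not say where the addresses are deployed.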