Re: Use iptables to block all non-US ssh traffic
From: base60 (nobody_at_whitehouse.com)
Date: 09/18/05
- Previous message: darkog: "Re: Use iptables to block all non-US ssh traffic"
- In reply to: Moe Trin: "Re: Use iptables to block all non-US ssh traffic"
- Next in thread: Moe Trin: "Re: Use iptables to block all non-US ssh traffic"
- Reply: Moe Trin: "Re: Use iptables to block all non-US ssh traffic"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 18 Sep 2005 04:53:53 GMT
Moe Trin wrote:
> In the Usenet newsgroup comp.os.linux.security, in article
> <Ym%We.30621$ua.299227@twister.southeast.rr.com>, base60 wrote:
>
>
>>Moe Trin wrote:
>
>
>>>China has no "Class As".
>>
>>Sorry, I use China interchangeably with APNIC.
>
>
> There's one heck of a large difference, as shown in my reply to
> "matt_left_coast". But to answer that...
Yes: Korea, Taiwan etc.
>
> [compton ~]$ cut -d' ' -f3 < IP.ADDR/stats/APNIC | sort | uniq -c | sort -n +1 | column
> 1 255.0.0.0 240 255.254.0.0 1095 255.255.0.0
> 4 255.192.0.0 301 255.255.128.0 1118 255.255.240.0
> 8 255.224.0.0 427 255.255.192.0 1177 255.255.254.0
> 25 255.240.0.0 661 255.255.248.0 4190 255.255.255.0
> 81 255.248.0.0 961 255.255.252.0
> 138 255.252.0.0 1060 255.255.224.0
> [compton ~]$ grep -E '255.(0|192).0.0' IP.ADDR/stats/APNIC
> CN 59.192.0.0 255.192.0.0 allocated
> JP 60.64.0.0 255.192.0.0 allocated
> JP 126.0.0.0 255.0.0.0 allocated
> JP 219.0.0.0 255.192.0.0 allocated
> JP 220.0.0.0 255.192.0.0 allocated
> [compton ~]$
>
> The "allocated" means that it has been assigned to a smaller IR (in this
> case nic.ad.jp - the national registry for Japan and cnnic.net.cn - the
> national registry for China) and that organization has allocated/assigned
> chunks to ISPs and local IRs. Gone are the days when you could get a /8,
> and APNIC is rather stingy handing out /9s and /10s it would seem.
>
>
>>>Just how, exactly? I've just shown that IP blocks are assigned on what
>>>amounts to be a random basis. Are you going to block on TLDs?
>>
>>Yes.
>
>
> Both "matt_left_coast" and I have shown that to be impractical.
Re-read the part below where I mention that our default was to
deny all unless explicitly allowed etc.
Given the manner in which we're using the tlds etc, I would
disagree.
Even if that were not the case, the restriction of blocks
assigned to APNIC etc. in regards to ssh is unlikely to
create a problem for anyone.
>
>
>>Agreed, but please note that I said non-US based and, as you've
>>noted, .com etc. do not fit that description. I'm referring to .jp etc.
>
>
> So, whois Sony? Matsushita? NEC? Mazda? Toyota? I know it varies a
> lot, but checks of my spam traps on the home firewall show Japan not even
> in the top 10.
The discussion is in reference to ssh.
> Actually, I see ABOUT 38 percent of the stupid stuff comes
> from the US (mainly zombies on cable nets), followed by China 11%, Korea
> Canada and Brazil each with 6%, France with 3%, and so on. Even Taiwan
> and Hong Kong have been pushed out of the top ten. And yes, I am in the
> USA.
Yes, I realize that. Prescott etc. Lovely area... probably why
your computer is in need of an upgrade :)
I would agree with the above more or less... we tend to get a lot of
Nigerian scams from Europe and a lot of porn from Colombia.
> I don't run (or even have access) to the corporate firewall, but the
> last time I asked, their results were broadly similar - main stuff from
> cable zombies.
>
>
>>Our default posture is to deny unless explicitly allowed. Using the
>>TLDs etc. as filters is mostly to reduce the volume of IDS alerts.
>
>
> WTF are they getting so far as to hit IDS??? Sounds like your firewall
> isn't set well, and/or your "available services" needs work.
Oh, I would completely agree :)
The agency which is responsible for firewalls decided the best response
to nimda was to pretty much disable them.
It's gotten better since then, but our assumption is that all of our
networks are compromised and proceed accordingly.
>
>
>>If we do wrap someone out, they receive contact info and I find that
>>legitimate people aren't shy about complaining.
>
>
> If you are referring to mail, I don't handle the company stuff (that's
> a corporate problem), but because we're multi-national, a lot of our
> regional mail goes to regional offices direct. I know they are running
> spam-assassin, but know little how it's configured.
I meant for ssh.
Spamassassin is typically installed under mimedefang which is plugged
into sendmail as a milter. It just scans the inbound and returns a
value to mimedefang. The mimedefang-filter (perl) compares that
value to a configurable trigger and branches.
You can handroll your own rules for SA, use http://www.rulesemporium.com
or both.
Good package... people using it typically grab clamav, too.
>
> If you are referring to web services,
No, this was for ssh.
> those are in DMZs within the
> regions, and mainly run from read-only media. FTP downloads are similar.
> We don't accept uploads. PERIOD.
We have to.... unique IDs/passwords, chroot'd wu-ftpd with all shell
access disabled and all uploaded files are pgp'd.
A process on the server uses the private key to decrypt into an area
outside of the jail.
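As an added example (not code from either poster), here is how the per-registry approach discussed in this thread can be turned into reviewable iptables rules. It assumes the four-column "CC network netmask status" layout of the quoted IP.ADDR/stats/APNIC file, which is a locally derived file; the registry's own published delegation file uses a different, pipe-delimited layout and would need its own parser. The script prints the rules instead of running iptables so the output can be inspected first, converts the dotted netmasks shown in the quoted table to prefix lengths, and skips any line whose mask is non-contiguous or whose network is not aligned to its mask, since either would otherwise produce a rule covering the wrong range.

```shell
#!/bin/sh
# Added example, not from the thread. Reads registry lines in the four-column
# "CC network netmask status" layout quoted above and prints iptables rules
# that drop inbound SSH from each block. It only prints; it never calls iptables.

# Constructed sample: the first five lines are copied from the quoted grep
# output; the last two are constructed to exercise the checks (a "reserved"
# block that must be skipped, and a network not aligned to its netmask).
SAMPLE_STATS='CN 59.192.0.0 255.192.0.0 allocated
JP 60.64.0.0 255.192.0.0 allocated
JP 126.0.0.0 255.0.0.0 allocated
JP 219.0.0.0 255.192.0.0 allocated
JP 220.0.0.0 255.192.0.0 allocated
XX 203.0.113.0 255.255.255.0 reserved
XX 198.51.100.7 255.255.255.0 allocated'

# Dotted quad -> integer, e.g. 255.192.0.0 -> 4290772992. Fails on bad input.
ip2int() {
    _old_ifs=$IFS; IFS=.; set -- $1; IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Dotted netmask -> prefix length, e.g. 255.192.0.0 -> 10. Rejects masks whose
# set bits are not contiguous (255.0.255.0), which have no valid /N form.
mask2prefix() {
    _old_ifs=$IFS; IFS=.; set -- $1; IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    _bits=0; _partial=0
    for _o in "$@"; do
        case $_o in
            255) _n=8 ;; 254) _n=7 ;; 252) _n=6 ;; 248) _n=5 ;;
            240) _n=4 ;; 224) _n=3 ;; 192) _n=2 ;; 128) _n=1 ;; 0) _n=0 ;;
            *) return 1 ;;
        esac
        # Once an octet has fewer than 8 ones, every later octet must be 0.
        if [ "$_partial" -eq 1 ] && [ "$_n" -ne 0 ]; then return 1; fi
        [ "$_n" -eq 8 ] || _partial=1
        _bits=$((_bits + _n))
    done
    echo "$_bits"
}

# Read stats lines on stdin and print one DROP rule per usable block. Lines
# that fail a check are reported on stderr and skipped, so a malformed
# registry line never silently becomes a rule covering the wrong range.
ssh_block_rules() {
    while read -r _cc _net _mask _status; do
        case $_status in allocated|assigned) ;; *) continue ;; esac
        if ! _prefix=$(mask2prefix "$_mask"); then
            echo "skip (bad netmask): $_cc $_net $_mask" >&2; continue
        fi
        if ! _n=$(ip2int "$_net") || ! _m=$(ip2int "$_mask"); then
            echo "skip (bad address): $_cc $_net $_mask" >&2; continue
        fi
        if [ $(( _n & ~_m )) -ne 0 ]; then
            echo "skip (network not aligned to mask): $_cc $_net $_mask" >&2; continue
        fi
        echo "iptables -A INPUT -p tcp --dport 22 -s $_net/$_prefix -m comment --comment \"$_cc registry block\" -j DROP"
    done
}

# Number of rules the sample yields (5: two sample lines are rejected).
sample_rule_count() {
    printf '%s\n' "$SAMPLE_STATS" | ssh_block_rules 2>/dev/null | grep -c ''
}

printf '%s\n' "$SAMPLE_STATS" | ssh_block_rules
```

Run it as `sh script.sh > ssh-block.sh`, review the generated rules and the skip messages on stderr, and only then apply them; the rules belong ahead of the ACCEPT for port 22 in a default-deny INPUT chain, which matches the deny-unless-allowed posture described above. The `-m comment` tag makes the source of each rule visible in `iptables -L` when an alert is later traced back to it.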