Re: Use iptables to block all non-US ssh traffic

From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 09/20/05


Date: Tue, 20 Sep 2005 14:28:24 -0500

In the Usenet newsgroup comp.os.linux.security, in article
<dgmoql$kl2$1@news.tamu.edu>, Chris Barnes wrote:

>Frankly, I wouldn't care a whit if some of the blocked addresses are used
>in the US. What matters is where *MY USERS* might be coming from. That
>is a finite number and even for "world traveler physics professors", the
>list isn't all that exhaustive.

That's a whole different kettle of fish, and is _relatively_ easier. First,
have every person you expect to connect remotely (I'm assuming predominantly
from home), and look at the addresses in the headers. Look _those_ addresses
up at ARIN - lather, rinse, repeat.

>cox-internet.com

  24.56.0.0 - 24.56.63.255
  24.234.0.0 - 24.234.255.255
  24.248.0.0 - 24.255.255.255
  64.58.128.0 - 64.58.191.255
  66.210.0.0 - 66.210.255.255
  68.0.0.0 - 68.15.255.255
  68.96.0.0 - 68.111.255.255
  68.224.0.0 - 68.231.255.255
  70.160.0.0 - 70.191.255.255
  216.54.0.0 - 216.54.127.255

WARNING: List is far from complete

>verizon.net

They're not local to me - can't help. They have quite a few blocks.

>(and these only because they are the 2 high speed internet providers in
>our little town)

But if you check, you'll probably find they are not the only one your
users are using. I get the "last mile" from QWorst (local phone franchise),
but my DSL (and addresses) comes from a completely different provider.

>The rest all going to be predominately either US .edu sites, or US gov
>research facilities (fermi lab, etc).

Those are relatively easy - the problem is that it's possibly these won't
be the only addresses used.

Also, neither Cox nor Verizon are noted as being squeaky clean. You'll
find your share of skript kiddiez and zombies there too.

>If I end up blocking some local isp in Caper, WY, that's probably a good
>thing.

Not as good as blocking Comcast - they're pounding on me at the moment.

        Old guy
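An added example, not part of the thread: turning ARIN-style "start - end" ranges like the Cox list quoted above into an iptables chain that accepts new ssh connections only from those blocks and logs everything else before dropping it (so a locked-out user shows up in the log). The chain name SSH_IN and the log prefix are my choices; the ranges are the Cox ones from the post.

```python
import ipaddress
from typing import List, Tuple

# Constructed from the Cox ranges quoted in the post, in the start - end form ARIN prints.
COX_RANGES = """
24.56.0.0 - 24.56.63.255
24.234.0.0 - 24.234.255.255
24.248.0.0 - 24.255.255.255
64.58.128.0 - 64.58.191.255
66.210.0.0 - 66.210.255.255
68.0.0.0 - 68.15.255.255
68.96.0.0 - 68.111.255.255
68.224.0.0 - 68.231.255.255
70.160.0.0 - 70.191.255.255
216.54.0.0 - 216.54.127.255
"""

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_ranges(text: str) -> List[Range]:
    """Parse 'a.b.c.d - w.x.y.z' lines; blank lines are skipped."""
    ranges = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end = (p.strip() for p in line.split("-", 1))
        ranges.append((ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))
    return ranges


def range_to_cidrs(start: str, end: str) -> List[str]:
    """An arbitrary range may need several CIDR blocks; iptables -s wants CIDRs."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))]


def ssh_allowlist_rules(ranges: List[Range], chain: str = "SSH_IN", port: int = 22) -> List[str]:
    """Emit iptables commands: new ssh connections jump to the chain; allowlisted
    sources are accepted, everything else is logged (for lockout diagnosis) and dropped."""
    rules = [
        f"iptables -N {chain}",
        f"iptables -A INPUT -p tcp --dport {port} -m conntrack --ctstate NEW -j {chain}",
    ]
    for start, end in ranges:
        for cidr in range_to_cidrs(str(start), str(end)):
            rules.append(f"iptables -A {chain} -s {cidr} -j ACCEPT")
    rules.append(f'iptables -A {chain} -j LOG --log-prefix "ssh-allowlist-drop: "')
    rules.append(f"iptables -A {chain} -j DROP")
    return rules


if __name__ == "__main__":
    print("\n".join(ssh_allowlist_rules(parse_ranges(COX_RANGES))))
```

Review the LOG lines for a while before trusting the list; a user connecting from an unexpected block shows up there rather than silently disappearing.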

