[nSLUG] Re: my system was cracked!

Dop Ganger nslug at fop.ns.ca
Sun Jun 4 11:03:58 ADT 2006


On Sun, 4 Jun 2006, Luke Hickson wrote:

> One thing I do is routinely check for failed attempts manually from
> unknown IP addresses. Then block the whole range.
>
> an example I have in my setup:
>
> iptables -I banned 2 -s 61.0.0.0/24 -j REJECT

Part of 61.0.0.0/20 in India.

> iptables -I banned 3 -s 62.0.0.0/24 -j REJECT

Part of 62.0.0.0/16 in Israel.

> iptables -I banned 4 -s 63.0.0.0/24 -j REJECT

Part of 63.0.0.0/10 in the US (allocated to UUNet).

> iptables -I banned 5 -s 64.0.0.0/24 -j REJECT

Apparently unallocated, allocated by xo.com.

> iptables -I banned 6 -s 66.0.0.0/24 -j REJECT

Part of 66.0.0.0/16 in the US.

> iptables -I banned 7 -s 67.0.0.0/24 -j REJECT

Part of 67.0.0.0/13 in the US (allocated to Qwest).

> iptables -I banned 8 -s 68.0.0.0/24 -j REJECT

Part of 68.0.0.0/20 in the US (allocated to Cox).

> iptables -I banned 9 -s 69.0.0.0/24 -j REJECT

Part of 69.0.0.0/17 in the US (allocated to SBC).

I don't think these rules are doing what you think they do. Blocking 
69.0.0.0/24 blocks IP addresses from 69.0.0.0 to 69.0.0.255. If you are 
trying to block entire blocks, you need to check the appropriate whois 
server. For example, 69.0.0.0/24 appears to be sub-allocated out to 
assorted hosting services - I would guess it's a data centre somewhere. As 
a result, you'll be unable to contact any webservers in that range. The 
complete range is 69.0.0.0/17 which is 69.0.0.0 to 69.0.127.255.

If you *are* blocking ranges by /24, you would be better served 
aggregating them to reduce the number of rules. iptables gets rather slow 
when you have a lot of rules.

As I mentioned in my prior post, you can install portsentry and let it 
automatically block anyone who tries to portscan you, rather than taking a 
shotgun approach and deciding which netblocks you want to be able to talk 
to.

> Also I reject/drop any requests from certain geographical areas. A quick
> Google search should help list some IP ranges.

This is a better idea, but bear in mind that you can still end up with 
random sites mysteriously failing to work.

Cheers... Dop.
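A worked illustration of the /24-versus-/17 point and of aggregating rules, added here as an example and not code from the thread; it assumes Python 3.9+ and that a `banned` chain already exists, and the helper names are my own.

```python
import ipaddress

# Hypothetical helpers illustrating this reply's point about CIDR masks;
# they are not from the original mailing-list post.

def range_of(cidr: str) -> tuple[str, str]:
    """Return the first and last address covered by a CIDR prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)

def covers(cidr: str, ip: str) -> bool:
    """True if the address falls inside the prefix."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def aggregate(cidrs: list[str]) -> list[str]:
    """Collapse adjacent or overlapping prefixes into the fewest supernets."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def iptables_rules(cidrs: list[str], chain: str = "banned") -> list[str]:
    """Render one REJECT rule per aggregated prefix (assumes the chain exists)."""
    return [f"iptables -A {chain} -s {c} -j REJECT" for c in aggregate(cidrs)]

if __name__ == "__main__":
    # The /24 stops at 69.0.0.255; the /17 the whois record shows runs to 69.0.127.255.
    for prefix in ("69.0.0.0/24", "69.0.0.0/17"):
        first, last = range_of(prefix)
        print(f"{prefix}: {first} - {last}")
    print("69.0.100.1 in /24?", covers("69.0.0.0/24", "69.0.100.1"))
    print("69.0.100.1 in /17?", covers("69.0.0.0/17", "69.0.100.1"))
    # Four contiguous /24 rules (constructed sample) collapse to one /22 rule.
    for rule in iptables_rules(["69.0.0.0/24", "69.0.1.0/24", "69.0.2.0/24", "69.0.3.0/24"]):
        print(rule)
```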
