[nSLUG] Re: my system was cracked!
nslug at fop.ns.ca
Sun Jun 4 11:03:58 ADT 2006
On Sun, 4 Jun 2006, Luke Hickson wrote:
> One thing I do is routinely check for failed attempts manually from
> unknown ip addresses. Then block the whole range.
> an example I have in my setup:
> iptables -I banned 2 -s 220.127.116.11/24 -j REJECT
Part of 18.104.22.168/20 in India.
> iptables -I banned 3 -s 22.214.171.124/24 -j REJECT
Part of 126.96.36.199/16 in Israel.
> iptables -I banned 4 -s 188.8.131.52/24 -j REJECT
Part of 184.108.40.206/10 in the US (allocated to UUNet).
> iptables -I banned 5 -s 220.127.116.11/24 -j REJECT
Apparently unallocated, allocated by xo.com.
> iptables -I banned 6 -s 18.104.22.168/24 -j REJECT
Part of 22.214.171.124/16 in the US.
> iptables -I banned 7 -s 126.96.36.199/24 -j REJECT
Part of 188.8.131.52/13 in the US (allocated to Qwest).
> iptables -I banned 8 -s 184.108.40.206/24 -j REJECT
Part of 220.127.116.11/20 in the US (allocated to Cox).
> iptables -I banned 9 -s 18.104.22.168/24 -j REJECT
Part of 22.214.171.124/17 in the US (allocated to SBC).
I don't think these rules are doing what you think they do. Blocking
126.96.36.199/24 blocks IP addresses from 188.8.131.52 to 184.108.40.206. If you are
trying to block entire blocks, you need to check the appropriate whois
server. For example, 220.127.116.11/24 appears to be sub-allocated out to
assorted hosting services - I would guess it's a data centre somewhere. As
a result, you'll be unable to contact any webservers in that range. The
complete range is 18.104.22.168/17 which is 22.214.171.124 to 126.96.36.199.
If you *are* blocking ranges by /24, you would be better served
aggregating them to reduce the number of rules. iptables gets rather slow
when you have a lot of rules.
As I mentioned in my prior post, you can install portsentry and let it
automatically block anyone who tries to portscan you, rather than taking a
shotgun approach and deciding which netblocks you want to be able to talk
> Also I reject/drop any requests from certain geographical areas. A quick
> Google search should help list some ip ranges.
This is a better idea, but bear in mind that you can still end up with
random sites mysteriously failing to work.
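As an added example (not part of the thread), a small Python script that shows both points made in the reply above: what address range a /24 actually covers, and how adjacent or overlapping /24 blocks collapse into fewer iptables rules. The block list and the `banned` chain rules it emits are constructed for illustration using documentation and private address space.

```python
import ipaddress

# Constructed sample list of blocks, in the style of the quoted rules,
# using RFC 5737 documentation and RFC 1918 private addresses.
SAMPLE_BLOCKS = [
    "10.1.0.0/24",
    "10.1.1.0/24",
    "10.1.2.0/24",
    "10.1.3.0/24",
    "10.1.2.128/25",   # already covered by 10.1.2.0/24
    "192.0.2.0/24",
    "198.51.100.0/24",
]


def cidr_range(cidr):
    """Return (first, last) address of a CIDR block as dotted strings."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def aggregate(cidrs):
    """Collapse overlapping and adjacent blocks into the fewest prefixes."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def iptables_rules(cidrs, chain="banned"):
    """One REJECT rule per aggregated prefix, appended to the given chain."""
    return [f"iptables -A {chain} -s {net} -j REJECT" for net in aggregate(cidrs)]


if __name__ == "__main__":
    # Show what each /24 really spans, then the reduced rule set.
    for c in SAMPLE_BLOCKS:
        print("%s covers %s - %s" % ((c,) + cidr_range(c)))
    print()
    for rule in iptables_rules(SAMPLE_BLOCKS):
        print(rule)
```

Seven blocks become three rules here; on a real list of hand-collected /24s the reduction is usually larger.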