[nSLUG] Re: my system was cracked!

Dop Ganger nslug at fop.ns.ca
Sun Jun 4 11:03:58 ADT 2006

On Sun, 4 Jun 2006, Luke Hickson wrote:

> One thing I do is routinely check for failed attempts manually from
> unknown ip addresses. Then block the whole range.
> An example I have in my setup:
> iptables -I banned 2 -s -j REJECT

Part of in India.

> iptables -I banned 3 -s -j REJECT

Part of in Israel.

> iptables -I banned 4 -s -j REJECT

Part of in the US (allocated to UUNet).

> iptables -I banned 5 -s -j REJECT

Apparently unallocated, allocated by xo.com.

> iptables -I banned 6 -s -j REJECT

Part of in the US.

> iptables -I banned 7 -s -j REJECT

Part of in the US (allocated to Qwest).

> iptables -I banned 8 -s -j REJECT

Part of in the US (allocated to Cox).

> iptables -I banned 9 -s -j REJECT

Part of in the US (allocated to SBC).

I don't think these rules are doing what you think they do. Blocking blocks IP addresses from to If you are 
trying to block entire blocks, you need to check the appropriate whois 
server. For example, appears to be sub-allocated out to 
assorted hosting services - I would guess it's a data centre somewhere. As 
a result, you'll be unable to contact any webservers in that range. The 
complete range is which is to

If you *are* blocking ranges by /24, you would be better served 
aggregating them to reduce the number of rules. iptables gets rather slow 
when you have a lot of rules.

As I mentioned in my prior post, you can install portsentry and let it 
automatically block anyone who tries to portscan you, rather than taking a 
shotgun approach and deciding which netblocks you want to be able to talk 

> Also I reject/drop any requests from certain geographical areas. Quick
> google search should help list some ip ranges.

This is a better idea, but bear in mind that you can still end up with 
random sites mysteriously failing to work.

Cheers... Dop.
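An added illustration of the two points made in this reply (it is not code from Dop, Luke or the nSLUG list): a bare address after `-s` is treated by iptables as a single /32 host, not the whole /24, and adjacent /24 ban entries can be collapsed into fewer, larger prefixes so the chain stays short. The sample ban list uses RFC 1918 addresses as constructed stand-ins, since the real ranges do not appear on the page; the chain name `banned` is taken from the quoted rules, and `-A` is used instead of the quoted `-I banned N` so the rule positions need not be tracked.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample ban list (RFC 1918 stand-ins, not the ranges from the thread):
# four adjacent /24s, one isolated /24, and one bare address with no prefix length.
SAMPLE_BANS = [
    "10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24",
    "10.0.8.0/24",
    "10.9.9.9",
]


def parse_source(spec: str) -> ipaddress.IPv4Network:
    """Interpret a -s argument the way iptables does.

    A bare address such as "10.9.9.9" becomes the host route 10.9.9.9/32,
    which is exactly why "iptables -s A.B.C.D" blocks one machine, not A.B.C.0/24.
    """
    return ipaddress.ip_network(spec, strict=False)


def host_only_entries(specs: Iterable[str]) -> List[str]:
    """Return the entries that carry no prefix length (they block a single host)."""
    return [s for s in specs if "/" not in s]


def aggregate(specs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Collapse adjacent and overlapping networks into the fewest covering prefixes."""
    return list(ipaddress.collapse_addresses(parse_source(s) for s in specs))


def rule_savings(specs: Iterable[str]) -> Tuple[int, int]:
    """(rules before aggregation, rules after aggregation)."""
    specs = list(specs)
    return len(specs), len(aggregate(specs))


def iptables_rules(chain: str, specs: Iterable[str]) -> List[str]:
    """Emit one REJECT rule per aggregated network, always with an explicit prefix length.

    Writing the prefix length out (even /32) makes the intended scope of every rule
    visible when the chain is reviewed later.
    """
    return [
        f"iptables -A {chain} -s {net.with_prefixlen} -j REJECT"
        for net in aggregate(specs)
    ]


if __name__ == "__main__":
    for entry in host_only_entries(SAMPLE_BANS):
        print(f"note: '{entry}' has no prefix length, so it matches only {parse_source(entry)}")
    before, after = rule_savings(SAMPLE_BANS)
    print(f"{before} entries collapse to {after} rules:")
    for rule in iptables_rules("banned", SAMPLE_BANS):
        print("  " + rule)
```

Running it on the sample list turns six entries into three rules: the four adjacent /24s become a single 10.0.0.0/22, the isolated /24 is kept, and the bare address is reported as a /32 so the narrower-than-intended match is obvious before the rule is loaded.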
