[XCSSA] [SATLUG] testing?
X-otic Computer Systems of San Antonio
xcssa at xcssa.org
Sun Aug 30 00:25:56 CDT 2009
On Saturday 29 August 2009 10:53:05 am X-otic Computer Systems of San Antonio wrote:
> I don't know if this is what you are talking about, but I found a site
> that gives you a script to add netblocks to your iptables to drop
> packets from the China and Korea netblocks.
> www.okean.com/antispam/iptables/iptables.html
That's one way to do it.. but you can have more country per country level
control with this tool:
http://ip.ludost.net/
and just script it. You would want to automate this, since netblocks change
all the time (and new IP blocks get pulled from bogo blocks too). I think
most people set theirs up to do monthly updates.
> I tried looking at it just now and there's no response, so I'm wondering
> if they are being attacked.
Yeah.. might be a good reason to just go directly to the IANA links with your
script(s):
http://www.iana.org/assignments/ipv4-address-space/
BTW.. I think that much of this has now been automated. Check out this
stuff:
http://www.linuxquestions.org/questions/linux-security-4/use-geoip-database-file-with-iptables-676700/
and these guys' country/IP file service:
http://www.maxmind.com/download/geoip/database/
Gotta get some sleep now.. :)
Tweeks
> Tom King
>
> X-otic Computer Systems of San Antonio wrote:
> > On Friday 28 August 2009 12:16:34 am Bruce Dubbs wrote:
> > [...]
> >
> >>> Yeah.. Bruce has been known to block entire class-A blocks with
> >>> iptables because he doesn't like your ISP's nationality... hehe..
> >>
> >> Not exactly right. It is because of behavior from clients of ISPs in
> >> some places. Besides, it's continents, not countries. e.g. RIPE, APNIC,
> >> AfriNIC, LACNIC.
> >> http://www.iana.org/assignments/ipv4-address-space/
> >
> > Those groups of /8 blocks are assigned to the continental registries, yes
> > Bruce, but the individual /8 blocks are then broken up and divvied out to
> > the various countries in that region.
> >
> > But to keep things educational... (cross posting to XCSSA)...
> > For those interested in this stuff, a good way to block entire countries
> > is by doing ISO country code-->IP-block lookups, as you can do from here:
> > http://ip.ludost.net/
> >
> > And then block very specific "seedy" parts of the nets (where all the bot
> > nets, scans and phishing spam come from). For example.. look up the IP
> > blocks for ru ko cn and iptable block those sources on specific (or
> > blanket) ip blocks.. like this:
> > -A INPUT --source $IP-BLOCK-1 -p tcp -m tcp --dport 25 -j REJECT
> > -A INPUT --source $IP-BLOCK-1 -p tcp -m tcp --dport 22 -j REJECT
> > -A INPUT --source $IP-BLOCK-1 -p tcp -m tcp --dport 80 -j REJECT
> > -A INPUT --source $IP-BLOCK-2 -p tcp -m tcp --dport 25 -j REJECT
> > -A INPUT --source $IP-BLOCK-2 -p tcp -m tcp --dport 22 -j REJECT
> > -A INPUT --source $IP-BLOCK-2 -p tcp -m tcp --dport 80 -j REJECT
> > ...
> > -A INPUT --source $IP-BLOCK-56 -p tcp -m tcp --dport 25 -j REJECT
> > -A INPUT --source $IP-BLOCK-56 -p tcp -m tcp --dport 22 -j REJECT
> > -A INPUT --source $IP-BLOCK-56 -p tcp -m tcp --dport 80 -j REJECT
> >
> > etc.. OR the "cool kid" way is to install and run the iptables kernel
> > support (and related files) for "geoip" for doing IP blocking based on
> > specific country codes, and then do it like THIS:
> > -A INPUT -p tcp --dport 25 -m geoip --src-cc CN,RU,KO -j REJECT
> > -A INPUT -p tcp --dport 22 -m geoip --src-cc CN,RU,KO -j REJECT
> > -A INPUT -p tcp --dport 80 -m geoip --src-cc CN,RU,KO -j REJECT
> >
> > Fun stuff...
> >
> > Anyone running a setup like this.. or a tarpit?
> >
> > If so.. please share. :)
> >
> > Tweeks
> > _______________________________________________
> > XCSSA mailing list
> > XCSSA at xcssa.org
> > http://xcssa.org/mailman/listinfo/xcssa