Blocking a range of IP's in hosts.deny

I am trying to get rid of people attacking my SSH server. I found a great site (http://www.okean.com) that will allow me to block certain IP address ranges. For example:

58.14.0.0 - 58.25.255.255 China
58.30.0.0 - 58.41.255.255 China
58.44.0.0 - 58.63.255.255 China
58.65.64.0 - 58.65.127.255 Korea
58.66.0.0 - 58.67.255.255 China
58.72.0.0 - 58.79.255.255 Korea
58.82.0.0 - 58.83.255.255 China


How can I put this information into my hosts.deny file?

Is hosts.deny able to read something like this?:

ALL:58.14.0.0-58.25.255.255


I would appreciate any help that someone can get me on this. My only other option is to block IP's as I find them in my authlog. It is very time consuming, and if I can find a simpler way, that would be great.

Bryan

Why not use the firewall for that?

So, does that mean that it can't be done? I don't have the time to learn how to implement a secure firewall, I just want a down and dirty way to keep a$$holes off my SSH server.

A simple yes or no... clear and concise... That is all I ask.

Bryan

I belive that it reads it like this:

58.14.0.0/58.25.255.255

But 58.25.255.255 should be a netmask.

Here's a quote from another forum:



Here's the link

Here's a quote from another forum:



Here's the link

Edit:Sorry, I didn't realise this was an old post

You could also change your SSH port as most of the hits you're seeing are from a worm, thats what I did.

Bryan,

I used do this:

ALL: 64.40.110.235, 203.92.89.13, 220.225.241.143, 203.196.154.176, 68.156.56.2, 198.111.63.159, 62.57.44.131, 64.236.205.69, 61.167.36.3, 217.15.97.41, 60.11.208.207, 81.177.26.27, mail-gateway.worksoft.com.cn, 203.86.78.88, etc. etc.

but as you found out, it's easy to work your fingers to bloody stumps typing in all of those Chinese IP addresses.

But have recently tried this:

ALL:
121.0.16.0/20,
121.100.128.0/17,
121.16.0.0/12,
121.192.0.0/14,
121.201.0.0/16,
121.204.0.0/14,
121.224.0.0/12,
121.248.0.0/14,
121.32.0.0/13,
121.40.0.0/14,
121.4.0.0/15,
121.46.0.0/15,
121.48.0.0/15,
121.51.0.0/16,
121.55.0.0/18,
121.56.0.0/15,
121.58.0.0/17,
121.59.0.0/16,
...etc.

The list of China IP addresses can be found in two places:
http://www.blackholes.us/zones/countries/countries.rbl (this list also includes many other countries)
also
http://www.apnic.net/apnic-bin/ipv4...y.pl?country=cn

A pretty decent description on tweaking the hosts.deny file can be found here:
http://linux.about.com/od/commands/...dl5_hostsde.htm


But what really helped me out was editing the /etc/ssh/sshd_config file and adding the following:

# List of user names allowed to log in
AllowUsers user1 user2 user3 user4 ...

e.g.,
# List of user names allowed to log in
AllowUsers sam kim bob mary pete

I got rid of everyone except those accounts absolutely needing to log in. I even got rid of root, since most hack attempts are for that account and I can always su to root when I need to.

I still get many brute-force attack attempts, but I know 99.9% of them are now on accounts that can't be logged in to.

Hope that helps.

Blackholes is somewhat out of date, but you may want to download country blocks in raw format from http://www.ipdeny.com

58.14.0.0 - 58.25.255.255 China

58.14.0.0 is start IP
58.25.255.255 is end IP.

Mostly, firewalls and packet filters accept IP prefixes, with their ranges and sizes, thus, in this case the IP prefix(-es) for the above block 58.14.0.0 - 58.25.255.255 will be:


58.14.0.0/15
58.16.0.0/13
58.24.0.0/15



MDH

Please note there must be a comma after each /etc/hosts.deny entry and NO line feeds:

ALL: 121.0.16.0/20, 121.100.128.0/17, 121.16.0.0/12, 121.192.0.0/14, etc.

Also, you can't put all IPs into one line, the script barfs and you can't log into your server.


Here's what I did to fix this (feel free to copy this). Note it's now in 8 chunks preceeded by "ALL:":

# Block China
ALL: 121.0.16.0/20, 121.100.128.0/17, 121.16.0.0/12, 121.192.0.0/14, 121.201.0.0/16, 121.204.0.0/14, 121.224.0.0/12, 121.248.0.0/14, 121.32.0.0/13, 121.40.0.0/14, 121.4.0.0/15, 121.46.0.0/15, 121.48.0.0/15, 121.51.0.0/16, 121.55.0.0/18, 121.56.0.0/15, 121.58.0.0/17, 121.59.0.0/16, 121.60.0.0/14, 121.68.0.0/14, 121.76.0.0/15, 121.8.0.0/13, 121.89.0.0/16, 122.0.128.0/17, 122.0.64.0/18, 122.198.0.0/16, 122.200.64.0/18, 122.4.0.0/14, 122.48.0.0/16, 122.49.0.0/18, 122.51.0.0/16, 122.8.0.0/13, 123.199.128.0/17, 123.49.128.0/17, 123.99.128.0/17, 124.108.40.0/21, 124.108.8.0/21, 124.112.0.0/13, 124.128.0.0/13, 124.147.128.0/17, 124.156.0.0/16, 124.160.0.0/13, 124.16.0.0/15, 124.172.0.0/15, 124.192.0.0/15, 124.196.0.0/16, 124.200.0.0/13, 124.20.0.0/15, 124.220.0.0/14, 124.224.0.0/12, 124.240.0.0/17, 124.242.0.0/16, 124.243.192.0/18, 124.248.0.0/17, 124.249.0.0/16, 124.250.0.0/15
ALL: 124.254.0.0/18, 124.29.0.0/17, 124.40.128.0/18, 124.42.0.0/17, 124.47.0.0/18, 124.64.0.0/15, 124.66.0.0/17, 124.6.64.0/18, 124.67.0.0/16, 124.68.0.0/14, 124.72.0.0/13, 124.88.0.0/13, 125.104.0.0/13, 125.112.0.0/12, 125.171.0.0/16, 125.208.0.0/18, 125.210.0.0/16, 125.213.0.0/17, 125.215.0.0/18, 125.216.0.0/13, 125.254.128.0/18, 125.31.192.0/18, 125.32.0.0/12, 125.58.128.0/17, 125.62.0.0/18, 125.64.0.0/11, 125.96.0.0/15, 125.98.0.0/16, 134.196.0.0/16, 159.226.0.0/16, 161.207.0.0/16, 162.105.0.0/16, 166.111.0.0/16, 167.139.0.0/16, 168.160.0.0/16, 192.124.154.0/24, 192.188.170.0/24, 192.83.122.0/24, 192.83.169.0/24, 198.17.7.0/24, 202.0.110.0/24, 202.0.176.0/22, 202.10.64.0/20, 202.112.0.0/13, 202.120.0.0/15, 202.122.0.0/21, 202.122.112.0/21, 202.122.128.0/24, 202.122.32.0/21, 202.122.64.0/19, 202.123.96.0/20, 202.125.176.0/20, 202.127.0.0/21, 202.127.112.0/20, 202.127.12.0/22
ALL: 202.127.128.0/19, 202.127.160.0/21, 202.127.16.0/20, 202.127.192.0/20, 202.127.208.0/23, 202.127.212.0/22, 202.127.216.0/21, 202.127.224.0/19, 202.127.40.0/21, 202.127.48.0/20, 202.130.0.0/19, 202.130.224.0/19, 202.131.16.0/21, 202.131.208.0/20, 202.131.48.0/20, 202.136.208.0/20, 202.136.224.0/20, 202.136.252.0/22, 202.136.48.0/20, 202.141.160.0/19, 202.142.16.0/20, 202.14.235.0/24, 202.14.236.0/23, 202.14.238.0/24, 202.143.16.0/20, 202.14.88.0/24, 202.148.96.0/19, 202.149.160.0/19, 202.149.224.0/19, 202.150.16.0/20, 202.152.176.0/20, 202.153.48.0/20, 202.158.160.0/19, 202.160.176.0/20, 202.164.0.0/20, 202.165.176.0/20, 202.165.208.0/20, 202.165.96.0/20, 202.168.160.0/19, 202.170.128.0/19, 202.170.216.0/21, 202.173.224.0/19, 202.173.8.0/21, 202.179.240.0/20, 202.180.128.0/19, 202.181.112.0/20, 202.189.80.0/20, 202.192.0.0/12, 202.20.120.0/24, 202.22.248.0/21, 202.38.0.0/20
ALL: 202.38.128.0/21, 202.38.136.0/23, 202.38.138.0/24, 202.38.140.0/22, 202.38.146.0/23, 202.38.149.0/24, 202.38.150.0/23, 202.38.152.0/22, 202.38.156.0/24, 202.38.158.0/23, 202.38.160.0/23, 202.38.164.0/22, 202.38.168.0/21, 202.38.176.0/23, 202.38.184.0/21, 202.38.192.0/18, 202.38.64.0/18, 202.41.152.0/21, 202.41.240.0/20, 202.4.128.0/19, 202.4.252.0/22, 202.43.144.0/20, 202.46.224.0/20, 202.46.32.0/19, 202.60.112.0/20, 202.63.248.0/22, 202.69.16.0/20, 202.69.4.0/22, 202.70.0.0/19, 202.74.8.0/21, 202.75.208.0/20, 202.8.128.0/19, 202.85.208.0/20, 202.90.0.0/22, 202.90.224.0/20, 202.90.252.0/22, 202.91.0.0/22, 202.91.128.0/22, 202.91.176.0/20, 202.91.224.0/19, 202.92.0.0/22, 202.92.252.0/22, 202.93.0.0/22, 202.93.252.0/22, 202.94.0.0/19, 202.95.0.0/19, 202.95.252.0/22, 202.96.0.0/12, 203.100.192.0/20, 203.100.32.0/20, 203.100.80.0/20, 203.100.96.0/19, 203.110.160.0/19
ALL: 203.118.192.0/19, 203.119.24.0/21, 203.119.32.0/22, 203.128.128.0/19, 203.128.32.0/19, 203.128.96.0/19, 203.130.32.0/19, 203.132.32.0/19, 203.134.240.0/21, 203.135.160.0/20, 203.135.96.0/19, 203.148.0.0/18, 203.152.64.0/19, 203.156.192.0/18, 203.158.16.0/21, 203.161.192.0/19, 203.166.160.0/19, 203.171.224.0/20, 203.174.96.0/19, 203.175.128.0/19, 203.175.192.0/18, 203.176.168.0/21, 203.184.80.0/20, 203.187.160.0/19, 203.190.96.0/20, 203.191.144.0/20, 203.191.16.0/20, 203.191.64.0/18, 203.192.0.0/19, 203.196.0.0/21, 203.207.128.0/17, 203.207.64.0/18, 203.208.0.0/20, 203.208.16.0/22, 203.208.32.0/19, 203.209.224.0/19, 203.212.0.0/20, 203.212.80.0/20, 203.222.192.0/20, 203.222.42.64/26, 203.223.0.0/20, 203.79.0.0/20, 203.80.144.0/20, 203.81.16.0/20, 203.83.56.0/21, 203.86.0.0/18, 203.86.64.0/19, 203.88.192.0/19, 203.88.32.0/19, 203.89.0.0/22, 203.90.0.0/22, 203.90.128.0/18
ALL: 203.90.192.0/19, 203.91.120.0/21, 203.91.32.0/19, 203.91.96.0/20, 203.92.0.0/22, 203.92.160.0/19, 203.93.0.0/16, 203.94.0.0/19, 203.95.0.0/21, 203.95.96.0/19, 203.99.16.0/20, 203.99.80.0/20, 210.12.0.0/15, 210.14.128.0/17, 210.14.64.0/19, 210.15.0.0/17, 210.15.128.0/18, 210.16.128.0/18, 210.185.192.0/18, 210.192.96.0/19, 210.21.0.0/16, 210.22.0.0/16, 210.23.32.0/19, 210.25.0.0/16, 210.26.0.0/15, 210.28.0.0/14, 210.32.0.0/12, 210.5.0.0/19, 210.51.0.0/16, 210.5.128.0/19, 210.52.0.0/15, 210.56.192.0/19, 210.72.0.0/14, 210.76.0.0/15, 210.78.0.0/16, 210.79.224.0/19, 210.79.64.0/18, 210.82.0.0/15, 210.87.128.0/18, 211.136.0.0/13, 211.144.0.0/12, 211.160.0.0/13, 211.64.0.0/13, 211.80.0.0/12, 211.96.0.0/13, 218.0.0.0/11, 218.104.0.0/14, 218.108.0.0/15, 218.185.192.0/19, 218.192.0.0/12, 218.240.0.0/13, 218.249.0.0/16, 218.56.0.0/13, 218.64.0.0/11, 218.96.0.0/14, 219.128.0.0/11
ALL: 219.216.0.0/13, 219.224.0.0/12, 219.242.0.0/15, 219.244.0.0/14, 219.72.0.0/16, 219.82.0.0/16, 220.101.192.0/18, 220.112.0.0/14, 220.152.128.0/17, 220.154.0.0/15, 220.160.0.0/11, 220.192.0.0/12, 220.231.0.0/18, 220.231.128.0/17, 220.232.64.0/18, 220.234.0.0/16, 220.242.0.0/15, 220.248.0.0/14, 220.252.0.0/16, 221.0.0.0/13, 221.12.0.0/17, 221.12.128.0/18, 221.122.0.0/15, 221.129.0.0/16, 221.130.0.0/15, 221.13.0.0/16, 221.133.224.0/19, 221.136.0.0/15, 221.14.0.0/15, 221.172.0.0/14, 221.176.0.0/13, 221.192.0.0/14, 221.196.0.0/15, 221.198.0.0/16, 221.199.0.0/17, 221.199.128.0/18, 221.199.192.0/20, 221.199.224.0/19, 221.200.0.0/13, 221.208.0.0/12, 221.224.0.0/12, 221.8.0.0/14, 222.125.0.0/16, 222.126.128.0/17, 222.128.0.0/12, 222.160.0.0/14, 222.16.0.0/12, 222.168.0.0/13, 222.176.0.0/12, 222.192.0.0/11, 222.240.0.0/13, 222.248.0.0/15, 222.32.0.0/11, 222.64.0.0/11, 58.100.0.0/15
ALL: 58.116.0.0/14, 58.128.0.0/13, 58.14.0.0/15, 58.144.0.0/16, 58.154.0.0/15, 58.16.0.0/13, 58.192.0.0/11, 58.240.0.0/12, 58.24.0.0/15, 58.30.0.0/15, 58.32.0.0/11, 58.66.0.0/15, 58.82.0.0/15, 58.87.64.0/18, 59.107.0.0/16, 59.108.0.0/14, 59.151.0.0/17, 59.172.0.0/15, 59.191.0.0/17, 59.192.0.0/10, 59.32.0.0/11, 59.64.0.0/12, 59.80.0.0/14, 60.0.0.0/11, 60.160.0.0/11, 60.194.0.0/15, 60.200.0.0/13, 60.208.0.0/12, 60.232.0.0/15, 60.235.0.0/16, 60.245.128.0/17, 60.247.0.0/16, 60.253.128.0/17, 60.255.0.0/16, 60.55.0.0/16, 60.63.0.0/16, 61.128.0.0/10, 61.232.0.0/14, 61.236.0.0/15, 61.240.0.0/14, 61.28.0.0/17, 61.29.128.0/17, 61.45.128.0/18, 61.47.128.0/18, 61.48.0.0/13, 61.8.160.0/20, 61.87.192.0/18

OK..the problem is that with the above hosts.deny entries, you will block every traffic to your server from the IPs you specified. The user asked to block just SSH traffic, thus, TCP port 22

A good tool you can use to block country-specific users:

http://blacklist.linuxadmin.org

It allows to specify protocols (SSH for example) as well.

MDH

Nice solution! Better than my brute-force method (unless, of course, you just don't care )

I know this is a old posting. Just wanted to post so others can see how to block everybody out of SSH.

You can block all SSH traffic in APF (Advanced Protection Firewall) by adding rules to:
/etc/apf/deny_hosts.rules
and
/etc/apf/allow_hosts.rules

This assumes that your SSH is on port 22 (which you should changed to a different port).

This also will ONLY work if you're on a static IP address, as if your IP changes, you will be locked out of your own box.

The first thing you want to do is ALWAYS allow your IP.
So open /etc/apf/allow_hosts.rules

ADD:


Then let's lockout everyone else, so open /etc/apf/deny_hosts.rules

ADD:


Now restart APF with /etc/apf/apf -r

That should lockout everyone but your IP and your data center's administration IP range.

The original poster, or one of them, was looking to stop ssh attacks. You might want to take a look at sshblack (see: (URL address blocked: See forum rules)) which will do all this automatically so you don't have to do it manually.

And if you are looking for China/Korea blocks you can find a list of them at (URL address blocked: See forum rules) or the more current: (URL address blocked: See forum rules)

Stilt