#1
Blocking a range of IPs in hosts.deny

I am trying to get rid of people attacking my SSH server. I found a great site (http://www.okean.com) that will allow me to block certain IP address ranges. For example:

    58.14.0.0 - 58.25.255.255 China
    58.30.0.0 - 58.41.255.255 China
    58.44.0.0 - 58.63.255.255 China
    58.65.64.0 - 58.65.127.255 Korea
    58.66.0.0 - 58.67.255.255 China
    58.72.0.0 - 58.79.255.255 Korea
    58.82.0.0 - 58.83.255.255 China

How can I put this information into my hosts.deny file? Is hosts.deny able to read something like this?

    ALL: 58.14.0.0-58.25.255.255

I would appreciate any help that someone can give me on this. My only other option is to block IPs as I find them in my authlog. It is very time consuming, and if I can find a simpler way, that would be great.

Bryan
#2
Why not use the firewall for that?
#3
So, does that mean that it can't be done? I don't have the time to learn how to implement a secure firewall; I just want a down and dirty way to keep a$$holes off my SSH server.

A simple yes or no... clear and concise... That is all I ask.

Bryan
#4
I believe that it reads it like this:

    58.14.0.0/58.25.255.255

But 58.25.255.255 should be a netmask.
#6
Here's a quote from another forum:

Quote:

Here's the link

Edit: Sorry, I didn't realise this was an old post.
#7
You could also change your SSH port, as most of the hits you're seeing are from a worm; that's what I did.
#8
Bryan, I used to do this:

    ALL: 64.40.110.235, 203.92.89.13, 220.225.241.143, 203.196.154.176, 68.156.56.2, 198.111.63.159, 62.57.44.131, 64.236.205.69, 61.167.36.3, 217.15.97.41, 60.11.208.207, 81.177.26.27, mail-gateway.worksoft.com.cn, 203.86.78.88, etc. etc.

but as you found out, it's easy to work your fingers to bloody stumps typing in all of those Chinese IP addresses. But I have recently tried this:

    ALL: 121.0.16.0/20, 121.100.128.0/17, 121.16.0.0/12, 121.192.0.0/14, 121.201.0.0/16, 121.204.0.0/14, 121.224.0.0/12, 121.248.0.0/14, 121.32.0.0/13, 121.40.0.0/14, 121.4.0.0/15, 121.46.0.0/15, 121.48.0.0/15, 121.51.0.0/16, 121.55.0.0/18, 121.56.0.0/15, 121.58.0.0/17, 121.59.0.0/16, ...etc.

The list of China IP addresses can be found in two places: http://www.blackholes.us/zones/countries/countries.rbl (this list also includes many other countries) and also http://www.apnic.net/apnic-bin/ipv4...y.pl?country=cn

A pretty decent description on tweaking the hosts.deny file can be found here: http://linux.about.com/od/commands/...dl5_hostsde.htm

But what really helped me out was editing the /etc/ssh/sshd_config file and adding the following:

    # List of user names allowed to log in
    AllowUsers user1 user2 user3 user4 ...

e.g.,

    # List of user names allowed to log in
    AllowUsers sam kim bob mary pete

I got rid of everyone except those accounts absolutely needing to log in. I even got rid of root, since most hack attempts are for that account and I can always su to root when I need to. I still get many brute-force attack attempts, but I know 99.9% of them are now on accounts that can't be logged in to.

Hope that helps.
#9
Blackholes is somewhat out of date, but you may want to download country blocks in raw format from http://www.ipdeny.com
#10
    58.14.0.0 - 58.25.255.255 China

58.14.0.0 is the start IP; 58.25.255.255 is the end IP. Mostly, firewalls and packet filters accept IP prefixes, with their ranges and sizes, thus in this case the IP prefix(es) for the above block 58.14.0.0 - 58.25.255.255 will be:

    58.14.0.0/15
    58.16.0.0/13
    58.24.0.0/15

MDH
#11
Typo & Correction

Please note there must be a comma after each /etc/hosts.deny entry and NO line feeds:

    ALL: 121.0.16.0/20, 121.100.128.0/17, 121.16.0.0/12, 121.192.0.0/14, etc.

Also, you can't put all IPs into one line; the script barfs and you can't log into your server. Here's what I did to fix this (feel free to copy this). Note it's now in 8 chunks, each preceded by "ALL:".
#12
OK, the problem is that with the above hosts.deny entries you will block all traffic to your server from the IPs you specified. The user asked to block just SSH traffic, thus TCP port 22.

A good tool you can use to block country-specific users: http://blacklist.linuxadmin.org. It allows you to specify protocols (SSH, for example) as well.

MDH
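As an added example (not code from any post in this thread), the script below does by program what posts #10 to #12 describe by hand: it splits each "start - end" range into aligned CIDR prefixes, spreads the output over several hosts.deny lines as post #11 found necessary, and uses a daemon name instead of ALL so that only SSH is affected. The daemon name sshd is an assumption (it must match the wrapped process name), and the range list is constructed in the format quoted in post #1, not a live country list.

```python
import ipaddress

# Constructed sample in the format quoted in post #1 (not a real country list).
SAMPLE_RANGES = """\
58.14.0.0 - 58.25.255.255 China
58.65.64.0 - 58.65.127.255 Korea
58.82.0.0 - 58.83.255.255 China
"""


def range_to_prefixes(start, end):
    """Split an inclusive IPv4 range into the minimal list of CIDR prefixes.

    Greedy: at each step take the largest block that is aligned at 'start'
    and does not run past 'end' (the calculation done by hand in post #10)."""
    lo = int(ipaddress.IPv4Address(start))
    hi = int(ipaddress.IPv4Address(end))
    if lo > hi:
        raise ValueError("range start is after range end")
    prefixes = []
    while lo <= hi:
        plen = 32
        # widen the prefix while the block stays aligned and within the range
        while plen > 0:
            size = 1 << (32 - (plen - 1))
            if lo % size != 0 or lo + size - 1 > hi:
                break
            plen -= 1
        prefixes.append(f"{ipaddress.IPv4Address(lo)}/{plen}")
        lo += 1 << (32 - plen)
    return prefixes


def hosts_deny_lines(text, daemon="sshd", per_line=50, countries=None):
    """Parse 'start - end Country' lines and emit hosts.deny entries.

    daemon: hosts_access daemon name (assumed 'sshd' here); ALL would deny
    every wrapped service, which post #12 warns about.  The prefixes are
    split over lines of at most per_line entries each, since post #11 found
    that one huge line broke the parser and locked the author out."""
    prefixes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "-":
            continue  # skip blank or malformed lines
        if countries and parts[3] not in countries:
            continue
        prefixes.extend(range_to_prefixes(parts[0], parts[2]))
    return [f"{daemon}: " + ", ".join(prefixes[i:i + per_line])
            for i in range(0, len(prefixes), per_line)]
```

Running `hosts_deny_lines(SAMPLE_RANGES)` yields one `sshd:` line containing 58.14.0.0/15, 58.16.0.0/13 and 58.24.0.0/15 for the first range, matching post #10.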
#13
Nice solution! Better than my brute-force method (unless, of course, you just don't care).
#14
I know this is an old posting. Just wanted to post so others can see how to block everybody out of SSH.

You can block all SSH traffic in APF (Advanced Protection Firewall) by adding rules to /etc/apf/deny_hosts.rules and /etc/apf/allow_hosts.rules. This assumes that your SSH is on port 22 (which you should change to a different port). This also will ONLY work if you're on a static IP address, as if your IP changes, you will be locked out of your own box.

The first thing you want to do is ALWAYS allow your IP. So open /etc/apf/allow_hosts.rules and ADD:

Code:
    tcp:in:d=22:s=YOUR IP ADDRESS
    out:d=22:d=YOUR IP ADDRESS
    tcp:in:d=22:s=YOUR DATA CENTER'S IP RANGE
    out:d=22:d=YOUR DATA CENTER'S IP RANGE

Then let's lock out everyone else, so open /etc/apf/deny_hosts.rules and ADD:

Code:
    tcp:in:d=22:s=0/0
    out:d=22:d=0/0

Now restart APF with /etc/apf/apf -r. That should lock out everyone but your IP and your data center's administration IP range.