Page 1 of 2

  #1, Registered User, joined Jan 2006

    Blocking a range of IP's in hosts.deny


    I am trying to get rid of people attacking my SSH server. I found a great site (http://www.okean.com) that will allow me to block certain IP address ranges. For example:

    58.14.0.0 - 58.25.255.255 China
    58.30.0.0 - 58.41.255.255 China
    58.44.0.0 - 58.63.255.255 China
    58.65.64.0 - 58.65.127.255 Korea
    58.66.0.0 - 58.67.255.255 China
    58.72.0.0 - 58.79.255.255 Korea
    58.82.0.0 - 58.83.255.255 China


    How can I put this information into my hosts.deny file?

    Is hosts.deny able to read something like this?:

    ALL:58.14.0.0-58.25.255.255


    I would appreciate any help that someone can get me on this. My only other option is to block IPs as I find them in my authlog. It is very time consuming, and if I can find a simpler way, that would be great.

    Bryan
  #2, Contributing User, joined Jun 2004
    Why not use the firewall for that?
  #3, Registered User, joined Jan 2006
    So, does that mean that it can't be done? I don't have the time to learn how to implement a secure firewall, I just want a down and dirty way to keep a$$holes off my SSH server.

    A simple yes or no... clear and concise... That is all I ask.

    Bryan
  #4, Contributing User, joined Nov 2003
    I believe that it reads it like this:

    58.14.0.0/58.25.255.255

    But 58.25.255.255 should be a netmask.
  #5, blah (Scotland), joined Nov 2003
    Here's a quote from another forum:

    not 100% sure if sshd even respects /etc/hosts.deny... also didn't use it for years... the way to handle this kind of stuff is to:
    - install apf firewall
    - apf -d IP will ban this IP permanently
    Here's the link

    Edit: Sorry, I didn't realise this was an old post
  #7, Contributing User, joined Sep 2004
    You could also change your SSH port, as most of the hits you're seeing are from a worm; that's what I did.
  #8, Registered User, joined Oct 2006
    Originally Posted by brakeb
    I am trying to get rid of people attacking my SSH server. I found a great site (http://www.okean.com) that will allow me to block certain IP address ranges. For example:

    58.14.0.0 - 58.25.255.255 China
    58.30.0.0 - 58.41.255.255 China
    58.44.0.0 - 58.63.255.255 China
    58.65.64.0 - 58.65.127.255 Korea
    58.66.0.0 - 58.67.255.255 China
    58.72.0.0 - 58.79.255.255 Korea
    58.82.0.0 - 58.83.255.255 China


    How can I put this information into my hosts.deny file?
    Bryan,

    I used to do this:

    ALL: 64.40.110.235, 203.92.89.13, 220.225.241.143, 203.196.154.176, 68.156.56.2, 198.111.63.159, 62.57.44.131, 64.236.205.69, 61.167.36.3, 217.15.97.41, 60.11.208.207, 81.177.26.27, mail-gateway.worksoft.com.cn, 203.86.78.88, etc. etc.

    but as you found out, it's easy to work your fingers to bloody stumps typing in all of those Chinese IP addresses.

    But have recently tried this:

    ALL:
    121.0.16.0/20,
    121.100.128.0/17,
    121.16.0.0/12,
    121.192.0.0/14,
    121.201.0.0/16,
    121.204.0.0/14,
    121.224.0.0/12,
    121.248.0.0/14,
    121.32.0.0/13,
    121.40.0.0/14,
    121.4.0.0/15,
    121.46.0.0/15,
    121.48.0.0/15,
    121.51.0.0/16,
    121.55.0.0/18,
    121.56.0.0/15,
    121.58.0.0/17,
    121.59.0.0/16,
    ...etc.

    The list of China IP addresses can be found in two places:
    http://www.blackholes.us/zones/countries/countries.rbl (this list also includes many other countries)
    also
    http://www.apnic.net/apnic-bin/ipv4-....pl?country=cn

    A pretty decent description on tweaking the hosts.deny file can be found here:
    http://linux.about.com/od/commands/l...l5_hostsde.htm


    But what really helped me out was editing the /etc/ssh/sshd_config file and adding the following:

    # List of user names allowed to log in
    AllowUsers user1 user2 user3 user4 ...

    e.g.,
    # List of user names allowed to log in
    AllowUsers sam kim bob mary pete

    I got rid of everyone except those accounts absolutely needing to log in. I even got rid of root, since most hack attempts are for that account and I can always su to root when I need to.

    I still get many brute-force attack attempts, but I know 99.9% of them are now on accounts that can't be logged in to.

    Hope that helps.
  #9, Registered User, joined Jul 2002
    Blackholes is somewhat out of date, but you may want to download country blocks in raw format from http://www.ipdeny.com
  #10, Registered User, joined Jul 2002
    58.14.0.0 - 58.25.255.255 China

    58.14.0.0 is start IP
    58.25.255.255 is end IP.

    Mostly, firewalls and packet filters accept IP prefixes, with their ranges and sizes; thus, in this case the IP prefix(es) for the above block 58.14.0.0 - 58.25.255.255 will be:


    58.14.0.0/15
    58.16.0.0/13
    58.24.0.0/15



    MDH
  #11, Registered User, joined Oct 2006

    Typo & Correction


    Please note there must be a comma after each /etc/hosts.deny entry and NO line feeds:

    ALL: 121.0.16.0/20, 121.100.128.0/17, 121.16.0.0/12, 121.192.0.0/14, etc.

    Also, you can't put all IPs into one line, the script barfs and you can't log into your server.


    Here's what I did to fix this (feel free to copy this). Note it's now in 8 chunks, each preceded by "ALL:":

    # Block China
    ALL: 121.0.16.0/20, 121.100.128.0/17, 121.16.0.0/12, 121.192.0.0/14, 121.201.0.0/16, 121.204.0.0/14, 121.224.0.0/12, 121.248.0.0/14, 121.32.0.0/13, 121.40.0.0/14, 121.4.0.0/15, 121.46.0.0/15, 121.48.0.0/15, 121.51.0.0/16, 121.55.0.0/18, 121.56.0.0/15, 121.58.0.0/17, 121.59.0.0/16, 121.60.0.0/14, 121.68.0.0/14, 121.76.0.0/15, 121.8.0.0/13, 121.89.0.0/16, 122.0.128.0/17, 122.0.64.0/18, 122.198.0.0/16, 122.200.64.0/18, 122.4.0.0/14, 122.48.0.0/16, 122.49.0.0/18, 122.51.0.0/16, 122.8.0.0/13, 123.199.128.0/17, 123.49.128.0/17, 123.99.128.0/17, 124.108.40.0/21, 124.108.8.0/21, 124.112.0.0/13, 124.128.0.0/13, 124.147.128.0/17, 124.156.0.0/16, 124.160.0.0/13, 124.16.0.0/15, 124.172.0.0/15, 124.192.0.0/15, 124.196.0.0/16, 124.200.0.0/13, 124.20.0.0/15, 124.220.0.0/14, 124.224.0.0/12, 124.240.0.0/17, 124.242.0.0/16, 124.243.192.0/18, 124.248.0.0/17, 124.249.0.0/16, 124.250.0.0/15
    ALL: 124.254.0.0/18, 124.29.0.0/17, 124.40.128.0/18, 124.42.0.0/17, 124.47.0.0/18, 124.64.0.0/15, 124.66.0.0/17, 124.6.64.0/18, 124.67.0.0/16, 124.68.0.0/14, 124.72.0.0/13, 124.88.0.0/13, 125.104.0.0/13, 125.112.0.0/12, 125.171.0.0/16, 125.208.0.0/18, 125.210.0.0/16, 125.213.0.0/17, 125.215.0.0/18, 125.216.0.0/13, 125.254.128.0/18, 125.31.192.0/18, 125.32.0.0/12, 125.58.128.0/17, 125.62.0.0/18, 125.64.0.0/11, 125.96.0.0/15, 125.98.0.0/16, 134.196.0.0/16, 159.226.0.0/16, 161.207.0.0/16, 162.105.0.0/16, 166.111.0.0/16, 167.139.0.0/16, 168.160.0.0/16, 192.124.154.0/24, 192.188.170.0/24, 192.83.122.0/24, 192.83.169.0/24, 198.17.7.0/24, 202.0.110.0/24, 202.0.176.0/22, 202.10.64.0/20, 202.112.0.0/13, 202.120.0.0/15, 202.122.0.0/21, 202.122.112.0/21, 202.122.128.0/24, 202.122.32.0/21, 202.122.64.0/19, 202.123.96.0/20, 202.125.176.0/20, 202.127.0.0/21, 202.127.112.0/20, 202.127.12.0/22
    ALL: 202.127.128.0/19, 202.127.160.0/21, 202.127.16.0/20, 202.127.192.0/20, 202.127.208.0/23, 202.127.212.0/22, 202.127.216.0/21, 202.127.224.0/19, 202.127.40.0/21, 202.127.48.0/20, 202.130.0.0/19, 202.130.224.0/19, 202.131.16.0/21, 202.131.208.0/20, 202.131.48.0/20, 202.136.208.0/20, 202.136.224.0/20, 202.136.252.0/22, 202.136.48.0/20, 202.141.160.0/19, 202.142.16.0/20, 202.14.235.0/24, 202.14.236.0/23, 202.14.238.0/24, 202.143.16.0/20, 202.14.88.0/24, 202.148.96.0/19, 202.149.160.0/19, 202.149.224.0/19, 202.150.16.0/20, 202.152.176.0/20, 202.153.48.0/20, 202.158.160.0/19, 202.160.176.0/20, 202.164.0.0/20, 202.165.176.0/20, 202.165.208.0/20, 202.165.96.0/20, 202.168.160.0/19, 202.170.128.0/19, 202.170.216.0/21, 202.173.224.0/19, 202.173.8.0/21, 202.179.240.0/20, 202.180.128.0/19, 202.181.112.0/20, 202.189.80.0/20, 202.192.0.0/12, 202.20.120.0/24, 202.22.248.0/21, 202.38.0.0/20
    ALL: 202.38.128.0/21, 202.38.136.0/23, 202.38.138.0/24, 202.38.140.0/22, 202.38.146.0/23, 202.38.149.0/24, 202.38.150.0/23, 202.38.152.0/22, 202.38.156.0/24, 202.38.158.0/23, 202.38.160.0/23, 202.38.164.0/22, 202.38.168.0/21, 202.38.176.0/23, 202.38.184.0/21, 202.38.192.0/18, 202.38.64.0/18, 202.41.152.0/21, 202.41.240.0/20, 202.4.128.0/19, 202.4.252.0/22, 202.43.144.0/20, 202.46.224.0/20, 202.46.32.0/19, 202.60.112.0/20, 202.63.248.0/22, 202.69.16.0/20, 202.69.4.0/22, 202.70.0.0/19, 202.74.8.0/21, 202.75.208.0/20, 202.8.128.0/19, 202.85.208.0/20, 202.90.0.0/22, 202.90.224.0/20, 202.90.252.0/22, 202.91.0.0/22, 202.91.128.0/22, 202.91.176.0/20, 202.91.224.0/19, 202.92.0.0/22, 202.92.252.0/22, 202.93.0.0/22, 202.93.252.0/22, 202.94.0.0/19, 202.95.0.0/19, 202.95.252.0/22, 202.96.0.0/12, 203.100.192.0/20, 203.100.32.0/20, 203.100.80.0/20, 203.100.96.0/19, 203.110.160.0/19
    ALL: 203.118.192.0/19, 203.119.24.0/21, 203.119.32.0/22, 203.128.128.0/19, 203.128.32.0/19, 203.128.96.0/19, 203.130.32.0/19, 203.132.32.0/19, 203.134.240.0/21, 203.135.160.0/20, 203.135.96.0/19, 203.148.0.0/18, 203.152.64.0/19, 203.156.192.0/18, 203.158.16.0/21, 203.161.192.0/19, 203.166.160.0/19, 203.171.224.0/20, 203.174.96.0/19, 203.175.128.0/19, 203.175.192.0/18, 203.176.168.0/21, 203.184.80.0/20, 203.187.160.0/19, 203.190.96.0/20, 203.191.144.0/20, 203.191.16.0/20, 203.191.64.0/18, 203.192.0.0/19, 203.196.0.0/21, 203.207.128.0/17, 203.207.64.0/18, 203.208.0.0/20, 203.208.16.0/22, 203.208.32.0/19, 203.209.224.0/19, 203.212.0.0/20, 203.212.80.0/20, 203.222.192.0/20, 203.222.42.64/26, 203.223.0.0/20, 203.79.0.0/20, 203.80.144.0/20, 203.81.16.0/20, 203.83.56.0/21, 203.86.0.0/18, 203.86.64.0/19, 203.88.192.0/19, 203.88.32.0/19, 203.89.0.0/22, 203.90.0.0/22, 203.90.128.0/18
    ALL: 203.90.192.0/19, 203.91.120.0/21, 203.91.32.0/19, 203.91.96.0/20, 203.92.0.0/22, 203.92.160.0/19, 203.93.0.0/16, 203.94.0.0/19, 203.95.0.0/21, 203.95.96.0/19, 203.99.16.0/20, 203.99.80.0/20, 210.12.0.0/15, 210.14.128.0/17, 210.14.64.0/19, 210.15.0.0/17, 210.15.128.0/18, 210.16.128.0/18, 210.185.192.0/18, 210.192.96.0/19, 210.21.0.0/16, 210.22.0.0/16, 210.23.32.0/19, 210.25.0.0/16, 210.26.0.0/15, 210.28.0.0/14, 210.32.0.0/12, 210.5.0.0/19, 210.51.0.0/16, 210.5.128.0/19, 210.52.0.0/15, 210.56.192.0/19, 210.72.0.0/14, 210.76.0.0/15, 210.78.0.0/16, 210.79.224.0/19, 210.79.64.0/18, 210.82.0.0/15, 210.87.128.0/18, 211.136.0.0/13, 211.144.0.0/12, 211.160.0.0/13, 211.64.0.0/13, 211.80.0.0/12, 211.96.0.0/13, 218.0.0.0/11, 218.104.0.0/14, 218.108.0.0/15, 218.185.192.0/19, 218.192.0.0/12, 218.240.0.0/13, 218.249.0.0/16, 218.56.0.0/13, 218.64.0.0/11, 218.96.0.0/14, 219.128.0.0/11
    ALL: 219.216.0.0/13, 219.224.0.0/12, 219.242.0.0/15, 219.244.0.0/14, 219.72.0.0/16, 219.82.0.0/16, 220.101.192.0/18, 220.112.0.0/14, 220.152.128.0/17, 220.154.0.0/15, 220.160.0.0/11, 220.192.0.0/12, 220.231.0.0/18, 220.231.128.0/17, 220.232.64.0/18, 220.234.0.0/16, 220.242.0.0/15, 220.248.0.0/14, 220.252.0.0/16, 221.0.0.0/13, 221.12.0.0/17, 221.12.128.0/18, 221.122.0.0/15, 221.129.0.0/16, 221.130.0.0/15, 221.13.0.0/16, 221.133.224.0/19, 221.136.0.0/15, 221.14.0.0/15, 221.172.0.0/14, 221.176.0.0/13, 221.192.0.0/14, 221.196.0.0/15, 221.198.0.0/16, 221.199.0.0/17, 221.199.128.0/18, 221.199.192.0/20, 221.199.224.0/19, 221.200.0.0/13, 221.208.0.0/12, 221.224.0.0/12, 221.8.0.0/14, 222.125.0.0/16, 222.126.128.0/17, 222.128.0.0/12, 222.160.0.0/14, 222.16.0.0/12, 222.168.0.0/13, 222.176.0.0/12, 222.192.0.0/11, 222.240.0.0/13, 222.248.0.0/15, 222.32.0.0/11, 222.64.0.0/11, 58.100.0.0/15
    ALL: 58.116.0.0/14, 58.128.0.0/13, 58.14.0.0/15, 58.144.0.0/16, 58.154.0.0/15, 58.16.0.0/13, 58.192.0.0/11, 58.240.0.0/12, 58.24.0.0/15, 58.30.0.0/15, 58.32.0.0/11, 58.66.0.0/15, 58.82.0.0/15, 58.87.64.0/18, 59.107.0.0/16, 59.108.0.0/14, 59.151.0.0/17, 59.172.0.0/15, 59.191.0.0/17, 59.192.0.0/10, 59.32.0.0/11, 59.64.0.0/12, 59.80.0.0/14, 60.0.0.0/11, 60.160.0.0/11, 60.194.0.0/15, 60.200.0.0/13, 60.208.0.0/12, 60.232.0.0/15, 60.235.0.0/16, 60.245.128.0/17, 60.247.0.0/16, 60.253.128.0/17, 60.255.0.0/16, 60.55.0.0/16, 60.63.0.0/16, 61.128.0.0/10, 61.232.0.0/14, 61.236.0.0/15, 61.240.0.0/14, 61.28.0.0/17, 61.29.128.0/17, 61.45.128.0/18, 61.47.128.0/18, 61.48.0.0/13, 61.8.160.0/20, 61.87.192.0/18
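Worked example, added here and not from any poster in the thread: it turns start/end ranges of the kind quoted from okean.com in post #1 into CIDR prefixes, which is the general algorithm of which post #10 shows one instance by hand, and then renders them as hosts_access(5) entries in the short-chunk form post #11 settled on. The splitter is cross-checked against Python's ipaddress.summarize_address_range. The sample ranges, the chunk size and the daemon field are my choices. Two points of the format are assumptions worth stating: hosts_access(5) documents the net/mask spelling (58.14.0.0/255.254.0.0), while the /prefixlen spelling is what post #11 reports working on their system, so the function can emit either; and naming the daemon (sshd:) instead of ALL: restricts the block to that service, which is the objection post #12 raises against the ALL: lists.

```python
import ipaddress

# Constructed sample: three of the start/end ranges quoted from okean.com in post #1.
SAMPLE_RANGES = [
    ("58.14.0.0", "58.25.255.255"),
    ("58.30.0.0", "58.41.255.255"),
    ("58.65.64.0", "58.65.127.255"),
]


def range_to_prefixes(first, last):
    """Split an inclusive IPv4 range into the minimal list of CIDR prefixes.

    At each step take the largest block that is both aligned at `start`
    and does not run past `end`; this is what post #10 did by hand.
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError(f"{first} comes after {last}")
    prefixes = []
    while start <= end:
        prefix_len = 32
        while prefix_len > 0:
            wider = 1 << (33 - prefix_len)  # size of a /(prefix_len - 1) block
            if start % wider or start + wider - 1 > end:
                break
            prefix_len -= 1
        prefixes.append(f"{ipaddress.IPv4Address(start)}/{prefix_len}")
        start += 1 << (32 - prefix_len)
    return prefixes


def matches_stdlib(first, last):
    """Cross-check the hand-rolled splitter against ipaddress.summarize_address_range."""
    expected = [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]
    return range_to_prefixes(first, last) == expected


def to_net_mask(prefix):
    """'58.14.0.0/15' -> '58.14.0.0/255.254.0.0', the net/mask form hosts_access(5) documents."""
    net = ipaddress.IPv4Network(prefix)
    return f"{net.network_address}/{net.netmask}"


def hosts_deny_entries(daemon, ranges, per_entry=8, dotted=False):
    """Render hosts_access(5) entries, one '<daemon>: net, net, ...' line per chunk.

    Short entries mirror post #11's workaround for an over-long line; naming
    the daemon (e.g. 'sshd') instead of 'ALL' limits the block to that
    service, which is the point raised in post #12.
    """
    nets = [p for first, last in ranges for p in range_to_prefixes(first, last)]
    if dotted:
        nets = [to_net_mask(p) for p in nets]
    return [f"{daemon}: " + ", ".join(nets[i:i + per_entry])
            for i in range(0, len(nets), per_entry)]


if __name__ == "__main__":
    for first, last in SAMPLE_RANGES:
        assert matches_stdlib(first, last)
    for line in hosts_deny_entries("sshd", SAMPLE_RANGES, per_entry=4):
        print(line)
    for line in hosts_deny_entries("sshd", SAMPLE_RANGES[:1], dotted=True):
        print(line)
```

Running it prints the sshd: entries for the three sample ranges, the first of them also in net/mask form; feed it the whole country list to get the file post #11 typed out by hand. The stdlib cross-check is the guard against an off-by-one in the splitter, which in a deny list silently leaves a block open.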
  #12, Registered User, joined Jul 2002
    OK, the problem is that with the above hosts.deny entries you will block all traffic to your server from the IPs you specified. The user asked to block just SSH traffic, i.e. TCP port 22.

    A good tool you can use to block country-specific users:

    http://blacklist.linuxadmin.org

    It allows to specify protocols (SSH for example) as well.

    MDH
  #13, Registered User, joined Oct 2006
    Originally Posted by hostingdude
    OK..the problem is that with the above hosts.deny entries, you will block every traffic to your server from the IPs you specified. The user asked to block just SSH traffic, thus, TCP port 22

    A good tool you can use to block country-specific users:

    http://blacklist.linuxadmin.org

    It allows to specify protocols (SSH for example) as well.

    MDH

    Nice solution! Better than my brute-force method (unless, of course, you just don't care).
  #14, Contributing User, joined Nov 2004
    I know this is an old posting. Just wanted to post so others can see how to block everybody out of SSH.

    You can block all SSH traffic in APF (Advanced Protection Firewall) by adding rules to:
    /etc/apf/deny_hosts.rules
    and
    /etc/apf/allow_hosts.rules

    This assumes that your SSH is on port 22 (which you should change to a different port).

    This also will ONLY work if you're on a static IP address, as if your IP changes, you will be locked out of your own box.

    The first thing you want to do is ALWAYS allow your IP.
    So open /etc/apf/allow_hosts.rules

    ADD:
    Code:
    tcp:in:d=22:s=YOUR IP ADDRESS
    out:d=22:d=YOUR IP ADDRESS
    tcp:in:d=22:s=YOUR DATA CENTER'S IP RANGE
    out:d=22:d=YOUR DATA CENTER'S IP RANGE
    Then let's lockout everyone else, so open /etc/apf/deny_hosts.rules

    ADD:
    Code:
    tcp:in:d=22:s=0/0
    out:d=22:d=0/0
    Now restart APF with /etc/apf/apf -r

    That should lockout everyone but your IP and your data center's administration IP range.
  #15, Registered User, joined May 2007

    Spam blocks and ssh attacks


    The original poster, or one of them, was looking to stop ssh attacks. You might want to take a look at sshblack (see: (URL address blocked: See forum rules)) which will do all this automatically so you don't have to do it manually.

    And if you are looking for China/Korea blocks you can find a list of them at (URL address blocked: See forum rules) or the more current: (URL address blocked: See forum rules)

    Stilt
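Added example, mine rather than code from the thread or from sshblack: the manual process the original poster describes in post #1 (find attackers in the auth log, add them to hosts.deny), which post #15 says sshblack automates. It runs over constructed auth.log lines in OpenSSH's "Failed password for ... from ... port ..." wording, counts failures per source address, applies a threshold and an allowlist so your own address is never blocked (the lock-out risk post #14 warns about), and appends only addresses not already present so repeated runs are idempotent. The threshold, the sshd daemon name and every address in the sample are assumptions.

```python
import re
from collections import Counter

# Constructed auth.log excerpt in OpenSSH's message format; the addresses are invented.
SAMPLE_AUTHLOG = """\
Jan 14 03:12:01 host sshd[2211]: Failed password for root from 58.14.1.7 port 41522 ssh2
Jan 14 03:12:04 host sshd[2211]: Failed password for root from 58.14.1.7 port 41523 ssh2
Jan 14 03:12:06 host sshd[2213]: Failed password for invalid user admin from 58.14.1.7 port 41530 ssh2
Jan 14 03:12:09 host sshd[2215]: Invalid user oracle from 203.92.89.13
Jan 14 03:12:10 host sshd[2215]: Failed password for invalid user oracle from 203.92.89.13 port 2201 ssh2
Jan 14 03:15:44 host sshd[2300]: Accepted publickey for sam from 192.0.2.10 port 50122 ssh2
Jan 14 03:16:02 host sshd[2301]: Failed password for sam from 192.0.2.10 port 50130 ssh2
"""

# 'invalid user' is optional: sshd adds it only when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def failed_logins(log_text):
    """Failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(log_text, threshold=3, allowlist=()):
    """Addresses at or above `threshold` failures, never including allowlisted
    ones (your own address, the data centre's management range), so a mistyped
    password on your side cannot lock you out."""
    allow = set(allowlist)
    return sorted(ip for ip, n in failed_logins(log_text).items()
                  if n >= threshold and ip not in allow)


def merge_into_hosts_deny(existing_text, ips, daemon="sshd"):
    """Append one '<daemon>: ip, ip' entry for addresses not already listed.

    Dedupe is by exact address only; an address already covered by a
    network/prefix entry will still be appended. Returns the new file text.
    """
    present = set(IPV4_RE.findall(existing_text))
    new = [ip for ip in ips if ip not in present]
    if not new:
        return existing_text
    if existing_text and not existing_text.endswith("\n"):
        existing_text += "\n"
    return existing_text + f"{daemon}: " + ", ".join(new) + "\n"


if __name__ == "__main__":
    bad = offenders(SAMPLE_AUTHLOG, threshold=3, allowlist={"192.0.2.10"})
    print(merge_into_hosts_deny("", bad), end="")
```

On the sample only 58.14.1.7 crosses the threshold, and the script emits a single sshd: line for it. Two caveats before wiring this to a cron job: a real blocker also expires entries, otherwise the file grows without bound and a shared NAT address stays blocked forever; and hosts.deny only governs services linked against libwrap, which OpenSSH stopped supporting in release 6.7, so on a current system the same addresses belong in a firewall rule, as post #2 suggested.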