Blocking entire domains

Discussion in 'Linux Networking' started by James H. Markowitz, Apr 6, 2014.

  1. I keep getting breakin attempts from a variety of domains, the
    worst being hinet.net. I would therefore be interested in blocking all IP
    addresses in this domain with iptables rules. Is this possible? Looking
    into the actual addresses I notice that they seem to be all over the
    place, so iptables might not be the best solution here. Any ideas?
     
    James H. Markowitz, Apr 6, 2014
    #1

  2. An alternative, if your break-in attempts are on a service that supports
    tcpwrappers, is to make an entry into /etc/hosts.deny blocking all of
    the offending domain's hosts. Something like

    sshd: .offending.domain

    would block access to sshd, or

    ALL: .offending.domain

    would block access to all tcpwrapper-capable services.

    --keith
     
    Keith Keller, Apr 6, 2014
    #2
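The matching behind those hosts.deny entries, as an added Python illustration rather than code from the thread: tcpd resolves the client's PTR record, confirms it maps back to the address, and only then can a ".domain" pattern match. The PTR and forward records here are constructed sample data (documentation addresses, not real hosts).

```python
import ipaddress

# Constructed stand-in for DNS, not real hosts: reverse (PTR) and forward (A) records.
PTR = {"203.0.113.7": "mail-7.offending.domain",
       "198.51.100.9": "forged.offending.domain"}
FORWARD = {"mail-7.offending.domain": {"203.0.113.7"},
           "forged.offending.domain": {"192.0.2.200"}}  # does not point back at 198.51.100.9

def client_name(ip):
    """Resolve like tcpd: PTR lookup, then confirm the name maps back to the address.
    No PTR -> None (a '.domain' pattern can never match); mismatch -> 'PARANOID'."""
    name = PTR.get(ip)
    if name is None:
        return None
    return name if ip in FORWARD.get(name, set()) else "PARANOID"

def pattern_matches(pattern, ip, name):
    """Subset of hosts_access(5) client patterns: ALL, '.domain' suffix, 'net.' prefix,
    CIDR, or a literal address, hostname or the PARANOID wildcard."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return name not in (None, "PARANOID") and name.endswith(pattern)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (ip, name)

def parse_hosts_deny(text):
    """Turn 'daemon_list : client_list' lines into ([daemons], [clients]) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, clients = (p.replace(",", " ").split() for p in line.split(":", 1))
            rules.append((daemons, clients))
    return rules

def denied(rules, daemon, ip):
    """True if hosts.deny rejects this client for this daemon (hosts.allow not modelled)."""
    name = client_name(ip)
    for daemons, clients in rules:
        if "ALL" in daemons or daemon in daemons:
            if any(pattern_matches(p, ip, name) for p in clients):
                return True
    return False

HOSTS_DENY = "sshd: .offending.domain\nALL: PARANOID\n"   # constructed sample file
RULES = parse_hosts_deny(HOSTS_DENY)
```

A client with no PTR record never matches the ".offending.domain" line, which is the weakness of blocking by domain name.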

  3. Thanks for your suggestion. What I had in mind was for sendmail,
    and after some googling I came across the surprisingly simple iptables
    incantation:

    iptables -I INPUT -p tcp --dport 25 -m string --string "Host: hinet.net" --algo bm -j DROP

    I haven't had any entries associated with hinet.net addresses in
    my sendmail log file ever since. Hopefully it is not just a coincidence.
     
    James H. Markowitz, Apr 6, 2014
    #3
  4. Hello,

    James H. Markowitz wrote:
    Short answer: no. iptables doesn't know about domains.
    Of course this has nothing to do with your original request. I am
    surprised, AFAIK the "Host:" string is not part of the SMTP protocol, but
    rather the HTTP protocol. Do the attackers try to speak HTTP to your
    SMTP server? Also, beware of the side-effects: if this post had been
    transmitted by mail, your rule may have blocked it because it contains
    the string.
     
    Pascal Hambourg, Apr 6, 2014
    #4
  5. On Mon, 7 Apr 2014, in the Usenet newsgroup comp.os.linux.networking, in
    "breakin attempts"? In the other part of this thread, you speak of
    sendmail, rather than SSH, telnet, FTP, web server or whatever.

    Hinet is the telephone company in Taiwan and thus one of the largest
    ISPs there. Last I bothered to look, they had over 40 IPv4 blocks
    scattered from 1.x.x.x to 220.x.x.x.

    If you must have your servers accepting incoming connections to all
    135875 network blocks allocated by the five Regional Internet Registries
    (AfriNIC, APNIC, ARIN, LACNIC and RIPE), you're getting into the "Self
    Denial of Service Attack" zone, where whatever you do is going to cost
    you a lot of CPU cycles, or is going to have a bunch of false positives,
    or both. Your "-m string" rule is a good example of both problems.

    Blocking domains - best done with Wietse Venema's old "TCP Wrapper"
    program (version 7.6 was last updated ~17 years ago). It depends on the
    offending host having an IP->hostname lookup (DNS PTR record), which
    isn't always the case. It can also block by IP range, but isn't as
    versatile as a full-blown firewall.

    If all you are concerned about is "sendmail", look at the documentation
    of the various milters you can run as part of sendmail. The newsgroup
    comp.mail.sendmail would be a good place to start.
    The problem with that is that there is a huge number of network blocks
    allocated/assigned, and the IP registries did not allocate or assign
    those blocks in a manner conducive to blocking. Using 60.x.x.x as an
    example, APNIC assigned that /8 in 83 blocks to eleven countries: AU,
    CN, ID, IN, JP, KP, MO, MY, NZ, TW and US. (Know your ISO-3166 country
    codes?)
    Good luck. If we're going to use APNIC as an example, that RIR has
    issued blocks to registrants claiming to be in the following countries:

    AF BT GU KI MN NF PG TK VU
    AP CK HK KP MO NL PH TL WF
    AS CN ID KR MP NP PK TO WS
    AT DE IN LA MU NR PW TV
    AU FJ IO LK MV NU SB TW
    BD FM JP MH MY NZ SG US
    BN GB KH MM NC PF TH VN

    Lessee, AT is Austria, AU is Australia, DE is Germany, GB is England,
    AP is the whole Asia/Pacific region... yeah, real selective that.
    Depending on where you WANT to offer services, it may be easier to just
    "ALLOW" certain blocks, and let the default BLOCK or DROP rule handle
    the rest. Or you can try to block each of the 577 IPv4 blocks assigned
    to Taiwan (but don't forget the 76 IPv6 blocks assigned there also) and
    so on. That is better than using a log reader like Blockhosts,
    BruteForceBlocker, Denyhosts, Fail2ban or SSHguard that tries to block
    one IP address at a time (as of Mar 15, 2014, there were 3549161880 or
    about 3.55 billion IPv4 addresses allocated/assigned by the five RIRs).

    Old guy
     
    Moe Trin, Apr 7, 2014
    #5
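The allow-list approach described above (ACCEPT the blocks you actually want to serve, let a default DROP handle the rest), as an added Python example that is not code from the thread: it merges the blocks, emits ipset and iptables/ip6tables commands, and reports what the ruleset would do with a given source address. The netblocks are constructed documentation ranges, not real RIR allocations, and the ipset names are assumed.

```python
import ipaddress

# Constructed allow-list (documentation ranges, not real RIR allocations): the blocks
# from which the server should accept SMTP. Everything else falls through to DROP.
ALLOW_BLOCKS = ["203.0.113.0/25", "203.0.113.128/25", "198.51.100.0/24", "2001:db8:10::/48"]

def collapse(blocks):
    """Merge adjacent and overlapping blocks so the set holds as few entries as possible."""
    nets = [ipaddress.ip_network(b, strict=False) for b in blocks]
    merged = []
    for version in (4, 6):   # collapse_addresses only takes one address family at a time
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return [str(n) for n in merged]

def ruleset(blocks, port=25):
    """ipset + iptables/ip6tables commands: ACCEPT the listed blocks, default DROP on the port."""
    cmds = ["ipset create smtp_allow4 hash:net family inet",     # set names are assumed
            "ipset create smtp_allow6 hash:net family inet6"]
    for b in collapse(blocks):
        fam = ipaddress.ip_network(b).version
        cmds.append(f"ipset add smtp_allow{fam} {b}")
    for tool, fam in (("iptables", 4), ("ip6tables", 6)):
        cmds.append(f"{tool} -A INPUT -p tcp --dport {port} -m set "
                    f"--match-set smtp_allow{fam} src -j ACCEPT")
        cmds.append(f"{tool} -A INPUT -p tcp --dport {port} -j DROP")
    return cmds

def decision(blocks, ip):
    """What the generated ruleset does with a connection from ip (versions must match)."""
    addr = ipaddress.ip_address(ip)
    hit = any(addr in ipaddress.ip_network(b) for b in collapse(blocks))
    return "ACCEPT" if hit else "DROP"

if __name__ == "__main__":
    print("\n".join(ruleset(ALLOW_BLOCKS)))
```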
