Michael P. Brininstool
mikepb at hoplite.org
Fri Jul 28 23:08:48 UTC 2006
HA! I TOP-POSTED!!!! So SHOOT ME!
>>>> I know that the preferred way of controlling access is to use
>>>> whitelists, but for my case I'd like to use IP blacklisting.
>>> At some point it affects performance. There are some workarounds.
>>> What problem are you trying to solve? What causes you to block an IP?
>I second the suggestion about running SSHD on a different port. It's
>removed all my script kiddie attacks. See /etc/ssh/sshd_config to enable.
Moving ssh to a different port seems to be the easiest way, but eventually
the scripts find the new port and start whacking it instead -- iptables
blocking is IMNSHO, a "better way" -- in that they can be logged -- useful
when you call in the feds. (Of course honeypots are even better....)
This is what I have done to block over 2400 ip blocks with no performance
hit measurable. Of course, I whitelist some very common blocks first, so
they avoid any delays, and most everyone else SHOULD be blocked so a delay I
care not about. Snippets only...
-A INPUT -i eth1 -d MY.EXTERNAL.IP -j ext_in
-A ext_in -p tcp -m tcp --dport 22 -j sshblock
-A sshblock -s G.0.0.D/I.P.BLCK.1 -j ACCEPT
-A sshblock -s G.0.0.D/I.P.BLCK.2 -j ACCEPT
-A sshblock -s 0.0.0.0/192.0.0.0 -j sshblock0
-A sshblock -s 18.104.22.168/192.0.0.0 -j sshblock64
-A sshblock -s 22.214.171.124/192.0.0.0 -j sshblock128
-A sshblock -s 192.0.0.0/126.96.36.199 -j sshblock192
-A sshblock -s 188.8.131.52/184.108.40.206 -j sshdrop
-A sshblock -j ACCEPT
sshblock0 gets addresses in 0.0.0.0 through 220.127.116.11
sshblock64 gets addresses in 18.104.22.168 through 127.255.255.255
sshblock128 gets addresses in 22.214.171.124 through 126.96.36.199
sshblock192 gets addresses in 192.0.0.0 through 188.8.131.52
184.108.40.206 through 255.255.255.255 goes to sshdrop (which logs as
"DROPPED_SSH_PACKET " and drops)
To help performance even further, the SYN flag can be added to the check for
port 22 above, provided a "RELATED,ESTABLISHED" line exists in the same
I forgot the URL, but there is a site that has a database of IP block
assignments. I periodically go to that site and download the blocks for
countries I NEVER want to receive email or ssh connections from, like CN,
KR, MY, VN, FR, TW, BR, etc, and add them to the sshblock and smtpblock
More information about the users