Script Blocks ALL APNIC IPs

jmcguirl

Veteran Member
Joined
Dec 3, 2010
Messages
28
Reaction score
0
It seems like 99% of my hits for fail2ban come from IPs in ASIA. I have no need or reason for anyone from that entire continent to talk to my PIAF servers. So I did a little research...

I found APNIC's webpage that lists all the ranges allocated by APNIC.

Then I created two VERY simple scripts, one to block APNIC IPs and one to undo the first script. I just run them as root on each new PIAF box I build.

Please tell me what ya think about this. Am I missing something or is it good AS-IS?

The APNIC BLOCK Script
Code:
#!/bin/bash
/sbin/iptables  -N      BLACKLIST
/sbin/iptables  -I      INPUT           -j      BLACKLIST
/sbin/iptables  -A      BLACKLIST       -s      1.0.0.0/8       -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      14.0.0.0/8      -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      27.0.0.0/8      -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      36.0.0.0/8      -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      39.0.0.0/8      -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      42.0.0.0/8      -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      49.0.0.0/8      -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      58.0.0.0/8      -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      59.0.0.0/8      -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      60.0.0.0/8      -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      61.0.0.0/8      -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      101.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      103.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      106.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      110.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      111.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      112.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      113.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      114.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      115.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      116.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      117.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      118.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      119.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      120.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      121.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      122.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      123.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      124.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      125.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      126.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      169.208.0.0/12  -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      175.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      180.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      182.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      183.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      202.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      203.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      210.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      211.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      218.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      219.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      220.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      221.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      222.0.0.0/8     -j      DROP
/sbin/iptables  -A      BLACKLIST       -s      223.0.0.0/8     -j      DROP

and The APNIC BLOCK "UNDO" Script
Code:
#!/bin/bash
/sbin/iptables  -D      INPUT           -j      BLACKLIST
/sbin/iptables  -D      BLACKLIST       -s      1.0.0.0/8       -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      14.0.0.0/8      -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      27.0.0.0/8      -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      36.0.0.0/8      -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      39.0.0.0/8      -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      42.0.0.0/8      -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      49.0.0.0/8      -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      58.0.0.0/8      -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      59.0.0.0/8      -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      60.0.0.0/8      -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      61.0.0.0/8      -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      101.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      103.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      106.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      110.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      111.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      112.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      113.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      114.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      115.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      116.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      117.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      118.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      119.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      120.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      121.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      122.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      123.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      124.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      125.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      126.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      169.208.0.0/12  -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      175.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      180.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      182.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      183.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      202.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      203.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      210.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      211.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      218.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      219.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      220.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      221.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      222.0.0.0/8     -j      DROP
/sbin/iptables  -D      BLACKLIST       -s      223.0.0.0/8     -j      DROP
/sbin/iptables  -X      BLACKLIST
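As an added example (not part of the original post or of PIAF), here is a dry-run companion to the two scripts above: it checks whether a given address would be DROPped by the listed prefixes without touching iptables, and it prints an idempotent version of the block script that can be re-run without creating a duplicate chain or a second INPUT jump. The prefix list is copied from the post; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Prefix list is the one from the post.
APNIC_BLOCKS="1.0.0.0/8 14.0.0.0/8 27.0.0.0/8 36.0.0.0/8 39.0.0.0/8 42.0.0.0/8
49.0.0.0/8 58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 61.0.0.0/8 101.0.0.0/8 103.0.0.0/8
106.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 114.0.0.0/8
115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 120.0.0.0/8
121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 126.0.0.0/8
169.208.0.0/12 175.0.0.0/8 180.0.0.0/8 182.0.0.0/8 183.0.0.0/8 202.0.0.0/8
203.0.0.0/8 210.0.0.0/8 211.0.0.0/8 218.0.0.0/8 219.0.0.0/8 220.0.0.0/8
221.0.0.0/8 222.0.0.0/8 223.0.0.0/8"

# Dotted quad -> 32-bit integer (assumes a well-formed four-octet address).
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Returns 0 if address $1 lies inside CIDR prefix $2 (e.g. 169.208.0.0/12).
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Prints the first matching prefix and returns 0 if $1 would be DROPped;
# returns 1 (prints nothing) if the address is not covered by the list.
blacklisted() {
    for cidr in $APNIC_BLOCKS; do
        if in_cidr "$1" "$cidr"; then echo "$cidr"; return 0; fi
    done
    return 1
}

# Print (do not execute) a re-runnable form of the block script: the chain is
# created only if it does not exist, and each rule only if -C cannot find it.
gen_rules() {
    echo '/sbin/iptables -nL BLACKLIST >/dev/null 2>&1 || /sbin/iptables -N BLACKLIST'
    echo '/sbin/iptables -C INPUT -j BLACKLIST 2>/dev/null || /sbin/iptables -I INPUT -j BLACKLIST'
    for cidr in $APNIC_BLOCKS; do
        echo "/sbin/iptables -C BLACKLIST -s $cidr -j DROP 2>/dev/null || /sbin/iptables -A BLACKLIST -s $cidr -j DROP"
    done
}
```

Run `gen_rules > block.sh` to produce the script, or `blacklisted 27.1.2.3` to see which prefix a logged address falls under before deciding whether a /8 is too coarse for your traffic.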
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
Niiiiiiiiiiiiiiiice. Just be aware that without an iptables save, these all disappear when the server or IPtables is restarted.
 
Joined
Jun 29, 2009
Messages
258
Reaction score
0
This is a great concept!

When I followed the link to APNIC it made me wonder if there was something similar for other areas of the world. It turns out there are, and they are called regional Internet registries. And over all of them is the Internet Assigned Numbers Authority.

So let's say you are in North America and there is no reason that anyone outside of North America should be connecting to your system. You could go to the IP Address Space Allocated to ARIN page and whitelist all the IP blocks on that page, and deny everything else, but that would also prohibit connections from certain multinational corporations and legacy networks (including, for example, Level 3 Communications, Inc., which you might not want to block if you're seriously into VoIP :wink5:). You'd only discover those by looking in the IANA IPv4 Address Space Registry list.

Now, if only there were a way to narrow this down to certain ISPs and states I'd be happy, but at the same time I think I've only very rarely seen a hack attempt from within North America (I could probably count the number on one hand).
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
Before the advent of bots and zombies, this might have been a great idea. Now I view it as next to worthless. Whitelists secure your system if you restrict the entries to IP addresses of known providers, servers, and remote extensions. Blacklists offer little to no protection! Think of it as a jail full of felons. Does any jail protect your house from future burglaries? :reddevil:
 
Joined
Jun 29, 2009
Messages
258
Reaction score
0
I understand your point, Ward, but I don't think you fully appreciate that some of us have users whose IP address changes on almost a weekly basis (DSL users - ugh!). Maybe you've had a large problem with bots and zombies, but so far virtually every attack attempt I have seen has come from outside the United States. You're thinking in terms of the absolute worst that can happen and if I were responsible for someone else's system, I suppose I would too. But this is for my own system and since even a bot or zombie would have to crack my very secure passwords (which would take them years unless they get extremely lucky), to me the ability to whitelist a particular state/ISP combination would be hugely advantageous in not inconveniencing my handful of users (all family and friends, and the majority not at all technically oriented).

Plus, and this is not a small point, the idea of a regional/ISP based whitelist is something even I can understand. I see a lot of firewall techniques and they invariably involve advanced features of iptables, like chains and such, which may seem perfectly clear to networking gurus, but which are not at all clear to me. Usually if I try to implement one of those techniques, I'm either not certain that it's working at all, or it becomes so restrictive that even desirable traffic can't get in.

Different strokes, as they say...
 

peivoip

Member
Joined
Jun 13, 2008
Messages
117
Reaction score
0
Niiiiiiiiiiiiiiiice. Just be aware that without an iptables save, these all disappear when the server or IPtables is restarted.

Trying to run iptables save, but I'm getting "Bad argument `save'".

When I do iptables -h there is no save option.

Is there something else I can do?
 

jmullinix

Guru
Joined
Oct 21, 2007
Messages
1,263
Reaction score
7
I am inclined to agree with Ward on this. I am not as fortunate as MichiganTelephone. I have had several SIP attacks from within the US. I have been assaulted from virtual machines from all over the US, and colleges seem to like this stuff. I had one attack come from Carnegie Mellon of all places. Their response to my e-mail was almost immediate, by the way, and they resolved the problem within hours.

I don't think whitelists or blacklists are going to be the solution. To me, network security is an ongoing process of blacklists, software updates, intrusion detection and mitigation and reading logs. It gets easy to scan logs after a while and an anomaly will jump out at you.

Just my $.02 worth.
 

randy7376

Active User
Joined
Sep 29, 2010
Messages
864
Reaction score
144
peivoip

Try...
Code:
iptables-save
or
Code:
/etc/init.d/iptables save
The latter will save iptables settings to /etc/sysconfig/iptables.save
 

blanchae

Guru
Joined
Mar 12, 2008
Messages
1,910
Reaction score
9
The discussion between blacklist vs. whitelist goes like this:

1. Blacklist: you need a big blacklist that will need constant updating. The blacklist will need to be constantly updated as new hackers are identified. Hackers are in control of the blacklist as it's dependent on which IPs they are going to use next. It puts a load on your firewall to have to run through the list and check for "bad" IP addresses. You may inadvertently block good calls. Eventually, your blacklist will include every IP address on the planet. Blacklists are after-the-fact security. It follows the security practice of blocking everything that is bad, with the assumption that anything remaining must be good.

2. Whitelist: you need a small list of known good IP addresses. The firewall just checks a small list. Everything else is blocked from connecting. Anonymous incoming calls without a valid extension go to the IVR or are dropped. Basically easier to maintain, and you are in control of who is on the whitelist. Whitelisting is before-the-fact security. It follows standard firewall security: allow only what you want through and block everything else, which is way more secure than the blacklist premise.
 

mbellot

Active Member
Joined
Dec 15, 2008
Messages
404
Reaction score
185
Correct, but white list assumes you can pinpoint all the "good guys" all the time.

Not easy to do without some additional mucking around if you have users whose IP address changes regularly.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
Very true. And we've discussed alternatives for those folks. Set them up on something like voip.ms and then make a secure IAX connection between voip.ms and your server. Or get them a sip2sip.net address and go from there.

Bottom Line: It's your server... and your phone bill. :wink5:
 

jmcguirl

Veteran Member
Joined
Dec 3, 2010
Messages
28
Reaction score
0
John,

I think you are absolutely right! White/black listing is not a solution by itself and never will be. I just find it interesting to see the amount of IP traffic hitting my machines.

PS See ya at the AAUG on the 16th.

Here is the relevant portion of the output of "iptables -L -v" on one of my machines.

Code:
Chain INPUT (policy DROP 78857 packets, 8726K bytes)
 pkts bytes target     prot opt in     out     source               destination
 155M   93G BLACKLIST  all  --  any    any     anywhere             anywhere

Chain BLACKLIST (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     1.0.0.0/8            anywhere
    0     0 DROP       all  --  any    any     14.0.0.0/8           anywhere
    3   144 DROP       all  --  any    any     27.0.0.0/8           anywhere
    0     0 DROP       all  --  any    any     36.0.0.0/8           anywhere
    0     0 DROP       all  --  any    any     39.0.0.0/8           anywhere
    0     0 DROP       all  --  any    any     42.0.0.0/8           anywhere
    0     0 DROP       all  --  any    any     49.0.0.0/8           anywhere
   17   854 DROP       all  --  any    any     ppp-net.infoweb.ne.jp/8  anywhere
    9   460 DROP       all  --  any    any     59.0.0.0/8           anywhere
   28  1220 DROP       all  --  any    any     60.0.0.0/8           anywhere
   25  1158 DROP       all  --  any    any     61.0.0.0/8           anywhere
    0     0 DROP       all  --  any    any     101.0.0.0/8          anywhere
    0     0 DROP       all  --  any    any     103.0.0.0/8          anywhere
    0     0 DROP       all  --  any    any     106.0.0.0/8          anywhere
    3   120 DROP       all  --  any    any     110.0.0.0/8          anywhere
    5   220 DROP       all  --  any    any     111.0.0.0/8          anywhere
    4   168 DROP       all  --  any    any     112.0.0.0/8          anywhere
    4   184 DROP       all  --  any    any     113.0.0.0/8          anywhere
   10   472 DROP       all  --  any    any     114.0.0.0/8          anywhere
    2   486 DROP       all  --  any    any     115.0.0.0/8          anywhere
    1    40 DROP       all  --  any    any     116.0.0.0/8          anywhere
    0     0 DROP       all  --  any    any     localhost/8          anywhere
   27  1352 DROP       all  --  any    any     118.0.0.0/8          anywhere
   415 24864 DROP       all  --  any    any     119.0.0.0/8          anywhere
    0     0 DROP       all  --  any    any     120.0.0.0/8          anywhere
    7   328 DROP       all  --  any    any     nip-121-0-0-0.onqnetworks.net/8  anywhere
    2    88 DROP       all  --  any    any     122.0.0.0/8          anywhere
    2    80 DROP       all  --  any    any     UNKNOWN-123-0-0-X.yahoo.com/8  anywhere
   13   598 DROP       all  --  any    any     124.0.0.0/8          anywhere
    3   506 DROP       all  --  any    any     ppp-net.infoweb.ne.jp/8  anywhere
    0     0 DROP       all  --  any    any     softbank126000000000.bbtec.net/8  anywhere
    0     0 DROP       all  --  any    any     169.208.0.0/12       anywhere
    0     0 DROP       all  --  any    any     175.0.0.0/8          anywhere
    3   162 DROP       all  --  any    any     180.0.0.0/8          anywhere
    2    72 DROP       all  --  any    any     182.0.0.0/8          anywhere
   15   758 DROP       all  --  any    any     183.0.0.0/8          anywhere
   10  1645 DROP       all  --  any    any     202.0.0.0/8          anywhere
    9   458 DROP       all  --  any    any     203.0.0.0/8          anywhere
   11   586 DROP       all  --  any    any     210.0.0.0/8          anywhere
    7   338 DROP       all  --  any    any     211.0.0.0/8          anywhere
  143  8007 DROP       all  --  any    any     218.0.0.0/8          anywhere
    6   288 DROP       all  --  any    any     softbank219000000000.bbtec.net/8  anywhere
   10   608 DROP       all  --  any    any     softbank220000000000.bbtec.net/8  anywhere
   50  2050 DROP       all  --  any    any     221.0.0.0/8          anywhere
   41  2368 DROP       all  --  any    any     222.0.0.0/8          anywhere
    2    76 DROP       all  --  any    any     223.0.0.0/8          anywhere
 
