
Script Blocks ALL APNIC IPs

Discussion in 'Add-On Install Instructions' started by jmcguirl, Mar 16, 2011.

  1. jmcguirl New Member

    It seems like 99% of my hits for fail2ban come from IPs in ASIA. I have no need or reason for anyone from that entire continent to talk to my PIAF servers. So I did a little research...

    I found APNIC's webpage that lists all the ranges allocated by APNIC.

    Then I created two VERY simple scripts, one to block APNIC IPs and one to undo the first script. I just run them as root on each new PIAF box I build.

    Please tell me what ya think about this. Am I missing something or is it good AS-IS?

    The APNIC BLOCK Script
    Code:
#!/bin/bash
# Create a BLACKLIST chain, hook it at the top of INPUT, then DROP each APNIC range listed below.
    /sbin/iptables  -N      BLACKLIST
    /sbin/iptables  -I      INPUT           -j      BLACKLIST
    /sbin/iptables  -A      BLACKLIST       -s      1.0.0.0/8       -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      14.0.0.0/8      -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      27.0.0.0/8      -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      36.0.0.0/8      -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      39.0.0.0/8      -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      42.0.0.0/8      -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      49.0.0.0/8      -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      58.0.0.0/8      -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      59.0.0.0/8      -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      60.0.0.0/8      -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      61.0.0.0/8      -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      101.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      103.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      106.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      110.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      111.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      112.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      113.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      114.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      115.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      116.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      117.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      118.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      119.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      120.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      121.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      122.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      123.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      124.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      125.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      126.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      169.208.0.0/12  -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      175.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      180.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      182.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      183.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      202.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      203.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      210.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      211.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      218.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      219.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      220.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      221.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      222.0.0.0/8     -j      DROP
    /sbin/iptables  -A      BLACKLIST       -s      223.0.0.0/8     -j      DROP
    
    and The APNIC BLOCK "UNDO" Script
    Code:
#!/bin/bash
# Unhook BLACKLIST from INPUT, delete each rule, then remove the (now empty) chain with -X.
    /sbin/iptables  -D      INPUT           -j      BLACKLIST
    /sbin/iptables  -D      BLACKLIST       -s      1.0.0.0/8       -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      14.0.0.0/8      -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      27.0.0.0/8      -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      36.0.0.0/8      -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      39.0.0.0/8      -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      42.0.0.0/8      -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      49.0.0.0/8      -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      58.0.0.0/8      -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      59.0.0.0/8      -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      60.0.0.0/8      -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      61.0.0.0/8      -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      101.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      103.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      106.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      110.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      111.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      112.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      113.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      114.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      115.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      116.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      117.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      118.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      119.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      120.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      121.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      122.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      123.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      124.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      125.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      126.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      169.208.0.0/12  -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      175.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      180.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      182.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      183.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      202.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      203.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      210.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      211.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      218.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      219.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      220.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      221.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      222.0.0.0/8     -j      DROP
    /sbin/iptables  -D      BLACKLIST       -s      223.0.0.0/8     -j      DROP
    /sbin/iptables  -X      BLACKLIST
    
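A maintainable version of the same idea, added here as an example and not the poster's script: generate the BLACKLIST rules from the delegated file an RIR publishes (APNIC's is named delegated-apnic-latest) instead of typing /8s by hand, and optionally load them into an ipset so the kernel does a hash lookup rather than walking every rule for every packet. The record format (registry|cc|type|start|value|date|status) is the one the RIRs use; the records below are constructed and deliberately tiny. Written in Python so it runs offline; the `is_blocked` helper only checks which addresses the generated rules would cover, it touches no firewall.

```python
"""Generate iptables/ipset block rules from an RIR delegated-*-latest file.

Added example, not the forum poster's script. Sample data is constructed.
"""
import ipaddress
from typing import Iterable, List, Optional, Set

# Constructed excerpt in the delegated-file format. Real files run to tens of
# thousands of lines. 'value' is an address count and is not always a power
# of two (see the 768 entry), so one record can need several CIDR prefixes.
SAMPLE_DELEGATED = """\
2|apnic|20110316|3|19830613|20110315|+1000
apnic|*|ipv4|*|3|summary
apnic|AU|ipv4|1.0.0.0|256|20110811|assigned
apnic|CN|ipv4|1.0.1.0|768|20110414|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated
apnic|AU|ipv6|2001:200::|35|19990813|allocated
apnic|KR|asn|17579|1|20010703|allocated
"""


def parse_ipv4_ranges(text: str, only_cc: Optional[Set[str]] = None) -> Iterable[ipaddress.IPv4Network]:
    """Yield CIDR prefixes covering every ipv4 record, optionally filtered by country code."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # version and summary lines have a different shape; skip anything that is not an ipv4 record
        if len(fields) < 7 or fields[2] != "ipv4":
            continue
        if only_cc is not None and fields[1] not in only_cc:
            continue
        start = ipaddress.IPv4Address(fields[3])
        count = int(fields[4])
        end = start + count - 1
        # splits a non-power-of-two range into the minimal set of aligned prefixes
        yield from ipaddress.summarize_address_range(start, end)


def aggregate(nets: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent and overlapping prefixes so the rule set is as short as possible."""
    return list(ipaddress.collapse_addresses(nets))


def iptables_rules(nets: Iterable[ipaddress.IPv4Network], chain: str = "BLACKLIST") -> List[str]:
    """One rule per prefix, in the style of the script above (linear walk of the chain per packet)."""
    cmds = [f"/sbin/iptables -N {chain}", f"/sbin/iptables -I INPUT -j {chain}"]
    cmds += [f"/sbin/iptables -A {chain} -s {n} -j DROP" for n in nets]
    return cmds


def ipset_rules(nets: Iterable[ipaddress.IPv4Network], setname: str = "apnic_block") -> List[str]:
    """Same policy via ipset: a single iptables rule and a hash:net lookup instead of N rules."""
    cmds = [f"ipset create {setname} hash:net -exist"]
    cmds += [f"ipset add {setname} {n} -exist" for n in nets]
    cmds.append(f"/sbin/iptables -I INPUT -m set --match-set {setname} src -j DROP")
    return cmds


def is_blocked(ip: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """Offline check: would a packet from this source address hit the generated block list?"""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    nets = aggregate(parse_ipv4_ranges(SAMPLE_DELEGATED))
    print("\n".join(iptables_rules(nets)))
    print("\n".join(ipset_rules(nets)))
```

Because the delegated file carries a country code per allocation, the `only_cc` filter narrows the list to particular economies rather than a whole registry; the per-ISP or per-state granularity wished for later in the thread is not in that file. Whichever generator is used, the output still needs an `iptables-save`/`ipset save` to survive a reboot, as Ward notes below.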
  2. wardmundy Nerd Uno

    Niiiiiiiiiiiiiiiice. Just be aware that without an iptables save, these all disappear when the server or IPtables is restarted.
  3. This is a great concept!

    When I followed the link to APNIC it made me wonder if there was something similar for other areas of the world. It turns out there are, and they are called regional Internet registries. And over all of them is the Internet Assigned Numbers Authority.

    So let's say you are in North America and there is no reason that anyone outside of North America should be connecting to your system. You could go to the IP Address Space Allocated to ARIN page and whitelist all the IP blocks on that page, and deny everything else, but that would also prohibit connections from certain multinational corporations and legacy networks (including, for example, Level 3 Communications, Inc., which you might not want to block if you're seriously into VoIP :wink5:). You'd only discover those by looking in the IANA IPv4 Address Space Registry list.

    Now, if only there were a way to narrow this down to certain ISPs and states I'd be happy, but at the same time I think I've only very rarely seen a hack attempt from within North America (I could probably count the number on one hand).
  4. wardmundy Nerd Uno

    Before the advent of bots and zombies, this might have been a great idea. Now I view it as next to worthless. Whitelists secure your system if you restrict the entries to IP addresses of known providers, servers, and remote extensions. Blacklists offer little to no protection! Think of it as a jail full of felons. Does any jail protect your house from future burglaries? :reddevil:
  5. I understand your point, Ward, but I don't think you fully appreciate that some of us have users whose IP address changes on almost a weekly basis (DSL users - ugh!). Maybe you've had a large problem with bots and zombies, but so far virtually every attack attempt I have seen has come from outside the United States. You're thinking in terms of the absolute worst that can happen and if I were responsible for someone else's system, I suppose I would too. But this is for my own system and since even a bot or zombie would have to crack my very secure passwords (which would take them years unless they get extremely lucky), to me the ability to whitelist a particular state/ISP combination would be hugely advantageous in not inconveniencing my handful of users (all family and friends, and the majority not at all technically oriented).

    Plus, and this is not a small point, the idea of a regional/ISP based whitelist is something even I can understand. I see a lot of firewall techniques and they invariably involve advanced features of iptables, like chains and such, which may seem perfectly clear to networking gurus, but which are not at all clear to me. Usually if I try to implement one of those techniques, I'm either not certain that it's working at all, or it becomes so restrictive that even desirable traffic can't get in.

    Different strokes, as they say...
  6. peivoip Member

    Trying to run iptables save, but I'm getting "Bad argument `save'"

    When I do iptables -h there is no save option.

    Is there something else I can do ?
  7. jmullinix Guru

    I am inclined to agree with Ward on this. I am not as fortunate as MichiganTelephone. I have had several SIP attacks from within the US. I have been assaulted from virtual machines from all over the US, and colleges seem to like this stuff. I had one attack come from Carnegie Mellon of all places. Their response to my e-mail was almost immediate, by the way, and they resolved the problem within hours.

    I don't think whitelists or blacklists are going to be the solution. To me, network security is an ongoing process of blacklists, software updates, intrusion detection and mitigation and reading logs. It gets easy to scan logs after a while and an anomaly will jump out at you.

    Just my $.02 worth.
  8. randy7376 Guru

    peivoip

    Try...
    Code:
    iptables-save
    or
    Code:
    /etc/init.d/iptables save
    The latter will save iptables settings to /etc/sysconfig/iptables.save
  9. peivoip Member


    iptables-save worked.


    Thanks Randy
  10. blanchae Guru

    The discussion between blacklist vs. whitelist goes like this:

    1. Blacklist: you need a big blacklist that will need constant updating. The blacklist will need to be constantly updated as new hackers are identified. Hackers are in control of the blacklist, as it's dependent on which IPs they are going to use next. It puts a load on your firewall to have to run through the list and check for "bad" IP addresses. You may inadvertently block good calls. Eventually, your blacklist will include every IP address on the planet. Blacklists are after-the-fact security. It follows the security practice of block everything that is bad, with the assumption that anything remaining must be good.

    2. Whitelist: you need a small list of known good IP addresses. The firewall just checks the small list. Everything else is blocked from connecting. Anonymous incoming calls without a valid extension go to the IVR or are dropped. Basically easier to maintain, and you are in control of who is on the whitelist. A whitelist is before-the-fact security. It follows standard firewall security: allow only what you want through and block everything else, which is way more secure than the blacklist premise.
  11. mbellot Active Member

    Correct, but a whitelist assumes you can pinpoint all the "good guys" all the time.

    Not easy to do without some additional mucking around if you have users whose IP address changes regularly.
  12. wardmundy Nerd Uno

    Very true. And we've discussed alternatives for those folks. Set them up on something like voip.ms and then make a secure IAX connection between voip.ms and your server. Or get them a sip2sip.net address and go from there.

    Bottom Line: It's your server... and your phone bill. :wink5:
  13. jmcguirl New Member

    John,

    I think you are absolutely right! White/black listing is not a solution by itself and never will be. I just find it interesting to see the amount of IP traffic hitting my machines.

    PS See ya at the AAUG on the 16th.

    Here is the relevant portion of the output of "iptables -L -v" on one of my machines.

    Code:
    Chain INPUT (policy DROP 78857 packets, 8726K bytes)
     pkts bytes target     prot opt in     out     source               destination
     155M   93G BLACKLIST  all  --  any    any     anywhere             anywhere
    
    Chain BLACKLIST (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  any    any     1.0.0.0/8            anywhere
        0     0 DROP       all  --  any    any     14.0.0.0/8           anywhere
        3   144 DROP       all  --  any    any     27.0.0.0/8           anywhere
        0     0 DROP       all  --  any    any     36.0.0.0/8           anywhere
        0     0 DROP       all  --  any    any     39.0.0.0/8           anywhere
        0     0 DROP       all  --  any    any     42.0.0.0/8           anywhere
        0     0 DROP       all  --  any    any     49.0.0.0/8           anywhere
       17   854 DROP       all  --  any    any     ppp-net.infoweb.ne.jp/8  anywhere
        9   460 DROP       all  --  any    any     59.0.0.0/8           anywhere
       28  1220 DROP       all  --  any    any     60.0.0.0/8           anywhere
       25  1158 DROP       all  --  any    any     61.0.0.0/8           anywhere
        0     0 DROP       all  --  any    any     101.0.0.0/8          anywhere
        0     0 DROP       all  --  any    any     103.0.0.0/8          anywhere
        0     0 DROP       all  --  any    any     106.0.0.0/8          anywhere
        3   120 DROP       all  --  any    any     110.0.0.0/8          anywhere
        5   220 DROP       all  --  any    any     111.0.0.0/8          anywhere
        4   168 DROP       all  --  any    any     112.0.0.0/8          anywhere
        4   184 DROP       all  --  any    any     113.0.0.0/8          anywhere
       10   472 DROP       all  --  any    any     114.0.0.0/8          anywhere
        2   486 DROP       all  --  any    any     115.0.0.0/8          anywhere
        1    40 DROP       all  --  any    any     116.0.0.0/8          anywhere
        0     0 DROP       all  --  any    any     localhost/8          anywhere
       27  1352 DROP       all  --  any    any     118.0.0.0/8          anywhere
      415 24864 DROP       all  --  any    any     119.0.0.0/8          anywhere
        0     0 DROP       all  --  any    any     120.0.0.0/8          anywhere
        7   328 DROP       all  --  any    any     nip-121-0-0-0.onqnetworks.net/8  anywhere
        2    88 DROP       all  --  any    any     122.0.0.0/8          anywhere
        2    80 DROP       all  --  any    any     UNKNOWN-123-0-0-X.yahoo.com/8  anywhere
       13   598 DROP       all  --  any    any     124.0.0.0/8          anywhere
        3   506 DROP       all  --  any    any     ppp-net.infoweb.ne.jp/8  anywhere
        0     0 DROP       all  --  any    any     softbank126000000000.bbtec.net/8  anywhere
        0     0 DROP       all  --  any    any     169.208.0.0/12       anywhere
        0     0 DROP       all  --  any    any     175.0.0.0/8          anywhere
        3   162 DROP       all  --  any    any     180.0.0.0/8          anywhere
        2    72 DROP       all  --  any    any     182.0.0.0/8          anywhere
       15   758 DROP       all  --  any    any     183.0.0.0/8          anywhere
       10  1645 DROP       all  --  any    any     202.0.0.0/8          anywhere
        9   458 DROP       all  --  any    any     203.0.0.0/8          anywhere
       11   586 DROP       all  --  any    any     210.0.0.0/8          anywhere
        7   338 DROP       all  --  any    any     211.0.0.0/8          anywhere
      143  8007 DROP       all  --  any    any     218.0.0.0/8          anywhere
        6   288 DROP       all  --  any    any     softbank219000000000.bbtec.net/8  anywhere
       10   608 DROP       all  --  any    any     softbank220000000000.bbtec.net/8  anywhere
       50  2050 DROP       all  --  any    any     221.0.0.0/8          anywhere
       41  2368 DROP       all  --  any    any     222.0.0.0/8          anywhere
        2    76 DROP       all  --  any    any     223.0.0.0/8          anywhere
    
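The counters in that listing are the useful part: they show which block rules actually fire and which never match. The following is an added example (not from the thread) that parses `iptables -L -v` output into per-chain counters and ranks the sources; the excerpt it runs on is a constructed subset of the listing above in the same layout. Two real flags worth knowing for this: `-n` keeps raw addresses instead of reverse-DNS names (which is why `localhost/8` and the softbank names appear above), and `-x` prints exact counters instead of the abbreviated `155M`/`93G` forms that the helper below has to expand.

```python
"""Rank the counters in `iptables -L -v` output to see which block rules do any work.

Added example, not from the thread. The sample listing is a constructed excerpt.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the layout `iptables -L -v` prints (without -n or -x).
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 78857 packets, 8726K bytes)
 pkts bytes target     prot opt in     out     source               destination
 155M   93G BLACKLIST  all  --  any    any     anywhere             anywhere

Chain BLACKLIST (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     1.0.0.0/8            anywhere
    3   144 DROP       all  --  any    any     27.0.0.0/8           anywhere
   17   854 DROP       all  --  any    any     ppp-net.infoweb.ne.jp/8  anywhere
  415 24864 DROP       all  --  any    any     119.0.0.0/8          anywhere
  143  8007 DROP       all  --  any    any     218.0.0.0/8          anywhere
   50  2050 DROP       all  --  any    any     221.0.0.0/8          anywhere
"""

# iptables abbreviates large counters with decimal K/M/G suffixes unless -x is given.
_SUFFIX = {"K": 1000, "M": 1000000, "G": 1000000000}

Rule = Tuple[int, int, str, str]  # (packets, bytes, target, source)


def parse_counter(token: str) -> int:
    """Expand an abbreviated counter such as 93G or 8726K into an integer (approximate without -x)."""
    if token[-1] in _SUFFIX:
        return int(token[:-1]) * _SUFFIX[token[-1]]
    return int(token)


def parse_listing(text: str) -> Dict[str, List[Rule]]:
    """Map chain name -> list of (pkts, bytes, target, source) rules in listing order."""
    chains: Dict[str, List[Rule]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        fields = line.split()
        # skip blank lines, the column header, and anything before the first chain
        if current is None or len(fields) < 9 or fields[0] == "pkts":
            continue
        pkts, byts, target = parse_counter(fields[0]), parse_counter(fields[1]), fields[2]
        source = fields[7]  # pkts bytes target prot opt in out source destination
        chains[current].append((pkts, byts, target, source))
    return chains


def top_sources(chains: Dict[str, List[Rule]], chain: str = "BLACKLIST", n: int = 3) -> List[Tuple[str, int]]:
    """Sources with the highest packet counts in a chain: the rules actually earning their keep."""
    rules = sorted(chains.get(chain, []), key=lambda r: r[0], reverse=True)
    return [(src, pkts) for pkts, _, _, src in rules[:n] if pkts > 0]


def dead_rules(chains: Dict[str, List[Rule]], chain: str = "BLACKLIST") -> List[str]:
    """Sources whose rule never matched; candidates to review when trimming a long chain."""
    return [src for pkts, _, _, src in chains.get(chain, []) if pkts == 0]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    print("busiest:", top_sources(parsed))
    print("never matched:", dead_rules(parsed))
```

Feeding real output through this (`iptables -L -v -n -x`, then `parse_listing` on the captured text) gives a quick read of where the dropped traffic comes from without scrolling a fifty-rule chain, and the zero-count rules are the ones to question if the chain is ever shortened.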
