Best way to automatically block (add/delete) IP/CIDR ranges?

lightaffaire

Occasional Visitor
On a couple of linux servers here I block large lists of IP/CIDR ranges via iptables using scripts to add and delete them as needed.

At one site I now have a GT-AX11000 running 386.5beta1 and would like to know the following:

1. the best way to bulk block IP ranges on an asuswrt-merlin system via a script?

2. preferably callable via ssh into the router?

3. has anyone calculated the max. number of allowed IP entries a GT-AX11000/RT-AX88U can handle, or is actually running asuswrt-merlin with 1000s or 10000s of blocked ranges, and if so any gotchas to be aware of?

Once I have enough info I will look at updating the following script to handle iptables. It automatically generates an .htaccess file to deny spiders/clouds/hosters/actors based on a curated list of AS numbers. Check out the web deny report link to see what it is denying on a daily basis:


I appreciate any and all constructive feedback,

Iain
 

kernol

Very Senior Member
Have you had a look at Skynet ??
 

kernol

Very Senior Member

lightaffaire

Occasional Visitor
@kernol thank you for your answer concerning skynet and i will take a look at it.

Concerning your second message...

1. it is always best to run your own security checks i.e.,

$ nmap lightaffaire.com
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-28 08:30 CET
Nmap scan report for lightaffaire.com (87.138.139.76)
Host is up (0.0011s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
443/tcp open https
995/tcp open pop3s

RDP? X11? nope don't see them in that list.

Obviously someone here is going to jump on the "why is port 80 open?": it is a simple web redirect/rewrite rule to port 443.

Note: we run offsite logging of all machines/infrastructure including all ip denys here so I would ask "you" to first think long and hard.


2. Malware? If someone harvests your email address and uses it in a bulk mail spamming of whatever, then you end up on lists... that's the internet we live in today. Do more research on your own and you will see which addresses are being misused and were blocked here long ago.


3. Why do I send links? Because I have something to offer that others may or may not find useful... give and take... but that seems to be a dying art.
 

thiggins

Mr. Easy
Staff member
I am intrigued by your propensity to offer links in your posts - ostensibly to offer newly proposed solutions of your own.
And what is wrong with that? Every "solution" here was new at some point.
 

kernol

Very Senior Member
And what is wrong with that? Every "solution" here was new at some point.

Tim - you be the Captain ... but I believe I used the word "intrigued" and did not say or imply that it was "wrong"!

I am now intrigued by your quick defence of a newcomer whose offerings so far have added very little value - while expressing your displeasure at long-standing members with thousands of helpful posts that have supported the expansion of your forum.

@lightaffaire Welcome to SNBForums.

This is, indeed, a tough crowd, tougher than I prefer to see.
Some of the "furniture" hold strong opinions and are not shy about stating them, over and over in many cases.

BTW - @lightaffaire has yet to take down the unauthorised mirror site despite the Maestro's request!
 

dave14305

Part of the Furniture
I am now intrigued by your quick defence of a newcomer whose offerings so far have added very little value - while expressing your displeasure at long-standing members with thousands of helpful posts that have supported the expansion of your forum.
Good thing I wasn’t judged based on my first 10 posts on this forum. This crowd can be snobby when it chooses to be. So let’s not.
BTW - @lightaffaire has yet to take down the unauthorised mirror site despite the Maestro's request!
Was that an explicit request to take it down? You’re really out to get him, it seems. Be sure to check out the occasional skin photos on his main site. Maybe you’ll change your mind.
 

OzarkEdge

Part of the Furniture
Be sure to check out the occasional skin photos on his main site. Maybe you’ll change your mind.

I can't get there from here... I've been blocked by clever means. Asuswrt-Merlin's new mirror team is selective. So, not likely to change my mind.

OE
 

lightaffaire

Occasional Visitor
@kernol your full sentence was: "I am intrigued by your propensity to offer links in your posts - ostensibly to offer newly proposed solutions of your own."

That is more than "intrigued" once the full context is shown as above. You then felt the need to supply 3 URLs with respect to the IP of my site, which I explicitly answered in detail above. You should reply to the answers I provided you... which are correct and valid. Do not ignore valid answers. No wiggle room allowed. Simply admit you did not do due diligence on the answers Google provided.

With respect to your comment "a newcomer whose offerings so far have added very little value": some people find them useful, some don't. They are provided as-is. Whether you like or dislike any tools/ideas/tips I provide is up to you. Just be so kind as to double check any info before accusing me of anything in future... it makes one of us look anything but professional.

@OzarkEdge blocked? If you received a 403 web deny from my site then your IP is inside one of the ~500 ASNs we block due to security. If you want to send me your ISP/IP info per private message here I can run a check and tell you why you received a 403... if not, that is also ok.
 

thiggins

Mr. Easy
Staff member
I am now intrigued by your quick defence of a newcomer whose offerings so far have added very little value - while expressing your displeasure at long-standing members with thousands of helpful posts that have supported the expansion of your forum.
Helpful is relative. A lot depends on the reader's experience level. As long as the site terms are followed, users are free to post.
 

OzarkEdge

Part of the Furniture
@OzarkEdge blocked? if you received a 403 web deny from my site then your IP is inside one of the ~500 ASN's we block due to security. If you want to send me your ISP/IP info per private message here I can run a check and tell you why you received a 403... if not that is also ok.

Thanks for the offer... I'll pass since I don't use Asuswrt-Merlin.

For reference, here are the blocks I encountered when attempting your links... my ISP is a mainstream US cable Internet service provider:

[two screenshots of the 403 block pages]


OE
 

lightaffaire

Occasional Visitor
@OzarkEdge you don't use asus-merlin but are in the asus-merlin group? ermm.

I checked our logs here. Your IP looks to be inside the ASN: AS20115 Charter Communications

2022-03-01 01:02:26 47.233.25.160 AS20115 Charter Comm... GET /<redacted> HTTP/2.0 403

47.233.25.160 US, Missouri, 65265 Mexico
047-233-025-160.res.spectrum.com
asn+org: AS20115 Charter Communications
inetnum: 47.224.0.0/13
netname: CC04

But the CIDR block 47.224.0.0/11 is allocated to or is behind "AS45102 Alibaba Cloud" a chinese cloud provider that we do block.

I will look into adding an exception rule for the /13 network block. Check back tomorrow.
 

OzarkEdge

Part of the Furniture
@OzarkEdge you don't use asus-merlin but are in the asus-merlin group? ermm.

I try to help wherever I can. Funny you pointing out boundaries. :)

But the CIDR block 47.224.0.0/11 is allocated to or is behind "AS45102 Alibaba Cloud" a chinese cloud provider that we do block.

I have no idea about a Chinese provider at the edge of the Ozarks. I use the term 'edge' loosely, but your filter scheme may be too aggressive.

OE
 

RMerlin

Asuswrt-Merlin dev
BTW - @lightaffaire has yet to take down the unauthorised mirror site despite the Maestro's request!
I did not request a takedown, only that I do not want to endorse it as an official mirror. I do not forbid redistribution of my files, and I don't mind as long as people aren't being nefarious, i.e. they aren't modifying them, or claiming ownership of their content. Softpedia for instance has been redistributing Asuswrt-Merlin for years (and I briefly listed them as a mirror back when I was still using Mediafire).
 

RMerlin

Asuswrt-Merlin dev
1. the best way to bulk block IP ranges on an asuswrt-merlin system via a script?
Create an iptables rule that drops all content of an ipset, then dynamically update that ipset with your blocked IPs.

You'll have to check the ipset documentation, I don't remember the maximum number of supported entries.
 
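The ipset approach RMerlin describes, as an added example that is not code from this thread, from Asuswrt-Merlin or from Skynet. It covers the original three questions: one `hash:net` set and one `iptables -m set --match-set ... -j DROP` rule per chain handle any list size; the list is reloaded in a single `ipset restore` call from a script you can run over ssh (or from the `/jffs/scripts/firewall-start` hook so it survives a reboot); and the set is rebuilt under a temporary name and swapped in, so the live set is never half-populated during a reload. On the size question, `hash:net` defaults to `maxelem 65536` and the limit is set at `create` time; the practical ceiling on a router is RAM, not ipset. The set name `asn_deny`, the `_new` suffix, the file paths and the sample list are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from this thread, from Asuswrt-Merlin or from Skynet.
# Bulk-block IPv4 ranges with ONE ipset plus ONE iptables rule per chain, and
# refresh the set atomically (build a temporary set, then `swap`), so the live
# set is never half-populated while a large list is being reloaded.
#
# Assumptions (ours, not the firmware's): BusyBox sh, ipset and iptables on
# PATH, and a blocklist file with one IPv4 address or CIDR per line, '#'
# comments allowed. The set name and the "_new" suffix are arbitrary choices.

SET_NAME="asn_deny"
IPSET_TYPE="hash:net"
MAXELEM=65536      # hash:net default; raise it at create time for bigger lists

# Constructed sample list used for a dry run; real use reads a file instead.
SAMPLE_LIST='# spiders / hosters (constructed example data)
203.0.113.0/24
198.51.100.0/24
192.0.2.1
not an address
198.51.100.0/24
'

# normalize_list: stdin -> one validated IPv4 or IPv4/CIDR entry per line,
# comments and blank lines dropped, duplicates removed.
normalize_list() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
      | sort -u
}

# build_restore_script SET: stdin = normalized entries; stdout = an
# `ipset restore` script that fills SET_new, swaps it into SET and destroys
# the old contents. Meant to be piped into `ipset -exist restore`.
build_restore_script() {
    live="$1"
    tmp="${1}_new"
    echo "create $tmp $IPSET_TYPE family inet hashsize 4096 maxelem $MAXELEM"
    echo "flush $tmp"
    while read -r entry; do
        echo "add $tmp $entry"
    done
    # swap needs the live set to exist with the same type; with -exist the
    # create is a no-op when it already does.
    echo "create $live $IPSET_TYPE family inet hashsize 4096 maxelem $MAXELEM"
    echo "swap $tmp $live"
    echo "destroy $tmp"
}

# apply_blocklist FILE: load FILE into the live set in one restore call.
apply_blocklist() {
    normalize_list < "$1" | build_restore_script "$SET_NAME" | ipset -exist restore
}

# ensure_drop_rule: one rule per chain is enough however large the set is.
# `iptables -C` keeps this idempotent when firewall-start runs again.
ensure_drop_rule() {
    for chain in INPUT FORWARD; do
        iptables -C "$chain" -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
          || iptables -I "$chain" -m set --match-set "$SET_NAME" src -j DROP
    done
}

# Usage on the router, e.g. from /jffs/scripts/firewall-start (assumed path):
#   sh blocklist.sh /jffs/configs/blocklist.txt
if [ $# -ge 1 ]; then
    apply_blocklist "$1"
    ensure_drop_rule
fi
```

Deleting ranges is the same operation: remove them from the file and re-run the script; the swap replaces the whole set, so no per-entry `ipset del` bookkeeping is needed. To check what is loaded, `ipset list asn_deny -terse` prints the entry count without dumping every range.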

sfx2000

Part of the Furniture
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
443/tcp open https
995/tcp open pop3s

there's no real need to keep popper and sendmail open, esp. when they're not secure (even though tcp_wrapper is in play).

some folks might also mention 22/tcp, but as long as you're running certs there and disabling passwords, you should be fine, just a lot of folks rattling the doorknob...
 

lightaffaire

Occasional Visitor
there's no real need to keep popper and sendmail open, esp. when they're not secure (even though tcp_wrapper is in play).

some folks might also mention 22/tcp, but as long as you're running certs there and disabling passwords, you should be fine, just a lot of folks rattling the doorknob...

Well to be honest I really would like to keep receiving my email ;-)
 

sfx2000

Part of the Furniture
Well to be honest I really would like to keep receiving my email ;-)

Yeah, but popper is very not secure, using user/pass (I am one of the former devs for Qualcomm's qpopper), so turn that port off if you can...

Same with Sendmail - use 465 or 587 for SSL/TLS peer auth. There you can consider SPF/DKIM, as all senders should be doing this to reduce the amount of spam in the world.
 

lightaffaire

Occasional Visitor
Yeah, but popper is very not secure, using user/pass (I am one of the former devs for Qualcomm's qpopper), so turn that port off if you can...

Same with Sendmail - use 465 or 587 for SSL/TLS peer auth. There you can consider SPF/DKIM, as all senders should be doing this to reduce the amount of spam in the world.

Dovecot with STARTTLS certs is ok for my present needs.

Not everyone I correspond with has set up SMTPS, so port 25 is still required.
 
