[tip] - ip blocklist ranges (ssh/smtp/http)

@sfx2000 , take a look at my example routerOS config. Instead of blocking a whole country, what I do is block based on an input attempt. If an input attempt failed, regardless of what port (like if I'm not using port 21 and someone tries to see if it is open) it uses, then blacklist it. Never expose your ssh/smtp port to the net. If you need to use SMTP, make sure authentication is required and blacklist IP addresses after 3 attempts. You should also use the DoS protection for all services, which is to delay the response after a wrong login. Don't blacklist for an hour; blacklist for days or forever. I suggest using a VPN if you need to access SSH from outside.

China isn't the only country running bot hacks; there's Brazil, Africa, Russia, the US, even Amazon cloud. An infected device could be running scripts to try and hack you. Just blocking China may not be an effective method. Hackers do use Amazon cloud to hack others. Amazon can't stop people from renting their cloud; they can't do background checks to see if you secretly meet other people in a hut out in the forest. My proxy once had a botnet spamming it with ads, trying to make it browse other ads, and it all came from Amazon.

You should use the tarpit-and-then-drop method for TCP, and drop for everything else.

If you are protecting content, use dynamic content generation via a server-side language. If you have a website you don't want people to DDoS or try to hack users on, use the anti-spam image. Minimise client-side coding.
 
@sfx2000 , take a look at my example routerOS config. Instead of blocking a whole country, what I do is block based on an input attempt. If an input attempt failed, regardless of what port (like if I'm not using port 21 and someone tries to see if it is open) it uses, then blacklist it.

Brave souls go with ipset & iptables available on any linux router..

China isn't the only country running bot hacks; there's Brazil, Africa, Russia, the US, even Amazon cloud.

I have 204 ip addresses blocked because they poke my openvpn server (on a popular port). I guess the sample is random enough to be interesting.
Code:
CN US TW NL DE IE JP TR SG GB FR CZ ZA PA CH AT MX HK CO KR IR
77 73 15 8  5  4  3  3  2  2  2  1  1  1  1  1  1  1  1  1  1
Standard issues for the top two IMO. What surprises me are the third and fourth as well as missing ones.
 
I take a layered approach...

two inbound ports only - TCP/22 and ICMP/1 on IPv4 only - that's it...

IPTables - I use the LIMIT directive to rate limit connection attempts, which slows down the Bots even trying

OpenSSH - we limit the number of startups and the login grace period, along with AllowUsers limiting to one user - me - and we turn off PermitRootLogin. Oddly enough, I don't use certs for the home network, but I've got robust passphrases and we lock down the options to RSA only with long keys. I update PWs about once a week, and that's easy enough to do.

Certs would make it a bit more robust, but since I use many different clients, it's more overhead than benefit for me.

I've got Fail2Ban keeping an eye on things, and after very few bad attempts, that IP goes into a Jail and they will get dropped by IPTables until the Jail timelimit expires.

I don't block whole countries, but I've found about 85 IP blocks that aggressively scan - 80 percent are in China; surprisingly, quite a few are in France (more than Russia and Ukraine, to be honest), with the remainder in the US, Spain, and Vietnam (plus a couple here/there) - that blocklist keeps activity down to a bare minimum, and anything new that pops up aggressively gets added to the block list, as ranges always change.

It's enough to keep me relatively safe...

OpenSSH tunnels are pretty fun - if I need more, I can initiate connections back to my client if I'm remote - I used to run an L2TP VPN end-point, but found I didn't use it that much, and a lot of log chatter from the Bots beating on it.

Moving to "alternate" ports generally doesn't work, as the Bots are scanning all ports and fingerprinting services, so they'll find things anyway, and then beat on it until they're either tired and move on - I put an "open" box out there for a bit as a "honeypot", moving services all over the place - and the bots found the services on them and poked them accordingly - was fun to watch...
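The four OpenSSH knobs named above (MaxStartups, LoginGraceTime, AllowUsers, PermitRootLogin) as a small audit script. This is an added example, not the poster's own setup: it emits a hardened drop-in for an assumed user "alice" and checks a flat sshd_config (no Match blocks) for the same four directives; both config files it reads are constructed inside the script.

```shell
# Added example, not the poster's setup: emit the hardened OpenSSH drop-in and
# audit a flat sshd_config (no Match blocks assumed) for the same four directives.
# Both config files below are constructed; "alice" is an assumed user name.
WEAK=$(mktemp); HARD=$(mktemp)
printf 'Port 22\nPermitRootLogin yes\nLoginGraceTime 120\n' > "$WEAK"

# sshd_hardening USER: drop-in for /etc/ssh/sshd_config.d/ (Include, OpenSSH >= 8.2)
sshd_hardening() {
  cat <<EOF
PermitRootLogin no
AllowUsers ${1:?user name required}
# refuse 50% of new unauthenticated connections past 3, all of them past 10
MaxStartups 3:50:10
LoginGraceTime 20
EOF
}
sshd_hardening alice > "$HARD"

# check_sshd FILE: one finding per line; silence means all four knobs are set.
# LoginGraceTime is assumed in plain seconds (no "2m" style suffix).
check_sshd() {
  awk '/^[[:space:]]*#/ || NF < 2 { next }
       { seen[tolower($1)] = tolower($2) }
       END {
         if (seen["permitrootlogin"] != "no")
           print "PermitRootLogin is not no (default prohibit-password still allows root keys)"
         if (!("allowusers" in seen))
           print "AllowUsers missing: every local account can be tried"
         if (!("maxstartups" in seen))
           print "MaxStartups missing: unauthenticated connections default to 10:30:100"
         if (!("logingracetime" in seen) || seen["logingracetime"] + 0 > 30)
           print "LoginGraceTime missing or above 30 s (default 120)"
       }' "$1"
}

# findings FILE: number of findings, for use in scripts
findings() { check_sshd "$1" | awk 'END { print NR }'; }

echo "weak config:";     check_sshd "$WEAK"
echo "hardened config:"; check_sshd "$HARD"
```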
 
Never expose your ssh/smtp port to the net. If you need to use SMTP, make sure authentication is required and blacklist IP addresses after 3 attempts. You should also use the DoS protection for all services, which is to delay the response after a wrong login. Don't blacklist for an hour; blacklist for days or forever. I suggest using a VPN if you need to access SSH from outside.

China isn't the only country running bot hacks; there's Brazil, Africa, Russia, the US, even Amazon cloud. An infected device could be running scripts to try and hack you. Just blocking China may not be an effective method. Hackers do use Amazon cloud to hack others. Amazon can't stop people from renting their cloud; they can't do background checks to see if you secretly meet other people in a hut out in the forest. My proxy once had a botnet spamming it with ads, trying to make it browse other ads, and it all came from Amazon.

The best part of the advice above - don't run services on the untrusted side that are not absolutely needed...

I outsource my email to a trusted partner, and security is their problem, not mine - in my FYI series, we do implement postfix, but even there, port 25 isn't allowed, and we use SASL for an authenticated/secure port out to GMail for reporting alerts from various scripts.

Even with open ports on the firewall, those services do not run on the firewall, they run behind it on a hardened Linux box - something I've had in my network config for over 15 years and it's evolved as technology and threats have.

I've seen the same thing you mentioned - Bots running inside AWS, and increasingly so from MS's Azure cloud... everybody is getting cloud savvy these days - and the bots are getting increasingly savvy, and many are taking the same approaches - can see it in the logs in the patterns...

A slight difference in opinion with regards to SSH and VPNs - SSH, at least with OpenSSH, is robust enough as it is, and fewer things can go wrong compared to OpenVPN, SSL VPN implementations, or L2TP/IPSec - and since on my box, it's actually not the one authenticating, this goes back to PAM, and PAM is crypto strong itself - everything is hashed, nothing in the clear... But for some folks, spending the time/effort to get an OpenVPN (or other) has a fair amount of utility, and OpenVPN is secure enough properly done to keep bad guys at bay. But like I mentioned with OpenSSH above, I would never run VPN on the firewall directly, but on a trusted machine behind the firewall.
 
On my home router (atm RT-AC56U), I have ports open for OpenVPN server (1 port), IPsec VPN (2) and http server (1). ICMP 0/3/11 ctstate NEW accepted, as well as ICMP 8, rate limited. This is IPv4.

The http is for a special and limited purpose. It has no authentication but ipset restricted to a tiny IP range. The two VPNs are open to the wild. OpenVPN used to be my main connection while not home for a multitude of purposes (one use is superb adblock). IPsec VPN was set up later to replace it. It runs IKEv2 (StrongSwan as auth and keying agent + multi-threaded crypto engine in kernel).

I still keep OpenVPN, but on TCP, because some networks, especially WiFi hotspots, don't like UDP. Both authentications use 2048-bit certificates. For encryption, I pick 128-bit AES - a good balance between speed and privacy IMO.

I haven't seen floods on the open ports. When it happens, I might consider rate limiting on them. I handcraft all iptables rules. They're arranged in a way that the whitelist comes first and good packets go through minimal traversal of the iptables. Everything else is considered bad and dropped, with packets logged.

Packet logging is separated into two tiers. The 204 IP addresses (and growing) on open ports are logged in one place. The rest is logged in a second file. I used to peek at the 'rest' file, but it's getting boring fast. The first one is cool and lets me analyse recurring 'offenders' and stay alerted.

E.g. one of the 204 IP addresses accounts for ~40% of the offences in the past month. In comparison, the runner-up accounts for less than 6%! From its pattern, I can guess who he/she/it is and can predict when it'll re-visit me..

I have IPv6 - a HE tunnel. No open ports except some ICMPv6. I use IPv6 for connecting to my small OpenVZs in two other continents.

So far no incidents yet. Touch wood..
 
Found another site that is tracking IPv4 blocks from China (and Korea) - has them in multiple formats, including direct ipTables and CIDR for platforms that prefer CIDR format, along with .htaccess files for Web Servers and DNS Zone lists

He keeps them pretty current...

http://www.okean.com/thegoods.html
 
On my home router (atm RT-AC56U), I have ports open for OpenVPN server (1 port), IPsec VPN (2) and http server (1). ICMP 0/3/11 ctstate NEW accepted, as well as ICMP 8, rate limited. This is IPv4.

Pretty much same here - I've got an OpenVPN (UDP/1094) endpoint as the emergency spare if nothing else works, OpenSSH (yes, on TCP/22), and L2TP/IPSec (UDP/500, UDP/1701, UDP/4500) - no HTTP or Sendmail, that's all off-site and hosted... and it keeps my ISP off my case, they generally are concerned with certain ports, like http and sendmail, not remote access into the network, there they trust that the person knows what they're doing...

I kept with UDP for the WAN VPN access, as most port scanners skip UDP as it's very, very time/resource consuming for them to do so, and I keep logs, and it's basically pretty quiet there... OpenSSH is noisy as it's a TCP end-point, and today's port-scanners are pretty efficient at finding things even if you move them off the traditional IANA ports, so why bother?

All are rate limited, which helps, and fairly tied down as far as access for certain users...

The actual end-points are behind the router, so the router is just port forwarding, and strong/robust security is on the jump box, and I keep it pretty much current with the distro being used (right now it's Ubuntu 16.04 LTS).

The http is for a special and limited purpose. It has no authentication but ipset restricted to a tiny IP range. The two VPNs are open to the wild. OpenVPN used to be my main connection while not home for a multitude of purposes (one use is superb adblock). IPsec VPN was set up later to replace it. It runs IKEv2 (StrongSwan as auth and keying agent + multi-threaded crypto engine in kernel).

Cool - something you might consider is keeping an eye on entropy - check

/proc/sys/kernel/random/entropy_avail

Should always be higher than 200, and my end-point, since it's headless, would often drop below that - the fix there was to install/config haveged - which helps keep random numbers a bit more random ;)

I still keep OpenVPN, but on TCP, because some networks, especially WiFi hotspots, don't like UDP. Both authentications use 2048-bit certificates. For encryption, I pick 128-bit AES - a good balance between speed and privacy IMO.

Good setup - being TCP, do you see a fair amount of door-knocker noise on that port in the logs?

I haven't seen floods on the open ports. When it happens, I might consider rate limiting on them. I handcraft all iptables rules. They're arranged in a way that the whitelist comes first and good packets go through minimal traversal of the iptables. Everything else is considered bad and dropped, with packets logged.

That's the best approach - there's more than a few times we see in the forums -- "How can I block China?", without realizing there's over 4500 discrete ranges that would have to be considered - in a consumer Router/AP, it's a memory and processor consideration with a block list that large...

Drop everything, and then only let certain trusted IPs and blocks in - more efficient that way...
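The whitelist-first layout described in this and the earlier posts (trusted sources first, then a ban list, rate-limited open ports, two log tiers, drop everything else), written out as an iptables-restore ruleset. This is an added example, not any poster's actual rules: it assumes two ipsets named trusted and banned (hash:net; a timeout on banned gives the days-long blacklist the first reply asks for), an SSH TCP port and an OpenVPN UDP port passed as arguments, and rsyslog routing the two log prefixes to separate files.

```shell
# Added example: whitelist-first IPv4 ruleset in iptables-restore format.
# Assumed ipsets (create first):  ipset create trusted hash:net
#                                 ipset create banned hash:net timeout 604800
# Load as root: sh rules.sh 22 1194 > rules.v4 && iptables-restore < rules.v4

# gen_rules SSH_TCP_PORT VPN_UDP_PORT -> ruleset on stdout
gen_rules() {
  ssh=${1:-22}
  vpn=${2:-1194}
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:KNOCK - [0:0]
:REST - [0:0]
# 1. Trusted traffic first, so good packets traverse as few rules as possible
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m set --match-set trusted src -j ACCEPT
# 2. Known offenders: silent drop, no log noise
-A INPUT -m set --match-set banned src -j DROP
# 3. Exposed services, rate limited per source; the excess goes to the tier-1 log
-A INPUT -p tcp --dport $ssh -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-above 4/min -j KNOCK
-A INPUT -p tcp --dport $ssh -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport $vpn -m hashlimit --hashlimit-name vpn --hashlimit-mode srcip --hashlimit-above 20/sec -j KNOCK
-A INPUT -p udp --dport $vpn -j ACCEPT
# ICMP replies and errors (types 0/3/11) already pass above as ESTABLISHED,RELATED
-A INPUT -p icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
# 4. Everything else is bad: tier-2 log, then drop
-A INPUT -j REST
# Distinct prefixes let rsyslog write the two tiers to two files
-A KNOCK -m limit --limit 5/min -j LOG --log-prefix "FW-KNOCK: "
-A KNOCK -j DROP
-A REST -m limit --limit 5/min -j LOG --log-prefix "FW-REST: "
-A REST -j DROP
COMMIT
EOF
}

# rule_line PATTERN: 1-based line of the first rule matching PATTERN, 0 if none
rule_line() {
  gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1 | grep . || echo 0
}

# Print the ruleset only when ports were given on the command line
[ $# -eq 0 ] || gen_rules "$@"
```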
 
Cool - something you might consider is keeping an eye on entropy - check

/proc/sys/kernel/random/entropy_avail

Should always be higher than 200, and my end-point, since it's headless, would often drop below that - the fix there was to install/config haveged - which helps keep random numbers a bit more random ;)

On my RT-AC56U it's around 100. Basically useless. I can't even make use of /dev/random when setting up IKEv2 IPsec on the router. I tried /dev/urandom, which works and is a better version not solely dependent on entropy.

Good setup - being TCP, do you see a fair amount of door-knocker noise on that port in the logs?

On the OpenVPN & other open ports, not crazy but neither scarce. Every day new friends visit me. It's also common to see them from major cloud providers. Pretty sure AWS tops my list. I've set up an automated check on my router. Whenever I log in it prompts me with new friends and asks my permission to ignore or block them, like below:

themis:~$ phaeo

Welcome to Phaeo.

uptime: 01:00:38 up 77 days, 6:15, load average: 0.01, 0.07, 0.06

{
"ip": "200.111.107.58",
"hostname": "No Hostname",
"city": "Santiago",
"region": "Santiago Metropolitan",
"country": "CL",
"loc": "-33.4500,-70.6667",
"org": "AS6471 ENTEL CHILE S.A."
}
{
"ip": "45.64.74.109",
"hostname": "No Hostname",
"city": "",
"region": "",
"country": "TW",
"loc": "23.5000,121.0000",
"org": "AS133731 Royal Network Technology Co., Ltd. in Guangzhou"
}
Proceed with update? y
Phaeo:~$

Drop everything, and then only let certain trusted IP's and Blocks in - more efficient that way...

Can't agree more..



I have quite a few applications running on RT-AC56U. Some homebrew apps (a bunch of scripts run as daemon or one-shot recurring tasks). But I decided to move my home network to ER-X. It will take over firewall/NAT/routing/QoS/IPsec/other network functions. Will turn RT-AC56U into an AP and an application server. Runs OpenVPN server, NTP daemon and many other services. Have to devise a plan for seamless transition. I'm very excited looking forward! Feel a bit relieved to hand over the more difficult task to Ubiquiti.
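The two-tier log review described earlier in the thread (share of hits per source, the ~40% top offender) and the "new friends" prompt above, as an added example that is not the poster's Phaeo script: it tallies SRC= addresses from kernel LOG lines and lists sources absent from a known-IP file. The log lines and the known list are constructed with TEST-NET addresses.

```shell
# Added example, not the poster's phaeo script: tally door-knockers from kernel
# LOG lines and list sources missing from a known-IP file.
# Sample log lines and known list are constructed (TEST-NET addresses).
SAMPLE_LOG=$(mktemp)
KNOWN=$(mktemp)
for src in 203.0.113.5 203.0.113.5 192.0.2.9 203.0.113.5 198.51.100.77 \
           203.0.113.5 192.0.2.9 203.0.113.200 192.0.2.50 198.51.100.8; do
  printf 'Mar  3 01:00:12 themis kernel: FW-KNOCK: IN=eth0 OUT= SRC=%s DST=198.51.100.2 LEN=40 TTL=49 PROTO=TCP SPT=44321 DPT=1194 SYN\n' "$src"
done > "$SAMPLE_LOG"
printf '203.0.113.5\n192.0.2.9\n' > "$KNOWN"   # already reviewed, one IP per line

# offender_share LOG: "SRC hits percent" per source, busiest first
offender_share() {
  awk 'match($0, /SRC=[0-9.]+/) { s = substr($0, RSTART + 4, RLENGTH - 4); n[s]++; t++ }
       END { for (s in n) printf "%s %d %d\n", s, n[s], int(n[s] * 100 / t) }' "$1" |
    sort -k2,2nr -k1,1
}

# top_offender LOG: the single busiest source
top_offender() { offender_share "$1" | head -n 1; }

# new_friends LOG KNOWN: sources seen in LOG but absent from KNOWN, once each
new_friends() {
  awk 'FILENAME == ARGV[1] { known[$1] = 1; next }
       match($0, /SRC=[0-9.]+/) {
         s = substr($0, RSTART + 4, RLENGTH - 4)
         if (!(s in known) && !seen[s]++) print s
       }' "$2" "$1"
}

echo "Share of hits per source:"; offender_share "$SAMPLE_LOG"
echo "New friends to review:";     new_friends "$SAMPLE_LOG" "$KNOWN"
```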
 
I have quite a few applications running on RT-AC56U. Some homebrew apps (a bunch of scripts run as daemon or one-shot recurring tasks). But I decided to move my home network to ER-X. It will take over firewall/NAT/routing/QoS/IPsec/other network functions. Will turn RT-AC56U into an AP and an application server. Runs OpenVPN server, NTP daemon and many other services. Have to devise a plan for seamless transition. I'm very excited looking forward! Feel a bit relieved to hand over the more difficult task to Ubiquiti.

Sounds like a good plan - I've got a small Dell i3050 (it's an Atom J1800 box) running Ubuntu 16.04 that serves as my SSH jump box and VPN end-point, so nothing runs on the router itself outside of normal firewall and NAT... It's very power efficient, and fast enough for its intended purpose... as an example, once the toolchain is built, doing an update build against OpenWRT takes about a minute and a half... and it also runs Docker and KVM for occasional lab work..

A Pi3 could probably do a similar job, but the slow network probably would impact VPN performance (although, I have a Pi3, and VNC'ing into it isn't so bad...)
 