Ban on continents
One fine morning I looked through the logs and asked myself a number of questions:
- Am I waiting for letters from Southeast Asia? (when I looked mail logs)
- And with what frightened ssh brute forcing from the States?
- Do I have to endure network scanners from Australia?
- Who is calling me from Africa? (when looking at asterisk logs)
- Why would my POP server get access from Latin America?
')
Why not ban on continents? Leaving only the desired continent (s)?
This is a small script that bans half the world:
#!/bin/sh # AFRINIC - # APNIC - , # ARIN - # LACNIC - # RIPE NCC - # , | BAN_CONT='AFRINIC|APNIC|LACNIC' # Ipv4 iana.org list=`curl -s http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv \ | egrep $BAN_CONT \ | cut -d "," -f 1 \ | sed 's!/8!.0.0.0/8!g' ` # for ip in $list; do iptables -I INPUT -s $ip -j DROP # . . done Result. List of banned networks
0 0 DROP all - * * 223.0.0.0/8 0.0.0.0/0
2 80 DROP all - * * 222.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 221.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 220.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 219.0.0.0/8 0.0.0.0/0
1 40 DROP all - * * 218.0.0.0/8 0.0.0.0/0
2 120 DROP all - * * 211.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 210.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 203.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 202.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 201.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 200.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 197.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 196.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 191.0.0.0/8 0.0.0.0/0
2,150 DROP all - * * 190.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 189.0.0.0/8 0.0.0.0/0
3,144 DROP all - * * 187.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 186.0.0.0/8 0.0.0.0/0
1 68 DROP all - * * 183.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 182.0.0.0/8 0.0.0.0/0
3,180 DROP all - * * 181.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 180.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 179.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 177.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 175.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 171.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 163.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 154.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 153.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 150.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 133.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 126.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 125.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 124.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 123.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 122.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 121.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 120.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 119.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 118.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 117.0.0.0/8 0.0.0.0/0
1 40 DROP all - * * 116.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 115.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 114.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 113.0.0.0/8 0.0.0.0/0
3 180 DROP all - * * 112.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 111.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 110.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 106.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 105.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 103.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 102.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 101.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 49.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 48.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 35.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 34.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 33.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 30.0.0.0/8 0.0.0.0/0
36 2160 DROP all - * * 23.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 12.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 1.0.0.0/8 0.0.0.0/0
2 80 DROP all - * * 222.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 221.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 220.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 219.0.0.0/8 0.0.0.0/0
1 40 DROP all - * * 218.0.0.0/8 0.0.0.0/0
2 120 DROP all - * * 211.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 210.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 203.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 202.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 201.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 200.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 197.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 196.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 191.0.0.0/8 0.0.0.0/0
2,150 DROP all - * * 190.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 189.0.0.0/8 0.0.0.0/0
3,144 DROP all - * * 187.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 186.0.0.0/8 0.0.0.0/0
1 68 DROP all - * * 183.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 182.0.0.0/8 0.0.0.0/0
3,180 DROP all - * * 181.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 180.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 179.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 177.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 175.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 171.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 163.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 154.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 153.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 150.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 133.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 126.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 125.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 124.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 123.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 122.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 121.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 120.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 119.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 118.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 117.0.0.0/8 0.0.0.0/0
1 40 DROP all - * * 116.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 115.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 114.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 113.0.0.0/8 0.0.0.0/0
3 180 DROP all - * * 112.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 111.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 110.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 106.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 105.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 103.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 102.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 101.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 49.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 48.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 35.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 34.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 33.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 30.0.0.0/8 0.0.0.0/0
36 2160 DROP all - * * 23.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 12.0.0.0/8 0.0.0.0/0
0 0 DROP all - * * 1.0.0.0/8 0.0.0.0/0
After that, peace and tranquility came in the logs.
And for the rest, there is fail2ban.
Such bans across continents bring additional security, reduce traffic, reduce the size of logs.
and when used correctly, facilitate the situation when ddos attack.
PS
Ban across continents - a double-edged blade.
For example, they banned ARIN (North America) and if gmail takes your mail from the POP server, then after the ban it will not be able to take it, etc.
Be careful!
PS2
Why am I not using geoip?
- I got into embarrassing situations, when the IP address was added to Russia, and in the geoip database it was not updated yet
- It should be installed everywhere, and if there are a lot of servers, then you can stop working
Update 02.28.2014
Servers on which I use such bans are exclusively private.
My servers are used by a certain and very limited circle of people.
In the comments I was made Roskomnadzor 2, lol.
And in my post I did not give a reason to believe that I call on public services or websites to block from the rest of the world, except in critical situations, when 7 troubles are one answer.
Source: https://habr.com/ru/post/214055/
All Articles