Howto block entire networks via iptables

modem (Verified User, joined Apr 7, 2004, 355 messages)
Hello all,

I have had an issue recently with a lot of Asian and European IP addresses trying to brute-force attack my server. Normally the IPs change, but they are still on the same network, leading me to believe it's either a botnet or an internet cafe or something.

Since I'm not an expert with iptables, I am wondering what the exact syntax is to block an entire Class A, Class B, and Class C network.

For example, one IP address that keeps brute-forcing is: 193.93.28.98. So I created a rule to block all TCP incoming connections from: 193.93.28.0/24. Is that correct? Where can I go to learn about how to more exactly block an entire IP block?

Brad
 
The syntax 193.93.28.0/24 is correct, and if you use a firewall like kiss for example, it's very easy to block these ranges.

However, if I were you I wouldn't bother!
When I started out managing servers my initial response was the same as yours: block the IP ranges where these attacks are coming from. After a few weeks of adding ranges I saw that many of those were coming from countries like Korea, Romania, Brazil etc. So I googled for sites listing the IP ranges for those countries, found them and blocked them all. But that didn't stop these brute force attacks. Every few days, sometimes even twice a day, I had to add another range to the list. After a few months I realized that I was blocking more than half the world. But much worse than that, this list of blocked IP ranges was starting to have a negative impact on network performance. Make the list long enough and the time it takes for each IP packet to pass the checklist increases and starts to become a bottleneck.
That's when I realized I was going about this all wrong. The lesson I should have learned is that what's important is not stopping the brute force scans, but making sure those scans would fail. The answer is strong passwords. If you are sure you're using secure passwords then just watch these attempts with a smile and spend your time hunting for cross-site scripting leaks in PHP scripts etc. instead, because many more successful hacks originate there.

(ps. this is not fact, just my opinion ;) )
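The question above asks for the exact syntax, and the reply confirms that 193.93.28.0/24 is right. As an added example (not a script from this thread or from any firewall frontend), the script below validates an IPv4 address, derives the network that contains it for any prefix length (the Class A, B and C cases are simply PREFIX values 8, 16 and 24), and emits the iptables DROP rule for incoming TCP from that network. It goes slightly beyond the thread by handling arbitrary prefix lengths. Function names, the DRY_RUN switch and the decision to insert a TCP-only DROP at the top of INPUT are my choices; if a block list grows large, the same rule pattern can point at an ipset hash:net set so a single rule replaces the long chain walk the reply above warns about.

```shell
#!/bin/sh
# Added example (not from the thread): validate a dotted-quad IPv4 address,
# compute the network that contains it for any prefix length (the classful
# /8, /16 and /24 cases asked about are just three values of PREFIX), and emit
# the iptables rule that drops incoming TCP from that network. With DRY_RUN=1
# the iptables commands are printed instead of run; without it, root and
# iptables are required. The address 193.93.28.98 is the one from the thread.

# valid_ipv4 ADDR: succeed only for exactly four decimal octets in 0-255
valid_ipv4() {
    # reject empty input, leading/trailing dots and empty octets up front
    case "$1" in ''|.*|*.|*..*) return 1 ;; esac
    n=0
    old_ifs=$IFS; IFS=.
    for oct in $1; do
        n=$((n + 1))
        case "$oct" in
            ''|*[!0-9]*) IFS=$old_ifs; return 1 ;;
        esac
        if [ "$oct" -gt 255 ]; then IFS=$old_ifs; return 1; fi
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# cidr_net ADDR PREFIX: print the network (in CIDR form) that ADDR belongs to
# for any prefix length 0-32, e.g. "193.93.28.98 24" -> "193.93.28.0/24"
cidr_net() {
    valid_ipv4 "$1" || return 1
    p=$2
    case "$p" in ''|*[!0-9]*) return 1 ;; esac
    [ "$p" -le 32 ] || return 1
    a=${1%%.*}; rest=${1#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    ipnum=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    # 4294967295 is 0xFFFFFFFF; shift the all-ones mask left by the host bits
    if [ "$p" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - p)) & 4294967295 ))
    fi
    net=$(( ipnum & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$p"
}

# block_net CIDR: insert a DROP for incoming TCP from CIDR at the top of
# INPUT; with DRY_RUN set, print the command instead. When really applying,
# "iptables -C" first checks whether an identical rule already exists so
# re-running the script does not pile up duplicates.
block_net() {
    net=$1
    if [ -n "$DRY_RUN" ]; then
        printf 'iptables -I INPUT -s %s -p tcp -j DROP\n' "$net"
        return 0
    fi
    iptables -C INPUT -s "$net" -p tcp -j DROP 2>/dev/null ||
        iptables -I INPUT -s "$net" -p tcp -j DROP
}

# block_source ADDR PREFIX: block the PREFIX-sized network around ADDR
block_source() {
    net=$(cidr_net "$1" "$2") || { echo "bad address or prefix: $1/$2" >&2; return 1; }
    block_net "$net"
}

# Usage (dry run, prints the rule without touching the firewall):
#   DRY_RUN=1 ./block_net.sh 193.93.28.98 24
if [ "$#" -eq 2 ]; then
    block_source "$1" "$2"
fi
```

Run it with DRY_RUN=1 first and compare the printed rule with what you expect; only then run it as root. Because the rule is inserted with -I it takes precedence over any earlier ACCEPT, and because it matches only -p tcp it does exactly what the original question describes, nothing more.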
 
Thanks for that info. I'm using Webmin and the Linux Firewall module that is a frontend for iptables. Do you know where I can look that info up on blocking out entire IP ranges? Like you I don't plan on blocking out half the world, instead just keeping it handy for the worst offenders. :)
 
Don't forget to save and script it, because if you reboot, or flush iptables...

Make a script which runs the script 10 minutes after a reboot, so if you made an error you will still have time to correct it.
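The last reply makes two points: the rules are gone after a reboot or a flush unless they are saved, and a change should be applied in a way that gives you time to undo a mistake before it locks you out. As an added example (not the poster's script, and not Webmin's), the script below persists the ruleset with iptables-save and applies a new ruleset behind a rollback timer: the previous rules are snapshotted, the new file is loaded, and a background job reloads the snapshot after N minutes unless you confirm the change from a session that still works. All file paths, the function names and the DRY_RUN switch are my assumptions; with DRY_RUN=1 the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example (not from the thread): keep iptables rules across a reboot and
# apply a changed ruleset behind a rollback timer, so a rule that accidentally
# locks out your own SSH session undoes itself after N minutes unless you
# confirm it. Assumes iptables-save/iptables-restore are installed; every path
# below is an assumption and can be overridden through the environment. With
# DRY_RUN=1 the commands are printed instead of executed, which is how the
# logic can be exercised without root.

RULES_FILE=${RULES_FILE:-/etc/iptables/rules.v4}       # loaded at boot (assumed path)
BACKUP_FILE=${BACKUP_FILE:-/var/backups/iptables.last}  # snapshot taken before a change
PID_FILE=${PID_FILE:-/var/run/iptables-rollback.pid}    # pid of the rollback timer

# run 'COMMAND STRING': print it in dry-run mode, otherwise execute it via
# sh -c so the redirections inside the string take effect
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$1"
    else
        sh -c "$1"
    fi
}

# save_rules: dump the live ruleset to RULES_FILE. Restore it at boot with
# "iptables-restore < RULES_FILE" from an init script, or let a package such
# as iptables-persistent do that for you.
save_rules() {
    run "iptables-save > '$RULES_FILE'"
}

# apply_with_rollback NEW_RULES [MINUTES]: snapshot the live rules, load the
# new file, and start a background timer that reloads the snapshot after
# MINUTES (default 10) unless confirm_rules cancels it first
apply_with_rollback() {
    new=$1; minutes=${2:-10}
    case "$minutes" in ''|*[!0-9]*) echo "minutes must be a number" >&2; return 1 ;; esac
    [ -n "$DRY_RUN" ] || [ -r "$new" ] || { echo "cannot read $new" >&2; return 1; }
    run "iptables-save > '$BACKUP_FILE'"
    run "iptables-restore < '$new'"
    # the subshell's pid is recorded so confirm_rules can kill the timer
    run "( sleep $((minutes * 60)) && iptables-restore < '$BACKUP_FILE' ) & echo \$! > '$PID_FILE'"
    echo "new rules loaded; run confirm_rules within $minutes minutes or they roll back" >&2
}

# confirm_rules: you still have a working session, so cancel the timer and
# persist the new ruleset
confirm_rules() {
    run "kill \"\$(cat '$PID_FILE')\" && rm -f '$PID_FILE'"
    save_rules
}

# Usage:
#   DRY_RUN=1 ./fw-apply.sh apply /path/to/new.rules 10   # see what would run
#   ./fw-apply.sh apply /path/to/new.rules 10             # as root
#   ./fw-apply.sh confirm                                 # from a session that still works
case "${1:-}" in
    apply)   apply_with_rollback "$2" "${3:-10}" ;;
    confirm) confirm_rules ;;
    save)    save_rules ;;
esac
```

The timer is the same idea as the reply's "run the script 10 minutes after reboot", turned around: instead of delaying the rules, apply them at once and delay the undo. Either way the window exists so that a typo in a rule costs you a few minutes rather than a trip to the console.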
 