Mates,

I am trying to configure hosts.deny to deny all access to APNIC IPs. I am also looking for any additional ideas that you have found that work to deny other notorious script kiddie addresses as well. So if you have a good hosts.deny file you wouldn't mind posting or sharing, I would welcome the help.

The APNIC ranges I have found so far come from: http://www.apnic.net/db/ranges.html

The hosts.deny file I have put together from that looks like the following. What is everybody else doing to cut down on the annoying sshd/ftp etc. attempts?

# /etc/hosts.deny
# See 'man tcpd' and 'man 5 hosts_access' as well as /etc/hosts.allow
# for a detailed description.

# Excluded APNIC Ranges
ALL : 210.
ALL : 211.
ALL : 58.
ALL : 60.
ALL : 121.
ALL : 122.
ALL : 126.
ALL : 169.208.
ALL : 196.192.
ALL : 202.
ALL : 203.
ALL : 218.
ALL : 220.
ALL : 222.

--
David C. Rankin, J.D., P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
(936) 715-9333
www.rankinlawfirm.com

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.8.4/363 - Release Date: 6/13/06

--
Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the archives at http://lists.suse.com
Please read the FAQs: suse-linux-e-faq@suse.com
On Wednesday 14 June 2006 19:38, David Rankin wrote:
Mates,
I am trying to configure hosts.deny to deny all access to APNIC IPs. I am also looking for any additional ideas that you have found that work to deny other notorious script kiddie addresses as well. So if you have a good hosts.deny file you wouldn't mind posting or sharing, I would welcome the help.

The APNIC ranges I have found so far come from: http://www.apnic.net/db/ranges.html

The hosts.deny file I have put together from that looks like the following. What is everybody else doing to cut down on the annoying sshd/ftp etc. attempts?

# /etc/hosts.deny
# See 'man tcpd' and 'man 5 hosts_access' as well as /etc/hosts.allow
# for a detailed description.

# Excluded APNIC Ranges
ALL : 210.
ALL : 211.
ALL : 58.
ALL : 60.
ALL : 121.
ALL : 122.
ALL : 126.
ALL : 169.208.
ALL : 196.192.
ALL : 202.
ALL : 203.
ALL : 218.
ALL : 220.
ALL : 222.
Isn't it true that hosts.deny will only be used when someone has gotten by your firewall? Given that, what is your firewall allowing into your network?
Bruce Marshall wrote:
Isn't it true that hosts.deny will only be used when someone has gotten by your firewall?
Yes, that is correct. For non-public services I would personally go for deny all, then allow individual services and/or networks. For public services, I wouldn't bother with blocking e.g. IP ranges, but instead secure those services against attacks.

/Per Jessen, Zürich
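The following is an added example, not code from this thread or from tcp_wrappers, to make the difference between the two approaches concrete. It emulates the hosts_access(5) decision order (hosts.allow is consulted first, then hosts.deny, and a client matching neither is allowed; a missing file counts as empty) for the pattern forms that appear in this thread's files: the ALL keyword, a trailing-dot prefix such as 210., and a net/mask pair. Hostnames, wildcards, EXCEPT and the shell-command field are deliberately left out, and the sample files, daemon names and the directory argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal emulation of the
# hosts_access(5) decision order, enough to compare "hosts.deny only" with
# "deny all, then allow" without touching /etc.
# Assumptions (this example's own): only the ALL keyword, trailing-dot
# prefixes ("210.") and net/mask pairs ("10.0.0.0/255.0.0.0") are recognised;
# hostnames, wildcards, EXCEPT and the optional shell-command field are ignored.

# ip_to_int 10.1.2.3 -> 167838211 (dotted quad as a 32-bit integer)
ip_to_int() {
    IFS=.
    set -- $1
    unset IFS
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# pattern_matches PATTERN CLIENT_IP -> exit 0 when the client matches
pattern_matches() {
    pat=$1; ip=$2
    case $pat in
        ALL) return 0 ;;
        */*)                       # net/mask form: compare the masked addresses
            net=${pat%/*}; mask=${pat#*/}
            [ $(( $(ip_to_int "$ip") & $(ip_to_int "$mask") )) -eq \
              $(( $(ip_to_int "$net") & $(ip_to_int "$mask") )) ] ;;
        *.)                        # trailing dot: textual prefix of the dotted quad
            case $ip in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
        *)                         # plain address: exact match
            [ "$ip" = "$pat" ] ;;
    esac
}

# file_matches FILE DAEMON CLIENT_IP -> exit 0 if any "daemons : clients" line matches
file_matches() {
    acl=$1; svc=$2; client=$3
    [ -r "$acl" ] || return 1      # a missing file is treated as empty
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        daemons=${line%%:*}; rest=${line#*:}; clients=${rest%%:*}
        for dm in $daemons; do
            [ "$dm" = ALL ] || [ "$dm" = "$svc" ] || continue
            for cl in $clients; do
                if pattern_matches "$cl" "$client"; then return 0; fi
            done
        done
    done < "$acl"
    return 1
}

# hosts_access DAEMON CLIENT_IP [CONFDIR] -> prints ALLOW or DENY in the order
# tcpd/libwrap use: hosts.allow first, then hosts.deny, otherwise allow.
hosts_access() {
    dir=${3:-/etc}
    if file_matches "$dir/hosts.allow" "$1" "$2"; then echo ALLOW
    elif file_matches "$dir/hosts.deny" "$1" "$2"; then echo DENY
    else echo ALLOW
    fi
}

# Constructed sample configurations (written to the given directory, not /etc).
write_deny_only() {        # the original post's approach, abbreviated
    : > "$1/hosts.allow"
    printf '%s\n' '# Excluded APNIC Ranges' 'ALL : 210.' 'ALL : 202.' > "$1/hosts.deny"
}
write_default_deny() {     # deny all, then allow per service and network
    printf '%s\n' 'sshd : 192.168.1.0/255.255.255.0' 'smtpd httpd : ALL' > "$1/hosts.allow"
    printf '%s\n' 'ALL : ALL' > "$1/hosts.deny"
}

# Demonstration: unlisted clients pass the deny-only file; the default-deny pair
# admits only what hosts.allow names, per service.
demo_dir=$(mktemp -d)
write_deny_only "$demo_dir"
echo "deny-only:    sshd  from 210.1.2.3    -> $(hosts_access sshd 210.1.2.3 "$demo_dir")"    # DENY
echo "deny-only:    sshd  from 66.249.1.1   -> $(hosts_access sshd 66.249.1.1 "$demo_dir")"   # ALLOW
write_default_deny "$demo_dir"
echo "default-deny: sshd  from 210.1.2.3    -> $(hosts_access sshd 210.1.2.3 "$demo_dir")"    # DENY
echo "default-deny: sshd  from 192.168.1.20 -> $(hosts_access sshd 192.168.1.20 "$demo_dir")" # ALLOW
echo "default-deny: smtpd from 210.1.2.3    -> $(hosts_access smtpd 210.1.2.3 "$demo_dir")"   # ALLOW
rm -rf "$demo_dir"
```

The first configuration shows what a hosts.deny-only file does: every address that is not listed is allowed to every wrapped service. The second names the reachable networks per service in hosts.allow and closes everything else with ALL : ALL, which is the "deny all, then allow" pattern; the public smtpd stays open to ALL and has to be hardened on its own. For checking real files, tcp_wrappers ships tcpdmatch(8) (for example tcpdmatch sshd 210.1.2.3). Either way these files are only consulted by daemons started through tcpd or linked against libwrap, so the firewall still sees the packet first.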
From: "Per Jessen" <per@computer.org>
Bruce Marshall wrote:
Isn't it true that hosts.deny will only be used when someone has gotten by your firewall?
Yes, that is correct.
For non-public services I would personally go for deny all, then allow individual services and/or networks. For public services, I wouldn't bother with blocking e.g. IP-ranges, but instead secure those services against attacks.
Thanks Per, that's what I've done. It's just annoying seeing all the APNIC IP attempts at getting in. So far no one has gotten in, but I want to stop them from knocking on the door. Rejecting the most notorious IPs seemed like a logical protection to put in place...

--
David C. Rankin, J.D., P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
(936) 715-9333
www.rankinlawfirm.com
From: "Bruce Marshall" <bmarsh@bmarsh.com>
Isn't it true that hosts.deny will only be used when someone has gotten by your firewall?
Given that, what is your firewall allowing into your network?
ssh/ftp/pptp/imaps/http/smtp, and Bruce you are correct, thus the reason for the need for the hosts.deny config.

--
David C. Rankin, J.D., P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
(936) 715-9333
www.rankinlawfirm.com
On Thursday 15 June 2006 09:41, David Rankin wrote:
From: "Bruce Marshall" <bmarsh@bmarsh.com>
Isn't it true that hosts.deny will only be used when someone has gotten by your firewall?
Given that, what is your firewall allowing into your network?
ssh/ftp/pptp/imaps/http/smtp, and Bruce you are correct, thus the reason for the need for the hosts.deny config
Are these things that just you want access to? (Or let's say a small group of people?) I put my ssh on a high port that would take a script kiddy a while to find.
On Wednesday, 14 June 2006 18:38, David Rankin wrote:
Mates,
I am trying to configure hosts.deny to deny all access to APNIC IPs. I am also looking for any additional ideas that you have found that work to deny other notorious script kiddie addresses as well. So if you have a good hosts.deny file you wouldn't mind posting or sharing, I would welcome the help. The APNIC ranges I have found so far come from: http://www.apnic.net/db/ranges.html The hosts.deny file I have put together from that looks like the following. What is everybody else doing to cut down on the annoying sshd/ftp etc. attempts?
I trust you plan to never do business with anyone in the Asian and Pacific parts of the globe, including Australia and New Zealand....
Hi,

I came across this thread while re-organizing my inbox. But, to block access from certain IP address ranges, I would suggest you use a "blocking route" with the "route" command. The man page has a good explanation of how it works, with an example:

route add -net 10.0.0.0 netmask 255.0.0.0 reject

This way, you can block access at the Layer 3 (IP) level without the packets coming through TCP/IP and then reaching xinetd. Just my idea. By the way, I haven't tested this command though.

Toshi

On Wed, 2006-06-14 at 18:38 -0500, David Rankin wrote:
Mates,
I am trying to configure hosts.deny to deny all access to APNIC IPs. I am also looking for any additional ideas that you have found that work to deny other notorious script kiddie addresses as well. So if you have a good hosts.deny file you wouldn't mind posting or sharing, I would welcome the help.

The APNIC ranges I have found so far come from: http://www.apnic.net/db/ranges.html

The hosts.deny file I have put together from that looks like the following. What is everybody else doing to cut down on the annoying sshd/ftp etc. attempts?

# /etc/hosts.deny
# See 'man tcpd' and 'man 5 hosts_access' as well as /etc/hosts.allow
# for a detailed description.

# Excluded APNIC Ranges
ALL : 210.
ALL : 211.
ALL : 58.
ALL : 60.
ALL : 121.
ALL : 122.
ALL : 126.
ALL : 169.208.
ALL : 196.192.
ALL : 202.
ALL : 203.
ALL : 218.
ALL : 220.
ALL : 222.
On Monday 10 July 2006 02:52, Toshi Esumi wrote:
Hi, I came across this thread while re-organizing my inbox. But, to block access from certain IP address ranges, I would suggest you use a "blocking route" with the "route" command. The man page has a good explanation of how it works, with an example:
route add -net 10.0.0.0 netmask 255.0.0.0 reject
This way, you can block access at the Layer 3 (IP) level without the packets coming through TCP/IP and then reaching xinetd. Just my idea. By the way, I haven't tested this command though.
This would be for outgoing routes, so you would get SYN packets coming through, but the responses would fail.

Much better, then, to use iptables, since this is what iptables does. For example:

iptables -I INPUT -s 10.0.0.0/8 -j DROP
Toshi
On Wed, 2006-06-14 at 18:38 -0500, David Rankin wrote:
Mates,
I am trying to configure hosts.deny to deny all access to APNIC IPs. I am also looking for any additional ideas that you have found that work to deny other notorious script kiddie addresses as well. So if you have a good hosts.deny file you wouldn't mind posting or sharing, I would welcome the help.

The APNIC ranges I have found so far come from: http://www.apnic.net/db/ranges.html

The hosts.deny file I have put together from that looks like the following. What is everybody else doing to cut down on the annoying sshd/ftp etc. attempts?

# /etc/hosts.deny
# See 'man tcpd' and 'man 5 hosts_access' as well as /etc/hosts.allow
# for a detailed description.

# Excluded APNIC Ranges
ALL : 210.
ALL : 211.
ALL : 58.
ALL : 60.
ALL : 121.
ALL : 122.
ALL : 126.
ALL : 169.208.
ALL : 196.192.
ALL : 202.
ALL : 203.
ALL : 218.
ALL : 220.
ALL : 222.
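To make Anders' point concrete, here is an added example (not code from the thread) that turns a hosts.deny-style prefix list into iptables INPUT rules, so that the unwanted source is dropped on the inbound packet rather than being discovered only when the reply cannot be routed. The conversion from the trailing-dot prefix form to a CIDR, the chain name BLOCKLIST, the helper names and the sample list are this example's own assumptions; the iptables options used (-N, -F, -A, -D, -I, -s, -j DROP/RETURN) are standard.

```shell
#!/bin/sh
# Added example, not from the thread: turn a hosts.deny-style prefix list into
# iptables INPUT rules, so unwanted sources are dropped before sshd, xinetd or
# libwrap ever see the connection. A "reject" route only changes where this
# host routes packets *to* (replies fail, but the inbound SYN still arrives);
# iptables -I INPUT matches the inbound packet itself.
# Assumptions (this example's own): the chain name BLOCKLIST and the sample list.

# prefix_to_cidr ENTRY -> a CIDR/mask string that iptables -s accepts
#   210.        -> 210.0.0.0/8        (hosts_access trailing-dot prefix)
#   169.208.    -> 169.208.0.0/16
#   203.0.113.7 -> 203.0.113.7/32     (bare address)
#   10.0.0.0/8  -> 10.0.0.0/8         (already CIDR or net/mask: passed through)
prefix_to_cidr() {
    p=$1
    case $p in */*) echo "$p"; return 0 ;; esac
    p=${p%.}
    case $p in ''|*[!0-9.]*|*..*) echo "bad prefix: $1" >&2; return 1 ;; esac
    dots=$(printf '%s' "$p" | tr -cd . | wc -c | tr -d ' ')
    octets=$((dots + 1))
    [ "$octets" -le 4 ] || { echo "bad prefix: $1" >&2; return 1; }
    bits=$((octets * 8))
    while [ "$octets" -lt 4 ]; do p="$p.0"; octets=$((octets + 1)); done
    echo "$p/$bits"
}

# gen_block_rules [CHAIN] < list -> prints the iptables commands (dry run).
# The list has one entry per line; '#' starts a comment, blank lines are ignored.
# A dedicated chain keeps the block list apart from the service rules, and
# "-I INPUT 1" places the jump ahead of any ACCEPT rule for ssh/ftp/smtp/etc.
gen_block_rules() {
    chain=${1:-BLOCKLIST}
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    while IFS= read -r entry; do
        entry=${entry%%#*}
        set -- $entry                 # word-splitting trims surrounding whitespace
        [ $# -eq 0 ] && continue
        cidr=$(prefix_to_cidr "$1") || continue
        echo "iptables -A $chain -s $cidr -j DROP"
    done
    echo "iptables -A $chain -j RETURN"
    echo "iptables -D INPUT -j $chain 2>/dev/null"   # keep re-runs from stacking jumps
    echo "iptables -I INPUT 1 -j $chain"
}

# Constructed sample list (an excerpt in the style of the original post).
SAMPLE_LIST='# constructed sample, not the full APNIC list
210.
169.208.
10.0.0.0/8
203.0.113.7
'

# Dry run by default; APPLY=1 pipes the generated commands into a shell (run as root).
if [ "${APPLY:-0}" = 1 ]; then
    printf '%s' "$SAMPLE_LIST" | gen_block_rules | sh
else
    printf '%s' "$SAMPLE_LIST" | gen_block_rules
fi
```

Run as is, it prints the eight iptables commands for the sample list; APPLY=1 executes them. Because the match is on the inbound packet in the INPUT chain, the SYN never reaches sshd, ftpd or xinetd, which is the difference from both the reject route and a hosts.deny entry. Sargon's caveat applies to whatever goes into the list: a /8 drops every host in that block, legitimate or not, so keep the list short and review it.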
participants (6):
- Anders Johansson
- Bruce Marshall
- David Rankin
- Per Jessen
- Sargon
- Toshi Esumi