Ruminations on an SSH attack

Jeff Kinz jkinz at kinz.org
Mon Dec 19 14:28:01 EST 2005


On Mon, Dec 19, 2005 at 01:21:12PM -0500, Bruce Dawson wrote:
> Ben Scott wrote:
> 
> >On 12/19/05, Bruce Dawson <jbd at codemeta.com> wrote:
> >  
> >
> >>I wish there was something like RBL that listed bogons so I could
> >>block them. A lot of attacks lately have been coming from them.
> >>    
> >>
> >
> >http://www.cymru.com/Bogons/
> >
> >I'm not sure those are the bogons you are looking for, though.
> >  
> >
> They are.
> 
> And this could cut down on the spam coming from bogons (for those who 
> use sendmail):
> 
>     FEATURE(dnsbl, `bogons.dnsiplists.completewhois.com',
>     `$&{client_addr} blocked by firewall, source IP not assigned (Bogon).'
> 
> (Courtesy of 
> http://moongroup.com/pipermail/mailhelp/2004-October/001449.html)
> 
> But I guess a better place to stop them would be in tcpwrappers or even 
> the firewall, but I haven't figured out a way to wedge something like 
> RBL into tcpwrappers or iptables/ipchains. Any ideas?

For blocking bogons w/iptables I use:
iptables -A INPUT  -i $INTERNET_IF -s 0.0.0.0/7   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 2.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 5.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 7.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 10.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 23.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 27.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 31.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 36.0.0.0/7   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 39.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 42.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 49.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 50.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 77.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 78.0.0.0/7   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 92.0.0.0/6   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 96.0.0.0/4   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 112.0.0.0/5   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 120.0.0.0/6   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 127.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 169.254.0.0/16   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 172.16.0.0/12   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 173.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 174.0.0.0/7   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 176.0.0.0/5   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 184.0.0.0/6   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 192.0.2.0/24   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 192.168.0.0/16   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 197.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 198.18.0.0/15   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 223.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 224.0.0.0/3   -j DROP

This bogon list is from:
http://www.cymru.com/Bogons/
The aggregated list:
http://www.cymru.com/Documents/bogon-bn-agg.txt

To get logging, copy each line and replace "-j DROP" with
-j LOG --log-level debug  --log-prefix "Bogon ip drop"

To implement an RBL at the firewall, I would do a zone transfer
(periodically) from an RBL, dump it and sed it into iptables statements.


-- 
Jeff Kinz, Emergent Research, Hudson, MA.
speech recognition software may have been used to create this e-mail

"The greatest dangers to liberty lurk in insidious encroachment by men
of zeal, well-meaning but without understanding." - Brandeis

To think contrary to one's era is heroism. But to speak against it is
madness. -- Eugene Ionesco
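A worked example of the "dump it and turn it into iptables statements" step described in the post, added here and not part of the thread: it parses a bogon list in the one-prefix-per-line format of the Cymru aggregated file (the list embedded below is a constructed sample, not the real file), discards comments and malformed lines, and emits a LOG plus DROP pair per prefix into a dedicated chain (the chain name BOGONS, the interface argument and the use of `iptables -C` to avoid duplicate hooks are this example's own choices). It prints the commands rather than running them so they can be reviewed first; since a static list like the one in the post goes stale as address space is allocated, the point is to regenerate from the current list rather than hand-maintain the rules.

```shell
#!/bin/sh
# Constructed sample in the cymru text format: '#' comments, one CIDR per
# line. Stand-in for bogon-bn-agg.txt, not a copy of the real list.
BOGON_SAMPLE='# sample bogon list (constructed)
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
not-a-prefix
224.0.0.0/3'

# Print the CIDR prefixes from a list, dropping comments, blank lines and
# anything that is not a dotted quad followed by a prefix length.
bogon_prefixes() {
    printf '%s\n' "$1" | grep -v '^#' \
        | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# Emit the rules for one prefix: LOG first (same prefix string as the post
# suggests), then DROP, both in the BOGONS chain (hypothetical chain name).
rules_for_prefix() {
    printf 'iptables -A BOGONS -s %s -j LOG --log-level debug --log-prefix "Bogon ip drop "\n' "$1"
    printf 'iptables -A BOGONS -s %s -j DROP\n' "$1"
}

# Generate the whole rule set: create or flush the chain, one LOG+DROP pair
# per prefix, then hook the chain into INPUT on the given interface once.
generate_bogon_rules() {
    list="$1"; iface="$2"
    printf 'iptables -N BOGONS 2>/dev/null || iptables -F BOGONS\n'
    bogon_prefixes "$list" | while read -r p; do rules_for_prefix "$p"; done
    printf 'iptables -C INPUT -i %s -j BOGONS 2>/dev/null || iptables -A INPUT -i %s -j BOGONS\n' \
        "$iface" "$iface"
}

# Number of prefixes accepted from a list (sanity check before loading).
count_prefixes() { bogon_prefixes "$1" | wc -l | tr -d ' '; }
```

Run it as `generate_bogon_rules "$(cat bogon-bn-agg.txt)" "$INTERNET_IF" | sh` once the output has been inspected; the flush-and-reload shape makes a periodic cron refresh safe.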



More information about the gnhlug-discuss mailing list