Ruminations on an SSH attack
Jeff Kinz
jkinz at kinz.org
Mon Dec 19 14:28:01 EST 2005
On Mon, Dec 19, 2005 at 01:21:12PM -0500, Bruce Dawson wrote:
> Ben Scott wrote:
>
> >On 12/19/05, Bruce Dawson <jbd at codemeta.com> wrote:
> >
> >
> >>I wish there was something like RBL that listed bogons so I could
> >>block them. A lot of attacks lately have been coming from them.
> >>
> >>
> >
> >http://www.cymru.com/Bogons/
> >
> >I'm not sure those are the bogons you are looking for, though.
> >
> >
> They are.
>
> And this could cut down on the spam coming from bogons (for those who
> use sendmail):
>
> FEATURE(dnsbl, `bogons.dnsiplists.completewhois.com',
> `$&{client_addr} blocked by firewall, source IP not assigned (Bogon).'
>
> (Courtesy of
> http://moongroup.com/pipermail/mailhelp/2004-October/001449.html)
>
> But I guess a better place to stop them would be in tcpwrappers or even
> the firewall, but I haven't figured out a way to wedge something like
> RBL into tcpwrappers or iptables/ipchains. Any ideas?
For blocking bogons w/iptables I use:
iptables -A INPUT -i $INTERNET_IF -s 0.0.0.0/7 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 2.0.0.0/8 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 5.0.0.0/8 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 7.0.0.0/8 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 23.0.0.0/8 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 27.0.0.0/8 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 31.0.0.0/8 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 36.0.0.0/7 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 39.0.0.0/8 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 42.0.0.0/8 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 49.0.0.0/8 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 50.0.0.0/8 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 77.0.0.0/8 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 78.0.0.0/7 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 92.0.0.0/6 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 96.0.0.0/4 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 112.0.0.0/5 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 120.0.0.0/6 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 169.254.0.0/16 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 173.0.0.0/8 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 174.0.0.0/7 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 176.0.0.0/5 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 184.0.0.0/6 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 192.0.2.0/24 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 197.0.0.0/8 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 198.18.0.0/15 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 223.0.0.0/8 -j DROP
iptables -A INPUT -i $INTERNET_IF -s 224.0.0.0/3 -j DROP
This bogon list is from:
http://www.cymru.com/Bogons/
The aggregated list:
http://www.cymru.com/Documents/bogon-bn-agg.txt
To get logging copy each line and replace "-j DROP" with
-j LOG --log-level debug --log-prefix "Bogon ip drop"
To implement an RBL at the firewall, I would do a zone transfer
(periodically) from an RBL, dump it and sed it into iptables statements.
--
Jeff Kinz, Emergent Research, Hudson, MA.
speech recognition software may have been used to create this e-mail
"The greatest dangers to liberty lurk in insidious encroachment by men
of zeal, well-meaning but without understanding." - Brandeis
To think contrary to one's era is heroism. But to speak against it is
madness. -- Eugene Ionesco
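The rule generator the message sketches (read the aggregated bogon list, emit an iptables statement per prefix, with the LOG variant beside each DROP), written out as an added example that is not from the original message. The BOGONS chain name, the INTERNET_IF default and the sample list contents are assumptions; the real input is bogon-bn-agg.txt.

```shell
#!/bin/sh
# Added example: turn a Team Cymru style aggregated bogon list (one CIDR per
# line, '#' comments) into iptables rules in a dedicated chain, with a LOG
# rule before each DROP so hits show up in the kernel log. Prints the rules;
# pipe into sh to apply. Chain name, interface default and the sample list
# are constructed for illustration, not taken from the original post.
INTERNET_IF="${INTERNET_IF:-eth0}"
CHAIN="BOGONS"

# Constructed sample in the aggregated-list format (not the real list).
SAMPLE_LIST='# aggregated bogon list (constructed sample)
0.0.0.0/7
10.0.0.0/8
127.0.0.0/8
192.0.2.0/24
224.0.0.0/3
not-a-prefix
'

# is_cidr PREFIX: succeeds only for a.b.c.d/len with octets 0-255, len 0-32.
is_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF==5 { ok=1
                for (i=1;i<=4;i++) if ($i !~ /^[0-9]+$/ || $i>255) ok=0
                if ($5 !~ /^[0-9]+$/ || $5>32) ok=0
                exit (ok ? 0 : 1) }
        { exit 1 }'
}

# gen_bogon_rules < list: emits chain setup, then a LOG + DROP pair per prefix,
# skipping comments, blank lines and anything that is not a valid IPv4 prefix.
gen_bogon_rules() {
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    echo "iptables -D INPUT -i $INTERNET_IF -j $CHAIN 2>/dev/null"
    echo "iptables -I INPUT -i $INTERNET_IF -j $CHAIN"
    while IFS= read -r line; do
        prefix="${line%%#*}"                         # drop trailing comment
        prefix="$(printf '%s' "$prefix" | tr -d '[:space:]')"
        [ -n "$prefix" ] || continue
        if ! is_cidr "$prefix"; then
            echo "# skipped invalid entry: $prefix"
            continue
        fi
        echo "iptables -A $CHAIN -s $prefix -j LOG --log-level debug --log-prefix \"Bogon ip drop \""
        echo "iptables -A $CHAIN -s $prefix -j DROP"
    done
}

# count_drop_rules < list: number of DROP rules produced (one per valid prefix).
count_drop_rules() {
    gen_bogon_rules | grep -c -- '-j DROP'
}

printf '%s' "$SAMPLE_LIST" | gen_bogon_rules
```

Regenerating the rules after each refresh of the aggregated list (or of a dumped RBL zone) keeps the chain current without touching the rest of the INPUT policy.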