Re: Kornet's Last Hack
On 2004-11-27, Cameron L. Spitzer <spambait@merde.greens.org> wrote:
>
> And what I said about .KR and .CN goes for Turkey, Israel,
> Taiwan, Nigeria, and Russia as well. If there is a responsibly
> run ISP in any of those nations, I have yet to hear of it.
> If they connect, they're sending spam or probing for ways to send spam.
> Wall them off and forget about them.
> Better at the router or iptables than after they've
> connected to a socket on my server.
> Non-criminals in those nations will learn to use email hosts
> off-shore until significant changes occur.
>

Having the root passwords on the perimeter firewalls/routers (I work for an ISP) I am regularly maintaining the blacklists and peerings, well rather the de-peerings :)

We mainly block on remote proxy abuse, our customer base is insecure enough without having the 'bad guys' toying with their machines too.

Cheers
Alex

In article <pan.2004.11.27.10.06.37.991826@idontlike.spam>, jafar wrote:

>Is it possible to block entire countries from access to your machine?

Absolutely? No. Nearly all? Certainly.

>Personally, I would like to block Korea, China and Latvia as the sources
>of most the skript kiddie's attacks on my machine.

You could snarf the zone files from the RIRs, and identify which block is associated with which country, but that's a daunting task. Currently, the four RIRs identify 189 (out of 249) two letter 'country codes'. But blocks are not allocated in 'country' groupings, and MAY be allocated from more than one RIR.

[compton ~]$ zgrep -c KR IP.ADDR/stats/[ALR]*
IP.ADDR/stats/APNIC.gz:285
IP.ADDR/stats/ARIN.gz:21
IP.ADDR/stats/LANIC.gz:0
IP.ADDR/stats/RIPE.gz:0
[compton ~]$ zgrep -c CN IP.ADDR/stats/[ALR]*
IP.ADDR/stats/APNIC.gz:752
IP.ADDR/stats/ARIN.gz:3
IP.ADDR/stats/LANIC.gz:0
IP.ADDR/stats/RIPE.gz:0
[compton ~]$ zgrep -c LV IP.ADDR/stats/[ALR]*
IP.ADDR/stats/APNIC.gz:0
IP.ADDR/stats/ARIN.gz:0
IP.ADDR/stats/LANIC.gz:0
IP.ADDR/stats/RIPE.gz:83
[compton ~]$

Above, you see Korea (KR) and China (CN) being allocated bunches of blocks out of APNIC and ARIN. Poor Latvia only has 83 blocks allocated by RIPE, but even they are scattered all over:

[compton ~]$ zgrep LV IP.ADDR/stats/RIPE.gz | cut -d'.' -f1 | uniq -c | column
      5 LV 62         2 LV 82        19 LV 193        2 LV 212
      7 LV 80         5 LV 83        10 LV 194        5 LV 213
      2 LV 81         2 LV 84        17 LV 195        7 LV 217
[compton ~]$

You could look at www.blackholes.us but even those lists aren't complete.

>Kornet, while being a pain in the butt, is not the only problem.

Korea wanted to be a major player in the information age, and installed broadband connections to everywhere. The home users are as clueless as any, meaning their systems are r00ted all the time. When they installed systems in the schools, they also didn't waste any time locking them down, with identical results. Even the ISPs are basically clueless, so many commercial systems are r00ted, or leased out to anyone who will pay. The latter is China's problem too.

Old guy

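Added example, not part of the original posts: one way to do the per-country lookup described in the post above, reading records in the RIRs' published delegated-statistics layout (`registry|cc|type|start|value|date|status`) and emitting iptables DROP rules. The layout of the poster's local IP.ADDR/stats files is not shown on the page, so that format is an assumption here, the function names are hypothetical, and the sample records are constructed from documentation address ranges.

```python
"""Added example: RIR delegated-stats records -> per-country iptables rules."""
import ipaddress

# Constructed sample (documentation ranges only), in the assumed layout
# registry|cc|type|start|value|date|status
SAMPLE = """\
2|apnic|20041127|4|19830613|20041126|+1000
apnic|*|ipv4|*|3|summary
apnic|KR|ipv4|198.51.100.0|128|20040101|allocated
apnic|KR|ipv4|198.51.100.128|128|20040101|allocated
apnic|CN|ipv4|203.0.113.0|192|20040101|assigned
ripencc|LV|ipv4|192.0.2.0|256|20040101|allocated
apnic|KR|ipv6|2001:db8::|32|20040101|allocated
"""


def country_networks(text, countries):
    """Return collapsed IPv4 networks delegated to the given country codes."""
    wanted = {c.upper() for c in countries}
    nets = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        # Skips the version header, summary lines, ipv6/asn records
        # and records for other countries.
        if len(f) < 7 or f[2] != "ipv4" or f[1] not in wanted:
            continue
        first = ipaddress.IPv4Address(f[3])
        # For ipv4 the value field is an address count, not a prefix length.
        # It need not be a power of two, so one record can need several CIDRs.
        last = first + (int(f[4]) - 1)
        nets.extend(ipaddress.summarize_address_range(first, last))
    # Merge adjacent and overlapping blocks to keep the rule count down.
    return list(ipaddress.collapse_addresses(nets))


def iptables_rules(nets, chain="INPUT"):
    """Render one DROP rule per network."""
    return [f"iptables -A {chain} -s {n} -j DROP" for n in nets]


if __name__ == "__main__":
    for rule in iptables_rules(country_networks(SAMPLE, ["KR", "CN", "LV"])):
        print(rule)
```

The two adjacent KR records collapse into a single /24, while the 192-address CN record has to be split into a /25 plus a /26.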
On Sat, 27 Nov 2004 11:06:40 +0100, jafar <nomorev14gra@idontlike.spam> wrote:

>Is it possible to block entire countries from access to your machine?

http://ip.ludost.net/

In article <slrncqhrrh.hrl.allan_wind@pawan.dyndns.org>, Allan Wind wrote:
>
> Another target to block is DUL, but it is really annoying being targeted
> just because fixed IP bandwidth is cost prohibitive.

Fixed IP bandwidth costs more because it's worth more. You're not being "targeted"; your criminally negligent Internet provider is being boycotted.

The big consumer ISPs have chosen to have a price war instead of competing in areas like customer service and security. Cable modem service is the cheapest edge bandwidth there is, and the corners they cut to operate at that price cost the rest of us.

If you don't like the neighborhood you're in, do something about it. Move, complain to Comcast, get a smarthost in a better neighborhood. But don't complain about it to the people your ISP abuses through its negligence.

Cameron

I demand that on Sat, 27 Nov 2004 18:15:24 -0800, buck may or may not have written:

> On Sat, 27 Nov 2004 11:06:40 +0100, jafar
> <nomorev14gra@idontlike.spam> wrote:
>
>>Is it possible to block entire countries from access to your machine?
>
> http://ip.ludost.net/

Thanks. It was trivial to create iptables rules to block 486 ip addresses from my machine with that site :)

--
Jafar Calley
-----BEGIN GEEK CODE BLOCK-----
d+ s-:+ a C++++ L++ E--- W++ N++ w-- PE- t* 5++ R+ !tv D+ G e* h---- x?
------END GEEK CODE BLOCK------
Registered Linux User #359623
http://fatcat.homelinux.org

I demand that on Sat, 27 Nov 2004 18:56:58 -0600, Moe Trin may or may not have written:

> In article <pan.2004.11.27.10.06.37.991826@idontlike.spam>, jafar wrote:
>
>>Is it possible to block entire countries from access to your machine?
>
> Absolutely? No. Nearly all? Certainly.
>
>>Personally, I would like to block Korea, China and Latvia as the sources
>>of most the skript kiddie's attacks on my machine.
>
> You could snarf the zone files from the RIRs, and identify which block is
> associated with which country, but that's a daunting task.

Indeed, but buck's post has a useful URL to take the pain out of doing it. It may not be 100% complete, but it should take some of my pain away :)

>>Kornet, while being a pain in the butt, is not the only problem.
>
> Korea wanted to be a major player in the information age, and installed
> broadband connections to everywhere. The home users are as clueless as
> any, meaning their systems are r00ted all the time. When they installed
> systems in the schools, they also didn't waste any time locking them
> down, with identical results. Even the ISPs are basically clueless, so
> many commercial systems are r00ted, or leased out to anyone who will pay.
> The latter is China's problem too.

Well said and it explains why most of the attacks "seem" to originate from those countries. Not to worry. None of them ever visit my webpage to look at my Mars pics according to my weblogs. They only ever seem to try and crack my security so I don't mind blocking them. ;)

--
Jafar Calley
-----BEGIN GEEK CODE BLOCK-----
d+ s-:+ a C++++ L++ E--- W++ N++ w-- PE- t* 5++ R+ !tv D+ G e* h---- x?
------END GEEK CODE BLOCK------
Registered Linux User #359623
http://fatcat.homelinux.org