This is a discussion on Use iptables to block all non-US ssh traffic within the Linux Security forums, part of the System Security and Security Related category.
matt_left_coast wrote:
> base60 wrote:
>
>>matt_left_coast wrote:
>>
>>>Greg Metcalfe wrote:
>>>
>>>>matt_left_coast wrote:
>>>><snip>
>>>>Tons of stuff. About a 9.2 on the open-ended Shrieker Scale. You do
>>>>realize that all-caps means you're shouting, right? You may want to use
>>>>The Great Runes sparingly. Otherwise what you're trying to say gets lost
>>>>in the way you're saying it.
>>>
>>>Oh, it's the net nanny! If what I said from the very first had been read,
>>>EMPHASES would not have been needed.
>>
>>Sorry, this is too good to pass....
>>
>>Dude, ah, you spelled "EMPHASES" wrong.... it's "emphasis"
>>
>>Even though you don't mean it, you really are a funny guy :)
>
> Guess I was wrong in that post I just canceled, you did NOT get something
> right. Emphases is the PLURAL of emphasis.
>
> From "The Collaborative International Dictionary of English":
>
> emphasis \em"pha*sis\ ([e^]m"f[.a]*s[i^]s), n.; pl. Emphases <----------
> ([e^]m"f[.a]*s[=e]z). [L., fr. Gr. 'e`mfasis significance,
> force of expression, fr. 'emfai`nein to show in, indicate;
> 'en in + fai`nein to show. See In, and Phase.]
>
> From the "Merriam-Webster Online" dictionary
>
> Main Entry: em·pha·sis
> Pronunciation: 'em(p)-f&-s&s
> Function: noun
> Inflected Form(s): plural em·pha·ses /-"sEz/ <--------------------
> Etymology: Latin, from Greek, exposition, emphasis, from emphainein to
> indicate, from en- + phainein to show -- more at FANCY
> 1 a : force or intensity of expression that gives impressiveness or
> importance to something b : a particular prominence given in reading or
> speaking to one or more words or syllables
>
> Since I did use more than one emphasis, the use of the plural form emphases
> is indeed correct and you, as usual and expected, are wrong, AGAIN.
>
> Bwahahahahahahahahah, as hard as you try, I would think that even YOU would
> realize that you are always WRONG. Bet you think you get "French Benefits"
> at work, right? Emphases intended. bwahahahahah.

Can't you children take this off line?

--
----------------
Barton L. Phillips
Applied Technology Resources, Inc.
Tel: (818)652-9850
Web: http://www.applitec.com
In the Usenet newsgroup comp.os.linux.security, in article
<dgmhui$etl$1@news.tamu.edu>, Chris Barnes wrote:

>(posting after having read what has now become a quite long thread)

Yeah, it kicked up even more flames than I expected.

>Ok, fair enough. So maybe I was asking from the wrong direction.
>Perhaps what I should do is ask in the reverse. Ie.
>We want to block everyone except those ranges where the site is
>*predominately* in the US. I suspect that the list is much shorter.

Right idea - but still not quite there. There are about 69000 assignments world wide - and of those, 31257 are in the US. You'll still want to narrow it down to "where my people come from" addresses, rather than "all of the USA". For example, using a tac-nuke (block 48/5, 56/6, 60/7, 62/8, 80/4, 96/3, 189/8, 190/8, 193/8, 194/7, 200/6, 210/7, 212/7, 217/8, 218/7, 220/6 what's that, 16 rules?) will cut you off from much of the non-US. The other side of the coin would be to allow 24/8, 63/8, 64/4, 192/8, 196/6, 204/6, 208/7, and 216/8 - 8 rules - but you still have to deal with things like the mess of 128/2 in either case which is allocated all over the place.

>Keep in mind, that I'm not terribly concerned with accidentally
>blocking someone legitimate. After all, as others have said, the legit
>person would then complain and I could then allow that site.

Yup - depends a bit how loud they complain, and how fast you can respond, but that is about the best that can be done.

>Keep in mind, this is ONLY for ssh (port 22) access. Most of the other
>ports are blocked completely already.

You don't have to block ports that are already closed. Very few people are running a 'gopher' server, so port 70 isn't likely to be open and therefore need not be blocked.

Old guy
In the Usenet newsgroup comp.os.linux.security, in article
<dgmoql$kl2$1@news.tamu.edu>, Chris Barnes wrote:

>Frankly, I wouldn't care a whit if some of the blocked addresses are used
>in the US. What matters is where *MY USERS* might be coming from. That
>is a finite number and even for "world traveler physics professors", the
>list isn't all that exhaustive.

That's a whole different kettle of fish, and is _relatively_ easier. First, have every person you expect to connect remotely (I'm assuming predominantly from home), and look at the addresses in the headers. Look _those_ addresses up at ARIN - lather, rinse, repeat.

>cox-internet.com

24.56.0.0 - 24.56.63.255
24.234.0.0 - 24.234.255.255
24.248.0.0 - 24.255.255.255
64.58.128.0 - 64.58.191.255
66.210.0.0 - 66.210.255.255
68.0.0.0 - 68.15.255.255
68.96.0.0 - 68.111.255.255
68.224.0.0 - 68.231.255.255
70.160.0.0 - 70.191.255.255
216.54.0.0 - 216.54.127.255

WARNING: List is far from complete

>verizon.net

They're not local to me - can't help. They have quite a few blocks.

>(and these only because they are the 2 high speed internet providers in
>our little town)

But if you check, you'll probably find they are not the only one your users are using. I get the "last mile" from QWorst (local phone franchise), but my DSL (and addresses) comes from a completely different provider.

>The rest all going to be predominately either US .edu sites, or US gov
>research facilities (fermi lab, etc).

Those are relatively easy - the problem is that it's possible these won't be the only addresses used. Also, neither Cox nor Verizon are noted as being squeaky clean. You'll find your share of skript kiddiez and zombies there too.

>If I end up blocking some local isp in Caper, WY, that's probably a good
>thing.

Not as good as blocking Comcast - they're pounding on me at the moment.

Old guy
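Added example, not part of the original thread: a Python sketch that turns the "start - end" ranges quoted above into CIDR blocks, checks them against the 8-rule allow shorthand from the earlier post, and prints a port-22 allow-list followed by a drop rule. The function names and the use of the `INPUT` chain are assumptions made for illustration.

```python
import ipaddress

# Ranges as quoted in the post for cox-internet.com (the post warns the list is incomplete).
COX_RANGES = """\
24.56.0.0 - 24.56.63.255
24.234.0.0 - 24.234.255.255
24.248.0.0 - 24.255.255.255
64.58.128.0 - 64.58.191.255
66.210.0.0 - 66.210.255.255
68.0.0.0 - 68.15.255.255
68.96.0.0 - 68.111.255.255
68.224.0.0 - 68.231.255.255
70.160.0.0 - 70.191.255.255
216.54.0.0 - 216.54.127.255
"""
# Allow-side shorthand from the earlier post ("first octet/prefix length").
ALLOW_SHORTHAND = ["24/8", "63/8", "64/4", "192/8", "196/6", "204/6", "208/7", "216/8"]

def ranges_to_cidrs(text):
    """Parse 'start - end' lines and return the minimal list of CIDR networks."""
    nets = []
    for line in text.strip().splitlines():
        first, last = (ipaddress.IPv4Address(p.strip()) for p in line.split(" - "))
        nets.extend(ipaddress.summarize_address_range(first, last))
    return list(ipaddress.collapse_addresses(nets))

def expand_shorthand(spec):
    """'64/4' -> 64.0.0.0/4; raises ValueError if the octet is off the prefix boundary."""
    octet, prefix = spec.split("/")
    return ipaddress.ip_network(f"{int(octet)}.0.0.0/{int(prefix)}")

def uncovered(cidrs, allow_specs):
    """Return the networks that no allow-side block contains."""
    allow = [expand_shorthand(s) for s in allow_specs]
    return [n for n in cidrs if not any(n.subnet_of(a) for a in allow)]

def ssh_allow_rules(cidrs):
    """Accept tcp/22 from each network, then drop every other tcp/22 packet."""
    rules = [f"iptables -A INPUT -p tcp --dport 22 -s {n} -j ACCEPT" for n in cidrs]
    return rules + ["iptables -A INPUT -p tcp --dport 22 -j DROP"]

if __name__ == "__main__":
    cidrs = ranges_to_cidrs(COX_RANGES)
    print("not covered by the 8-rule allow list:", uncovered(cidrs, ALLOW_SHORTHAND))
    print("\n".join(ssh_allow_rules(cidrs)))
```

The ACCEPT rules have to come before the final DROP, because iptables evaluates a chain in order and stops at the first matching terminating rule.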
> Bwahahahahahahahahah, as hard as you try, I would think that even YOU would
> realize that you are always WRONG. Bet you think you get "French Benefits"
> at work, right? Emphases intended. bwahahahahah.

LOL :-)