Use iptables to block all non-US ssh traffic

This is a discussion on Use iptables to block all non-US ssh traffic within the Linux Security forums, part of the System Security and Security Related category.


#1
09-16-2005
Chris Barnes
Use iptables to block all non-US ssh traffic

This should be a simple question, and in fact, it is one that turned up
in a Google search (see, I did my homework). What didn't turn up was an
answer.


Q: is there a simple way to use iptables to block all ssh traffic from
non-US IP addresses? IOW, I already know how to block a given range
of IPs. What I need is a quick and dirty list of non-US IPs to block.

FWIW, I saw an answer that blocked most Asian ranges. But most of the
hacking attempts I see are coming from east Europe.


--

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Chris Barnes AOL IM: CNBarnes
chris@txbarnes.com Yahoo IM: chrisnbarnes

You always have freedom of choice, but you never have freedom of
consequence.


#2
09-16-2005
matt_left_coast
Re: Use iptables to block all non-US ssh traffic

Chris Barnes wrote:

> This should be a simple question, and in fact, it is one that turned up
> in a Google search (see, I did my homework). What didn't turn up was an
> answer.
>
>
> Q: is there a simple way to use iptables to block all ssh traffic from
> non-US ip addresses? Iow, I already know how to block a given range
> of ip's. What I need is a quick and dirty list of non-US Ip's to block.


Unfortunately, there is no such list. Worse, there can be no such list.
Blocks of IP addresses (such as the class A addresses) were assigned to
major multinational companies. There is no "list" of where these companies
deployed these addresses and it is not mandatory for the addresses to be
masqueraded. A company may be based in the US, but blocks of the IP
addresses they have assigned to them are USED in Europe. The company does
not report where it deploys its addresses to anyone. You may get a list of
what companies or individuals have the addresses, but not where the
addresses were used.


#3
09-16-2005
Darko Gavrilovic
Re: Use iptables to block all non-US ssh traffic

matt_left_coast <not@chance.org> wrote in
news:V8idnesUJ4RVl7beRVn-sg@rcn.net:

> Chris Barnes wrote:
>
>> This should be a simple question, and in fact, it is one that turned
>> up in a Google search (see, I did my homework). What didn't turn up
>> was an answer.
>>
>>
>> Q: is there a simple way to use iptables to block all ssh traffic
>> from non-US ip addresses? Iow, I already know how to block a given
>> range of ip's. What I need is a quick and dirty list of non-US Ip's
>> to block.

>
> Unfortunately, there is no such list. Worse, there can be no such
> list. Blocks of IP addresses (Such as the class A addresses) were
> assigned to major multinational companies. There is no "list" of
> where these companies deployed these addresses and it is not mandatory
> for the addresses to be masqueraded. A company may be based in the US,
> but blocks of the IP addresses they have assigned to them are USED in
> Europe. The company does not report where they deploy its addresses to
> anyone. You may get a list of what companies or individuals have the
> addresses, but not where the addresses were used.
>
>


I have seen certain mail admins post about blocking large chunks of
cyberspace -- specifically the China and Asia area.

dg


--
Darko Gavrilovic | "Life can be understood looking
University of Toronto | backwards but must be lived
| looking forwards", Soren Kierkegaard
#4
09-17-2005
base60
Re: Use iptables to block all non-US ssh traffic

Chris Barnes wrote:
> This should be a simple question, and in fact, it is one that turned up
> in a Google search (see, I did my homework). What didn't turn up was an
> answer.
>
>
> Q: is there a simple way to use iptables to block all ssh traffic from
> non-US ip addresses? Iow, I already know how to block a given range
> of ip's. What I need is a quick and dirty list of non-US Ip's to block.


Might be easier to use tcpwrappers -- many ssh distributions come
with it enabled. If not, it's pretty easy to build.

>
> Fwiw, I saw an answer that blocked most asian ranges. But most of the
> hacking attempts I see are coming from east Europe.


Yeah, add those, too :)
#5
09-17-2005
base60
Re: Use iptables to block all non-US ssh traffic

matt_left_coast wrote:
> Chris Barnes wrote:
>
>
>>This should be a simple question, and in fact, it is one that turned up
>>in a Google search (see, I did my homework). What didn't turn up was an
>>answer.
>>
>>
>>Q: is there a simple way to use iptables to block all ssh traffic from
>>non-US ip addresses? Iow, I already know how to block a given range
>>of ip's. What I need is a quick and dirty list of non-US Ip's to block.

>
>
> Unfortunately, there is no such list.


Ah, actually, ICANN has a web page that lists which A's are assigned
where. Don't recall the URL, but it wasn't hard to find.

> Worse, there can be no such list.


Hmmmmmm, I guess no-one told ICANN....

> Blocks of IP addresses (Such as the class A addresses) were assigned to
> major multinational companies. There is no "list" of where these companies
> deployed these addresses and it is not mandatory for the addresses to be
> masqueraded.


Correct, but it's a safe bet that the Class As assigned to China etc,
aren't being used much in the US :)

> A company may be based in the US, but blocks of the IP
> addresses they have assigned to them are USED in Europe. The company does
> not report where they deploy its addresses to anyone. You may get a list of
> what companies or individuals have the addresses, but not where the
> addresses were used.


Well, starting with the ones assigned to China, Korea, etc., seems like
a good start.

Also, if you use tcpwrappers, you can toss in a block for all non-US
based domains.
#6
09-17-2005
matt_left_coast
Re: Use iptables to block all non-US ssh traffic

base60 wrote:

> matt_left_coast wrote:
>> Chris Barnes wrote:
>>
>>
>>>This should be a simple question, and in fact, it is one that turned up
>>>in a Google search (see, I did my homework). What didn't turn up was an
>>>answer.
>>>
>>>
>>>Q: is there a simple way to use iptables to block all ssh traffic from
>>>non-US ip addresses? Iow, I already know how to block a given range
>>>of ip's. What I need is a quick and dirty list of non-US Ip's to block.

>>
>>
>> Unfortunately, there is no such list.

>
> Ah, actually, ICANN has a web page that lists which A's are assigned
> where. Don't recall the URL, but it wasn't hard to find.
>
>> Worse, there can be no such list.

>
> Hmmmmmm, I guess no-one told ICANN....
>
>> Blocks of IP addresses (Such as the class A addresses) were assigned to
>> major multinational companies. There is no "list" of where these
>> companies deployed these addresses and it is not mandatory for the
>> addresses to be masqueraded.

>
> Correct, but it's a safe bet that the Class As assigned to China etc,
> aren't being used much in the US :)
>
>> A company may be based in the US, but blocks of the IP
>> addresses they have assigned to them are USED in Europe. The company does
>> not report where they deploy its addresses to anyone. You may get a list
>> of what companies or individuals have the addresses, but not where the
>> addresses were used.

>
> Well, starting with the ones assigned to China, Korea, etc., seems like
> a good start.
>
> Also, if you use tcpwrappers, you can toss in a block for all non-US
> based domains.


Again, ICANN only lists WHO owns the class A's, NOT where they are deployed.
Yeah, you can make up a mythical thing about China, but what about the AT&T
"WORLD" net addresses (class A 11.0.0.0)? Are you sure that AT&T ONLY
deployed in the USA???? I doubt it. The 11.0.0.0 could be anywhere in the
world.


--


#7
09-17-2005
matt_left_coast
Re: Use iptables to block all non-US ssh traffic

Darko Gavrilovic <myfirstnameDOTmysecondnameATutorontoDOTca> wrote:

> matt_left_coast <not@chance.org> wrote in
> news:V8idnesUJ4RVl7beRVn-sg@rcn.net:
>
>> Chris Barnes wrote:
>>
>>> This should be a simple question, and in fact, it is one that turned
>>> up in a Google search (see, I did my homework). What didn't turn up
>>> was an answer.
>>>
>>>
>>> Q: is there a simple way to use iptables to block all ssh traffic
>>> from non-US ip addresses? Iow, I already know how to block a given
>>> range of ip's. What I need is a quick and dirty list of non-US Ip's
>>> to block.

>>
>> Unfortunately, there is no such list. Worse, there can be no such
>> list. Blocks of IP addresses (Such as the class A addresses) were
>> assigned to major multinational companies. There is no "list" of
>> where these companies deployed these addresses and it is not mandatory
>> for the addresses to be masqueraded. A company may be based in the US,
>> but blocks of the IP addresses they have assigned to them are USED in
>> Europe. The company does not report where they deploy its addresses to
>> anyone. You may get a list of what companies or individuals have the
>> addresses, but not where the addresses were used.
>>
>>

>
> I have seen certain mail admins post of blocking large chunks of
> cyberspace -- specifically China and Asia area.
>
> dg
>
>


But that does NOT MEAN that the addresses are DEPLOYED there. The "OWNER" of
the address block may be based there, but the addresses could be deployed
ANYWHERE in the world. Take the 11.0.0.0 block, it is owned by AT&T WORLD
net and could be deployed in many different countries. There is no way to
say for certain that because an address has been "posted" to someone in
China or Asia that the addresses are necessarily deployed there.

--


#8
09-17-2005
matt_left_coast
Re: Use iptables to block all non-US ssh traffic

Brad Olin wrote:

> On Fri, 16 Sep 2005 11:01:07 -0500, "Chris Barnes" <chris@txbarnes.com>
> wrote:
>
>>This should be a simple question, and in fact, it is one that turned up
>>in a Google search (see, I did my homework). What didn't turn up was an
>>answer.
>>
>>
>>Q: is there a simple way to use iptables to block all ssh traffic from
>>non-US ip addresses? Iow, I already know how to block a given range
>>of ip's. What I need is a quick and dirty list of non-US Ip's to block.
>>
>>Fwiw, I saw an answer that blocked most asian ranges. But most of the
>>hacking attempts I see are coming from east Europe.
>>
>>

>
> There are several databases of IP blocks to country of assignment. I
> found a web tool at http://ip.ludost.net/ which uses such a database to
> generate basic iptables rules based on your country code entries. I
> suppose you could enter USA for country, ALLOW for target, and see what
> you get.
>
> I don't know how accurate that database is, nor do I know how often they
> update it.
>
>
> Brad



Unfortunately, the country of assignment does not mean the country of
deployment. Take the address range 12.0.0.0 to 12.255.255.255. It is a
class A address that is assigned to AT&T in the US. The database at
http://ip.ludost.net/ shows only a small portion of that address range's
"location". The locations are Canada, the US and New Zealand (at least that
is what I think the country codes mean). For the vast majority of the
12.x.x.x network address range, you have no idea WHERE the devices are.

--


#9
09-17-2005
base60
Re: Use iptables to block all non-US ssh traffic

matt_left_coast wrote:
> base60 wrote:
>
>
>>matt_left_coast wrote:
>>
>>>Chris Barnes wrote:
>>>
>>>
>>>
>>>>This should be a simple question, and in fact, it is one that turned up
>>>>in a Google search (see, I did my homework). What didn't turn up was an
>>>>answer.
>>>>
>>>>
>>>>Q: is there a simple way to use iptables to block all ssh traffic from
>>>>non-US ip addresses? Iow, I already know how to block a given range
>>>>of ip's. What I need is a quick and dirty list of non-US Ip's to block.
>>>
>>>
>>>Unfortunately, there is no such list.

>>
>>Ah, actually, ICANN has a web page that lists which A's are assigned
>>where. Don't recall the URL, but it wasn't hard to find.
>>
>>
>>>Worse, there can be no such list.

>>
>>Hmmmmmm, I guess no-one told ICANN....
>>
>>
>>>Blocks of IP addresses (Such as the class A addresses) were assigned to
>>>major multinational companies. There is no "list" of where these
>>>companies deployed these addresses and it is not mandatory for the
>>>addresses to be masqueraded.

>>
>>Correct, but it's a safe bet that the Class As assigned to China etc,
>>aren't being used much in the US :)
>>
>>
>>>A company may be based in the US, but blocks of the IP
>>>addresses they have assigned to them are USED in Europe. The company does
>>>not report where they deploy its addresses to anyone. You may get a list
>>>of what companies or individuals have the addresses, but not where the
>>>addresses were used.

>>
>>Well, starting with the ones assigned to China, Korea, etc., seems like
>>a good start.
>>
>>Also, if you use tcpwrappers, you can toss in a block for all non-US
>>based domains.

>
>
> Again, ICANN only list WHO owns the class A's NOT where they are deployed.


Yeah, I understood your "argument" the first time...

> Yeah, you can make up a mythical thing about China,


Mythical? My my... you certainly showed me :)

> cut what about the AT&T
> "WORLD" net addresses (class A 11.0.0.0)? Are you sure that AT&T ONLY
> deployed in the USA???? I doubt it. The 11.0.0.0 could be anywhere in the
> world.


Ah, well, pardon' moi for being so crass as to point out that IANA
believes 11/8 to belong to the DOD... not ATT.

Feel free to refer to the following (current as of June 2005)
rather than taking my word for it.

http://www.iana.org/assignments/ipv4-address-space

Ignoring, for the moment, the apparent factual errors in your
statement, your logic is also somewhat suspect.

Any Class A assigned to RIPE, APNIC, LACNIC, AfriNIC, etc. in the URL
listed above could quite safely be blocked from ssh access. We do it..
works just fine.

In addition, we block almost every known domain that's not .us, .gov,
.mil etc. -- including the proposed .xxx that they're dithering around
with.

Occasionally -- as in once or twice a year -- someone legit is blocked,
but that's easy to sort out because legit people tend to complain :)
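The two concrete suggestions in this thread, base60's "block the /8s the IANA registry hands to RIPE, APNIC, LACNIC and AfriNIC" (post #9) and the tcpwrappers route from posts #4 and #5, put together as an added example. This is not code from the thread. It assumes the column layout of the registry's current CSV form (Prefix, Designation, Date, WHOIS, RDAP, Status, Note; the page base60 links, http://www.iana.org/assignments/ipv4-address-space, now publishes it as ipv4-address-space.csv); the rows embedded below are constructed to show the shape and are not a copy of the registry, and 192.0.2.0/24 stands in for your own admin network. It decides by the WHOIS column, so the result is exactly base60's "safe bet" filter and nothing more: as matt_left_coast keeps pointing out, the registry records who administers a /8, not where the hosts behind it are, and the script lists the ARIN legacy blocks (12/8 in the thread) it deliberately leaves alone. For hosts.deny it writes net/mask entries rather than domain patterns, because tcp_wrappers matches hostname patterns through reverse DNS, which the connecting side controls; net/mask entries match on the address itself.

```python
"""Added example: derive SSH block rules from the IANA IPv4 /8 registry.

The registry says which registry administers each /8, not where the
hosts behind it are deployed, so this is only a coarse filter.  The
sample rows below are constructed for the example.
"""
import csv
import io
import ipaddress

SSH_PORT = 22

# WHOIS server named in each registry row -> administering registry.
RIR_BY_WHOIS = {
    "whois.arin.net": "ARIN",
    "whois.ripe.net": "RIPE",
    "whois.apnic.net": "APNIC",
    "whois.lacnic.net": "LACNIC",
    "whois.afrinic.net": "AFRINIC",
}

# Constructed sample in the column layout of the registry's CSV form.
# Values are illustrative; download the real file before generating rules.
SAMPLE_REGISTRY = """\
Prefix,Designation,Date,WHOIS,RDAP,Status [1],Note
000/8,IANA - Local Identification,1981-09,,,RESERVED,
011/8,DoD Intel Information Systems,1993-05,whois.arin.net,https://rdap.arin.net/registry,LEGACY,
012/8,AT&T Bell Laboratories,1995-06,whois.arin.net,https://rdap.arin.net/registry,LEGACY,
041/8,Administered by AFRINIC,2005-04,whois.afrinic.net,https://rdap.afrinic.net/rdap/,ALLOCATED,
058/8,Administered by APNIC,2004-04,whois.apnic.net,https://rdap.apnic.net/,ALLOCATED,
062/8,Administered by RIPE NCC,1997-04,whois.ripe.net,https://rdap.db.ripe.net/,ALLOCATED,
200/8,Administered by LACNIC,2002-11,whois.lacnic.net,https://rdap.lacnic.net/rdap/,ALLOCATED,
"""


def parse_registry(text):
    """Return (network, designation, rir, status) for every registry row."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        first_octet, plen = rec["Prefix"].strip().split("/")
        # int() drops the zero padding ("058"), which ipaddress rejects.
        net = ipaddress.IPv4Network(f"{int(first_octet)}.0.0.0/{int(plen)}")
        status_key = next(k for k in rec if k.startswith("Status"))
        rir = RIR_BY_WHOIS.get(rec["WHOIS"].strip().lower())
        rows.append((net, rec["Designation"].strip(), rir, rec[status_key].strip()))
    return rows


def select_blocks(rows, block_rirs):
    """Allocated or legacy /8s administered by the registries to block, sorted."""
    return sorted(net for net, _, rir, status in rows
                  if rir in block_rirs and status in ("ALLOCATED", "LEGACY"))


def arin_legacy_blocks(rows):
    """Legacy /8s under ARIN (12/8 in the thread): assigned in the US, but the
    registry says nothing about where the hosts are deployed, so not blocked."""
    return [(str(net), desig) for net, desig, rir, status in rows
            if rir == "ARIN" and status == "LEGACY"]


def iptables_rules(blocked, allow_from, chain="INPUT"):
    """iptables commands: trusted admin sources first (so you cannot lock
    yourself out), then one DROP per blocked /8, new SSH connections only."""
    rules = [f"iptables -A {chain} -p tcp --dport {SSH_PORT} --syn -s {net} -j ACCEPT"
             for net in allow_from]
    rules += [f"iptables -A {chain} -p tcp --dport {SSH_PORT} --syn -s {net} -j DROP"
              for net in blocked]
    return rules


def hosts_deny_lines(blocked):
    """/etc/hosts.deny entries in tcp_wrappers net/mask form, which matches on
    the client address and does not depend on reverse DNS."""
    return [f"sshd: {net.network_address}/{net.netmask}" for net in blocked]


if __name__ == "__main__":
    rows = parse_registry(SAMPLE_REGISTRY)
    blocked = select_blocks(rows, {"RIPE", "APNIC", "LACNIC", "AFRINIC"})
    # 192.0.2.0/24 is a placeholder for your own admin network (assumed).
    for line in iptables_rules(blocked, ["192.0.2.0/24"]):
        print(line)
    print()
    for line in hosts_deny_lines(blocked):
        print(line)
    print()
    for prefix, desig in arin_legacy_blocks(rows):
        print(f"# left open, deployment unknown: {prefix} ({desig})")
```

Run it against the real CSV and the DROP list grows to well over a hundred /8s, at which point one iptables rule per block is the wrong shape; load the prefixes into an ipset (or an nftables set) and match that in a single rule instead. Keep the ACCEPT for your own network ahead of the DROPs regardless, and expect base60's "once or twice a year" false positives from travelling staff or cloud hosts whose /8 is administered by another registry.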
#10
09-17-2005
matt_left_coast
Re: Use iptables to block all non-US ssh traffic

matt_left_coast wrote:

> Darko Gavrilovic <myfirstnameDOTmysecondnameATutorontoDOTca> wrote:
>
>> matt_left_coast <not@chance.org> wrote in
>> news:V8idnesUJ4RVl7beRVn-sg@rcn.net:
>>
>>> Chris Barnes wrote:
>>>
>>>> This should be a simple question, and in fact, it is one that turned
>>>> up in a Google search (see, I did my homework). What didn't turn up
>>>> was an answer.
>>>>
>>>>
>>>> Q: is there a simple way to use iptables to block all ssh traffic
>>>> from non-US ip addresses? Iow, I already know how to block a given
>>>> range of ip's. What I need is a quick and dirty list of non-US Ip's
>>>> to block.
>>>
>>> Unfortunately, there is no such list. Worse, there can be no such
>>> list. Blocks of IP addresses (Such as the class A addresses) were
>>> assigned to major multinational companies. There is no "list" of
>>> where these companies deployed these addresses and it is not mandatory
>>> for the addresses to be masqueraded. A company may be based in the US,
>>> but blocks of the IP addresses they have assigned to them are USED in
>>> Europe. The company does not report where they deploy its addresses to
>>> anyone. You may get a list of what companies or individuals have the
>>> addresses, but not where the addresses were used.
>>>
>>>

>>
>> I have seen certain mail admins post of blocking large chunks of
>> cyberspace -- specifically China and Asia area.
>>
>> dg
>>
>>

>
> But that does NOT MEAN that the addresses are DEPLOYED there. The "OWNER"
> of the address block may be based there, but the addressed could be
> deployed ANYWHERE in the world. Take the 11.0.0.0 block, it is owned by
> AT&T WORLD net and could be deployed in many different countries. There is
> no way to say for certain that because an address have been "posted" to
> someone in China or Asia that the addresses are necessarily deployed
> there.
>
> --


That should be the 12.0.0.0 block.
--

