
Ip addresses that piss me off....

Discussion in 'Off Topic' started by EQnoble, Feb 8, 2011.

  1. EQnoble

    EQnoble Well-Known Member

    If you own one of these IP addresses please address the possibility that you are complicit in helping people to try and ruin my server and/or augment my data and possibly making people generally disgusted at your lack of caring.

    I will be posting this thread everywhere I login to from now on...If you don't like it..tough cookies. You should be more concerned with people using your server to attack others, in this case mine. You have been unsuccessful and I have all the backups I need. Now here the list starts of ip addresses coming from irresponsible and/or criminal type of server administrators allowing this kind of activity


     
  2. TerminalAddict

    TerminalAddict Active Member

    wc -l /etc/ip_list
    369 /etc/ip_list

    I have 369 banned IPs in my banned firewall table
    Code:
    #!/bin/bash
    
    ## First we flush the banned_ip table
    iptables -F banned_ip
    
    ## All banned IPs are in the file ip_list
    #  all you need to do is add to the file
    #  then execute this file
    #
    #  /etc/banned_ips
    
    ## Loop through each IP in the file
    #  First we log packets
    #  Then we DROP them
    
    while read -r ip
    do
            # skip blank lines so iptables is never called with an empty -s
            [ -n "$ip" ] || continue
            iptables -A banned_ip -s "$ip" -j LOG --log-prefix "IPT - BANNED ip addresses: "
            iptables -A banned_ip -s "$ip" -j DROP
    done < /etc/ip_list
    
     
    EQnoble likes this.
  3. EQnoble

    EQnoble Well-Known Member

    So your script there will automatically drop any IP from the iptables that is in that banned_ip file, and all I have to do is manually add them to the file and execute that script you posted?
     
  4. Deebs

    Deebs Well-Known Member

    Eww, use ipsets please! Much lighter on load and so much easier to manage :) Having a single file of banned ips is so inefficient. Seriously look up ipset :)
     
  5. EQnoble

    EQnoble Well-Known Member

    Well I just need something that works and can be implemented quick...no one really gets through but people have a hardon for my server and won't leave it alone :)

    What if server load isn't an issue... (mine sits at 0.00 - 0.02 average) and I just want to be able to quickly ban IPs as ssh and cli aren't exactly "fast" goings for me.
     
  6. Deebs

    Deebs Well-Known Member

    Seriously, look at ipset, it is by the same guys that designed netfilter (iptables on linux). It is just infinitely more superior than maintaining a list of ips in a file.....
     
    EQnoble likes this.
  7. Trent Gillespie

    Trent Gillespie Active Member

    EQnoble, you need to look for a different protection program. Manually adding IPs to a table is highly inefficient. Most anyone who has the knowledge to disrupt your server also has the knowledge of how to hop from proxy to proxy, making your blocking method ineffective.
     
    tickedon, D.O.A. and EQnoble like this.
  8. EQnoble

    EQnoble Well-Known Member

    Lol I am honored that you think I understand how to use that :) , I just started getting the hang of using iptables.

    Do you know of a solid all-inclusive guide to using ipset? Examples are great and all... but I need a guide to pore through before I will mess with something that involves security... I have way too many people's sites on my servers and I would like to honor my word when I said to them don't worry about it I will take care of it.
     
  9. TerminalAddict

    TerminalAddict Active Member

    ipsets does look quite nice, although my script does exactly what you expect of it.
    I keep a list.... example:
    Code:
    41.235.70.2
    82.108.152.231
    208.78.62.7
    216.246.15.228
    77.221.130.21
    83.137.145.147
    83.243.43.86
    99.243.92.99
    131.203.1.5
    131.203.248.1
    165.228.100.188
    
    and I execute the script .. then all those IPs are dropped .. no access

    I will do some reading on ipset today, as it does look interesting ( http://ipset.netfilter.org/ )

    oh also note .. the table banned_ips is the first in my list
    Code:
    # Generated by iptables-save v1.3.5 on Mon Jul 10 00:40:26 2006
    *raw
    :PREROUTING ACCEPT [448717:520779170]
    :OUTPUT ACCEPT [284231:46720766]
    COMMIT
    # Completed on Mon Jul 10 00:40:26 2006
    # Generated by iptables-save v1.3.5 on Mon Jul 10 00:40:26 2006
    *nat
    :PREROUTING ACCEPT [1:54]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT
    # Completed on Mon Jul 10 00:40:26 2006
    # Generated by iptables-save v1.3.5 on Mon Jul 10 00:40:26 2006
    *mangle
    :PREROUTING ACCEPT [232:20562]
    :INPUT ACCEPT [264:22944]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [173:34372]
    :POSTROUTING ACCEPT [190:35688]
    COMMIT
    # Completed on Mon Jul 10 00:40:26 2006
    # Generated by iptables-save v1.3.5 on Mon Jul 10 00:40:26 2006
    *filter
    :INPUT DROP [2:104]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [1:708]
    :bad_packets - [0:0]
    :banned_ip - [0:0]
    :bad_tcp_packets - [0:0]
    :icmp_packets - [0:0]
    :tcp_inbound - [0:0]
    :tcp_outbound - [0:0]
    :udp_inbound - [0:0]
    :udp_outbound - [0:0]
    
    -A INPUT -i lo -j ACCEPT
    # default ACCEPT for db3.osuosl.org (the database cluster)
    -A INPUT -s 140.211.166.135 -j ACCEPT
    -A INPUT -j banned_ip
    -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth0 -p tcp -j tcp_inbound
    -A INPUT -i eth0 -p udp -j udp_inbound
    .......... continues from here
    
    hope this helps

    edit: wow my fw is 4.5 years old :) I was expecting it to be older .. that must be when I moved hosts the last time :)
     
    EQnoble likes this.
  10. EQnoble

    EQnoble Well-Known Member

    This is as simple as it can get right there....


    Yeah it does look great but if it is more powerful than iptables that also means if I dive into it the damage it can cause is more severe just by transitive properties. I am NOT against it. But I need to learn to use the tools, modules and scripts I already have on my server before I add more.
     
  11. Deebs

    Deebs Well-Known Member

    Install shorewall and then the ipset stuff and it is as simple as creating a set called blacklist and adding +blacklist to your blacklist file. Personally I use shorewall as it simplifies stuff. No need to complicate stuff if you do not have to!
     
  12. Deebs

    Deebs Well-Known Member

    No no, it uses netfilter (aka iptables).
     
  13. Deebs

    Deebs Well-Known Member

    Your script works well but it cannot scale without using something like ipset. That is the point. It is inefficient. I cannot say what the breakpoint is as it depends on your CPU etc but you should seriously look at converting it to ipset.
     
  14. TerminalAddict

    TerminalAddict Active Member

    initial reading suggests I will still need to maintain a list of IPs, however ipsets seems to eliminate much of the load.

    but as has already been mentioned, server load is only an issue once or twice.
    I see things like this:
    • bad guy hammers my server (normally port 22 attacking .. boring)
    • bad guy gets put in my banned_ips
    • iptables usage goes up a bit
    • log files get a bit busy (because I log things)
    • bad guy gives up, bad guy CBF anymore
    • server goes quiet again :)
    This is on a site that I've run for 10 years that gets truck loads of traffic ( http://mandrivausers.org )
     
  15. TerminalAddict

    TerminalAddict Active Member

    yerp ;) . .reading manuals now :)
     
  16. TerminalAddict

    TerminalAddict Active Member

    update (this is untested .. just posting here for the interest of it all :) )
    Code:
    #!/bin/bash
    
    # create the set if it does not exist yet, then empty it
    # (ipset -X fails while an iptables rule still references the set)
    ipset -N bad_guys nethash 2>/dev/null
    ipset -F bad_guys
    
    ## All banned IPs are in the file ip_list
    #  all you need to do is add to the file
    #  then execute this file
    #
    #  /etc/banned_ips
    
    ## Loop through each IP in the file
    #  then add them to the bad_guys set
    
    while read -r ip
    do
            # skip blank lines
            [ -n "$ip" ] || continue
            ipset -A bad_guys "$ip"
    done < /etc/ip_list
    
    

    then in my fw script
    Code:
    # Completed on Mon Jul 10 00:40:26 2006
    # Generated by iptables-save v1.3.5 on Mon Jul 10 00:40:26 2006
    *filter
    :INPUT DROP [2:104]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [1:708]
    :bad_packets - [0:0]
    :banned_ip - [0:0]
    
    
    ...... fast forward to the banned_ip table ...............
    
    # You can now add IP addresses to the Array IPS in the file /etc/banned_ips
    #
    # Then execute the file
    # log first, then DROP
    # --match-set needs a direction flag; src matches the packet's source address
    -A banned_ip -m set --match-set bad_guys src -j LOG --log-prefix "IPT - BANNED ip addresses: "
    -A banned_ip -m set --match-set bad_guys src -j DROP
    
    this might do it .. I'll do some testing to see how it goes :)
     
    EQnoble likes this.
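
Added example, not part of the thread and not any poster's code: one way to reload the `bad_guys` set from the `/etc/ip_list` format without destroying a set that an iptables rule references, by filling a scratch set and swapping it in. It assumes ipset 6+ command names (`create`, `hash:net`, `swap`); the function names and the `_new` scratch-set suffix are illustrative.

```shell
#!/bin/sh
# Added example: build `ipset restore` input from a ban list so the live set
# is replaced in one swap. Assumes ipset 6+ syntax; names are illustrative.

# valid_entry ADDR: succeed only for dotted-quad IPv4 with optional /1-32.
# A /0 is refused because it would match every source address.
valid_entry() (
    case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case $prefix in ''|*[!0-9]*|???*) exit 1 ;; esac
    [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || exit 1
    addr=${1%%/*}
    case $addr in *[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.
    set -- $addr
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# gen_restore [SETNAME]: ban list on stdin, restore commands on stdout,
# rejected lines reported on stderr.
gen_restore() (
    set_name=${1:-bad_guys}
    tmp_set=${set_name}_new
    printf 'create %s hash:net\ncreate %s hash:net\nflush %s\n' \
        "$set_name" "$tmp_set" "$tmp_set"
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    LC_ALL=C sort -u |
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        if valid_entry "$entry"; then
            printf 'add %s %s\n' "$tmp_set" "$entry"
        else
            printf 'skipped invalid entry: %s\n' "$entry" >&2
        fi
    done
    printf 'swap %s %s\ndestroy %s\n' "$tmp_set" "$set_name" "$tmp_set"
)

# Constructed sample list (documentation ranges, not real offenders).
sample_list() {
    printf '%s\n' '192.0.2.10' '198.51.100.0/24   # whole subnet' \
        '192.0.2.10' '203.0.113.999' 'badhost.example' '0.0.0.0/0' ''
}

# Print the restore input for the sample; on a real host:
#   gen_restore bad_guys < /etc/ip_list | ipset -exist restore
sample_list | gen_restore bad_guys
```

The `-exist` option lets the `create` lines pass when the sets are already present, and because a bad line makes `ipset restore` stop, filtering entries first keeps one typo in the list from blocking the reload.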
  17. EQnoble

    EQnoble Well-Known Member

    Please if you can post some results, I am interested and would like to make myself a tutorial out of anything I learn in this thread.

    That's awesome that I made the thread to vent anger but ended up getting legit help anyways LOL
    effing Xenforo...I never stop learning here :)
     
  18. Deebs

    Deebs Well-Known Member

    I use Shorewall as it makes my life easier. I just create a "blacklist" ipset and then add to /etc/shorewall/blacklist +blacklist. Quick easy and simple. Then whenever I add an IP to the blacklist set I just reissue the command shorewall refresh.
     
    EQnoble likes this.
  19. EQnoble

    EQnoble Well-Known Member

    See you guys are command-line-commandos, I am the water boy...lol

    Looking up shorewall as we speak.
     
    Dan likes this.
  20. Deebs

    Deebs Well-Known Member

    Lol, that did actually make me chuckle. Seriously, most *NIX guys will prefer the command line to a GUI.
     
    EQnoble likes this.
