IP addresses that piss me off....

EQnoble

Well-known member
If you own one of these IP addresses, please address the possibility that you are complicit in helping people try to ruin my server and/or augment my data, and are possibly making people generally disgusted at your lack of caring.

I will be posting this thread everywhere I log in to from now on... If you don't like it, tough cookies. You should be more concerned with people using your server to attack others, in this case mine. You have been unsuccessful and I have all the backups I need. Now here starts the list of IP addresses coming from irresponsible and/or criminal types of server administrators allowing this kind of activity.


My Apache status said:
62.141.36.63 ******* GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1
173.201.44.16 (someone doesn't care about their mail server I suppose.)
109.230.220.219 GET http://209.191.81.94/config/login? HTTP/1.0
109.230.220.219 GET http://66.163.169.186/config/login? HTTP/1.0
173.201.44.16 -- again for 70 pages


Please hold while I generate my list of IPs whose owners have no regard for professional courtesy. I have lists that need to be merged into one and private info stripped. If anyone has any IPs trying to run exploits or whatever on them, please post the IP in this thread and I will add it to the list of IPs I am banning/taking action against.
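The status lines above show the two request shapes that usually end up on a ban list: the DFind scanner's probe path and absolute-URI requests (GET http://other-host/...) from clients checking whether the web server will relay as an open proxy. The script below is an added example, not code from the post or the thread: it pulls candidate IPs for /etc/ip_list out of Apache combined-format log lines by those two signatures. The function names are mine and the sample log is constructed with RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not from the thread): pick candidate IPs for the ban list out of
# Apache access-log lines by matching the two request shapes seen in the status
# output above:
#   1. the DFind scanner's probe path      /w00tw00t.at.ISC.SANS.DFind:)
#   2. absolute-URI requests (GET http://other-host/...), i.e. a client testing
#      whether this web server will act as an open proxy.
# Function names and the sample log are constructed for this example.

# suspect_ips [LOGFILE]: read combined/common log format (file or stdin) and
# print "COUNT IP REASON", one line per offending IP, busiest first.
suspect_ips() {
    awk '
    {
        ip = $1
        # The request line is the first double-quoted field: "METHOD TARGET PROTO"
        n = split($0, q, "\"")
        if (n < 3) next
        split(q[2], r, " ")
        target = r[2]
        reason = ""
        if (target ~ /w00tw00t\.at\.ISC\.SANS\.DFind/) reason = "dfind-scan"
        else if (target ~ /^https?:\/\//)            reason = "proxy-probe"
        if (reason != "") { count[ip]++; why[ip] = reason }
    }
    END { for (ip in count) printf "%d %s %s\n", count[ip], ip, why[ip] }
    ' "$@" | sort -k1,1nr -k2,2
}

# ban_candidates MIN [LOGFILE]: just the IPs with at least MIN hits, ready to
# append to /etc/ip_list. Always eyeball the list before banning: a shared NAT
# or a CDN node can hide many innocent users behind one address.
ban_candidates() {
    min=$1; shift
    suspect_ips "$@" | awk -v min="$min" '$1 >= min { print $2 }'
}

# Constructed sample (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Jul/2011:00:40:26 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
198.51.100.7 - - [10/Jul/2011:00:41:02 +0000] "GET http://192.0.2.10/config/login? HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Jul/2011:00:41:03 +0000] "GET http://192.0.2.11/config/login? HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
192.0.2.44 - - [10/Jul/2011:00:42:10 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0"
EOF

suspect_ips "$SAMPLE_LOG"        # prints: 2 198.51.100.7 proxy-probe / 1 203.0.113.5 dfind-scan
ban_candidates 2 "$SAMPLE_LOG"   # prints: 198.51.100.7
```

Run it as `ban_candidates 2 /var/log/apache2/access.log >> /etc/ip_list` after checking the output; the threshold is there so a single stray request does not get an address banned for good.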
 
wc -l /etc/ip_list
369 /etc/ip_list

I have 369 banned IPs in my banned firewall table
Code:
#!/bin/bash

## All banned IPs are in the file /etc/ip_list, one per line.
#  All you need to do is add to the file,
#  then execute this script
#
#  /etc/banned_ips

## Create the banned_ip chain if it does not exist yet, otherwise flush it
iptables -N banned_ip 2>/dev/null || iptables -F banned_ip

## Loop through each line of the file (blank lines and # comments are skipped)
#  First we log packets
#  Then we DROP them

while read -r ip _
do
        case "$ip" in ''|'#'*) continue ;; esac
        iptables -A banned_ip -s "$ip" -j LOG --log-prefix "IPT - BANNED ip addresses: "
        iptables -A banned_ip -s "$ip" -j DROP
done < /etc/ip_list
 
So your script there will automatically drop any IP from the iptables that is in that banned_ip file, and all I have to do is manually add them to the file and execute that script you posted?
 

Eww, use ipsets please! Much lighter on load and so much easier to manage :) Having a single file of banned IPs is so inefficient. Seriously, look up ipset :)
 
Well, I just need something that works and can be implemented quickly... no one really gets through, but people have a hard-on for my server and won't leave it alone :)

What if server load isn't an issue... (mine sits at 0.00 - 0.02 average) and I just want to be able to quickly ban IPs, as SSH and the CLI aren't exactly "fast" going for me.
 
Seriously, look at ipset; it is by the same guys that designed netfilter (iptables on Linux). It is just infinitely superior to maintaining a list of IPs in a file.....
 
EQnoble, you need to look for a different protection program. Manually adding IPs to a table is highly inefficient. Most anyone who has the knowledge to disrupt your server also has the knowledge of how to hop from proxy to proxy, making your blocking method ineffective.
 
Seriously, look at ipset; it is by the same guys that designed netfilter (iptables on Linux). It is just infinitely superior to maintaining a list of IPs in a file.....
Lol, I am honored that you think I understand how to use that :-) , I'm just starting to get the hang of using iptables.

Do you know of a solid, all-inclusive guide to using ipset? Examples are great and all... but I need a guide to go through before I will mess with something that involves security... I have way too many people's sites on my servers and I would like to honor my word when I said to them, don't worry about it, I will take care of it.
 
ipset does look quite nice, although my script does exactly what you expect it to.
I keep a list.... example:
Code:
41.235.70.2
82.108.152.231
208.78.62.7
216.246.15.228
77.221.130.21
83.137.145.147
83.243.43.86
99.243.92.99
131.203.1.5
131.203.248.1
165.228.100.188

and I execute the script .. then all those IPs are dropped .. no access

I will do some reading on ipset today, as it does look interesting ( http://ipset.netfilter.org/ )

oh also note .. the table banned_ips is the first in my list
Code:
# Generated by iptables-save v1.3.5 on Mon Jul 10 00:40:26 2006
*raw
:PREROUTING ACCEPT [448717:520779170]
:OUTPUT ACCEPT [284231:46720766]
COMMIT
# Completed on Mon Jul 10 00:40:26 2006
# Generated by iptables-save v1.3.5 on Mon Jul 10 00:40:26 2006
*nat
:PREROUTING ACCEPT [1:54]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Jul 10 00:40:26 2006
# Generated by iptables-save v1.3.5 on Mon Jul 10 00:40:26 2006
*mangle
:PREROUTING ACCEPT [232:20562]
:INPUT ACCEPT [264:22944]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [173:34372]
:POSTROUTING ACCEPT [190:35688]
COMMIT
# Completed on Mon Jul 10 00:40:26 2006
# Generated by iptables-save v1.3.5 on Mon Jul 10 00:40:26 2006
*filter
:INPUT DROP [2:104]
:FORWARD DROP [0:0]
:OUTPUT DROP [1:708]
:bad_packets - [0:0]
:banned_ip - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]

-A INPUT -i lo -j ACCEPT
# default ACCEPT for db3.osuosl.org (the database cluster)
-A INPUT -s 140.211.166.135 -j ACCEPT
-A INPUT -j banned_ip
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_inbound
-A INPUT -i eth0 -p udp -j udp_inbound
.......... continues from here

hope this helps

edit: wow my fw is 4.5 years old :) I was expecting it to be older .. that must be when I moved hosts the last time :)
 

This is as simple as it can get right there....


Yeah, it does look great, but if it is more powerful than iptables, that also means that if I dive into it the damage it can cause is more severe, just by transitive properties. I am NOT against it. But I need to learn to use the tools, modules and scripts I already have on my server before I add more.
 

Install shorewall and then the ipset stuff and it is as simple as creating a set called blacklist and adding +blacklist to your blacklist file. Personally I use shorewall as it simplifies stuff. No need to complicate stuff if you do not have to!
 
This is as simple as it can get right there....


Yeah, it does look great, but if it is more powerful than iptables, that also means that if I dive into it the damage it can cause is more severe, just by transitive properties. I am NOT against it. But I need to learn to use the tools, modules and scripts I already have on my server before I add more.

No no, it uses netfilter (aka iptables).
 

Your script works well but it cannot scale without using something like ipset. That is the point. It is inefficient. I cannot say what the breakpoint is as it depends on your CPU etc but you should seriously look at converting it to ipset.
 
Initial reading suggests I will still need to maintain a list of IPs; however, ipset seems to eliminate much of the load.

but as has already been mentioned, server load is only an issue once or twice.
I see things like this:
  • bad guy hammers my server (normally port 22 attacking .. boring)
  • bad guy gets put in my banned_ips
  • iptables usage goes up a bit
  • log files get a bit busy (because I log things)
  • bad guy gives up, bad guy CBF anymore
  • server goes quiet again :)
This is on a site that I've run for 10 years that gets truck loads of traffic ( http://mandrivausers.org )
 
Your script works well but it cannot scale without using something like ipset. That is the point. It is inefficient. I cannot say what the breakpoint is as it depends on your CPU etc but you should seriously look at converting it to ipset.
yerp ;) . .reading manuals now :)
 
update (this is untested .. just posting here for the interest of it all :) )
Code:
#!/bin/bash

## All banned IPs are in the file /etc/ip_list, one per line
#  (plain addresses or CIDR blocks; hash:net takes both).
#  All you need to do is add to the file,
#  then execute this script
#
#  /etc/banned_ips

# Build the new list in a scratch set and swap it in, rather than
# destroying bad_guys and re-creating it: ipset will not destroy a set
# that an iptables rule still references, and re-creating it would leave
# a window with nobody banned. (ipset 6 command syntax.)
ipset -exist create bad_guys hash:net
ipset -exist create bad_guys_tmp hash:net
ipset flush bad_guys_tmp

## Loop through each IP in the file (blank lines and # comments skipped)
#  and add it to the scratch set

while read -r ip _
do
        case "$ip" in ''|'#'*) continue ;; esac
        ipset -exist add bad_guys_tmp "$ip"
done < /etc/ip_list

# Atomically replace the live set; the iptables rules keep matching "bad_guys"
ipset swap bad_guys_tmp bad_guys
ipset destroy bad_guys_tmp


then in my fw script
Code:
# Completed on Mon Jul 10 00:40:26 2006
# Generated by iptables-save v1.3.5 on Mon Jul 10 00:40:26 2006
*filter
:INPUT DROP [2:104]
:FORWARD DROP [0:0]
:OUTPUT DROP [1:708]
:bad_packets - [0:0]
:banned_ip - [0:0]


...... fast forward to the banned_ip table ...............

# You can now add IP addresses to the file /etc/ip_list
#
# Then execute the script /etc/banned_ips to reload the bad_guys set
# log first, then DROP ("src" tells the set match to look up the packet's source address)
-A banned_ip -m set --match-set bad_guys src -j LOG --log-prefix "IPT - BANNED ip addresses: "
-A banned_ip -m set --match-set bad_guys src -j DROP

this might do it .. I'll do some testing to see how it goes :)
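The ipset script in the post above still issues one ipset command per entry, and an iptables `set` match needs a direction flag (`src`) or it will not load. The script below is an added example, not code from the post or the thread, showing how a practitioner would do the same reload with a single `ipset restore` batch: entries are validated first, loaded into a scratch set, and swapped in atomically, and the iptables rules are generated once with the required `src` flag. The set and chain names (bad_guys, banned_ip) come from the thread; the function names, the `_tmp` scratch set, the list-file parameter and the rate limit on the LOG rule are this example's own choices. It assumes ipset 6 command syntax and the iptables `set` match.

```shell
#!/bin/sh
# Added example (not from the thread): reload the bad_guys set from the ban list
# atomically with "ipset restore", instead of destroying the set and re-adding
# one entry per exec. Set/chain names come from the thread's scripts; the list
# path is a parameter so the generator can be exercised without root.
#
# Why swap instead of "ipset -X bad_guys": ipset refuses to destroy a set that an
# iptables rule still references, and even where it succeeds nothing is banned
# between the destroy and the last add. Filling a scratch set and swapping it in
# is one atomic step, and "restore" takes the whole batch in one round trip.

# valid_entry ENTRY: 0 if ENTRY is an IPv4 address with an optional /0-32 prefix.
valid_entry() {
    echo "$1" | awk '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            n = split($0, a, /[.\/]/)
            for (i = 1; i <= 4; i++) if (a[i] > 255) exit 1
            if (n == 5 && a[5] > 32) exit 1
            exit 0
        }
        { exit 1 }'
}

# ipset_batch LISTFILE [SETNAME]: print an "ipset restore" batch on stdout.
# Blank lines and "#" comments are skipped; malformed entries are reported on
# stderr and left out rather than aborting the whole reload.
ipset_batch() {
    list=$1
    setname=${2:-bad_guys}
    echo "create $setname hash:net"
    echo "create ${setname}_tmp hash:net"
    echo "flush ${setname}_tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}          # drop trailing comment
        set -- $entry              # word-split: first word is the entry
        entry=${1:-}
        if [ -z "$entry" ]; then continue; fi
        if valid_entry "$entry"; then
            echo "add ${setname}_tmp $entry"
        else
            echo "ipset_batch: skipping bad entry: $line" >&2
        fi
    done < "$list"
    echo "swap ${setname}_tmp $setname"
    echo "destroy ${setname}_tmp"
}

# iptables_rules [SETNAME]: the firewall side, installed once; it refers to the
# set by name, so later reloads never touch iptables. "src" is mandatory: it
# tells the set match which address in the packet to look up. The rate limit on
# LOG is this example's addition, so a flood from a banned host cannot fill /var/log.
iptables_rules() {
    setname=${1:-bad_guys}
    cat <<EOF
iptables -N banned_ip 2>/dev/null || iptables -F banned_ip
iptables -A banned_ip -m set --match-set $setname src -m limit --limit 5/min -j LOG --log-prefix "IPT - BANNED ip addresses: "
iptables -A banned_ip -m set --match-set $setname src -j DROP
EOF
}

# Usage on the real box (root):   ipset_batch /etc/ip_list | ipset -exist restore
# then once:                      iptables_rules | sh
```

`ipset -exist restore` makes the two `create` lines no-ops when the sets already exist, so the same batch works for the first load and every reload; the swap keeps the `-j banned_ip` jump in INPUT matching the new contents without rewriting a single iptables rule.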
 
Please post some results if you can; I am interested and would like to make myself a tutorial out of anything I learn in this thread.

That's awesome that I made the thread to vent anger but ended up getting legit help anyways LOL
effing Xenforo...I never stop learning here :)
 
I use Shorewall as it makes my life easier. I just create a "blacklist" ipset and then add to /etc/shorewall/blacklist +blacklist. Quick easy and simple. Then whenever I add an IP to the blacklist set I just reissue the command shorewall refresh.
 