On Tue, 2005-09-06 at 10:19 -0700, Kirk Bocek wrote:
After reading this article:
http://www.theregister.co.uk/2005/08/31/blocking_chinese_ip_addresses/
I got to thinking that there is really no reason for *any* traffic to hit my servers that comes from anywhere outside North America. So I wrote the perl script at the end of this posting to extract selected IP ranges posted at iana.org and convert them into iptables rules blocking any traffic from those ranges.
I'd like comments on this. I know it's not perfect as there are both corporate and 'various registries' address ranges that aren't covered but it's a start. Since my company web site is hosted elsewhere but we are doing the DNS, I put in the exceptions for DNS.
In my ten or so years of administering Linux servers, following the usual security precautions has been sufficient: closing unused ports, keeping up to date on patches, limiting permissions and logins, etc. I've never had a system broken into.
But if I can lessen the bandwidth used up by brute-force password attacks and port scans at the cost of a few CPU cycles, that's a good thing. I've had the new rules up on one server for about half an hour and can see about 10 or so connection attempts from the addresses in question.
What do you think?
Kirk Bocek
#!/usr/bin/perl # # iana-makeiptables.pl # Convert IPv4 Address assignment document from iana.org into # a shell script that will insert iptables rules to block traffic # from selected regional registries. # # Copy the data from: # http://www.iana.org/assignments/ipv4-address-space # and save it to the file in $datafile (here -- iana-assignments.dat) # Then edit the 'my @block' line below to select the registries you want to block # # Sept 6, 2005 Kirk Bocek # use strict;
my $datafile='iana-assignments.dat'; my $outfile='iana-block.sh'; #Registries are ARIN APNIC RIPE LACNIC AfriNIC my @block=qw/APNIC RIPE LACNIC AfriNIC/;
die "Data File $datafile Not Found!" unless -f $datafile; die "Cannot open $outfile for writing!" unless open OUT, ">$outfile"; die "Cannot open $datafile for reading!" unless open DAT, "<$datafile";
print OUT "#!/bin/bash\n"; print OUT "# Blocking traffic from: @block\n"; print OUT "# Generated by iana-makeiptables.pl\n";
foreach (<DAT>) { next unless /^\d{3}/8/; BLOCK: foreach my $reg (@block) { if (/^(\d{3})/8.*$reg/) { my $x=$1; $x=substr($x,1) if substr($x,0,1) eq '0'; #Strip leading zero $x=substr($x,1) if substr($x,0,1) eq '0'; #Might be two of them print OUT 'iptables -I INPUT -s ',$x,".0.0.0/8 -j DROP\n"; last BLOCK; } } }
#Put any exceptions here #For example, I'm allowing DNS traffic print OUT "iptables -I INPUT -p tcp -m tcp --dport 53 -j ACCEPT\n"; print OUT "iptables -I INPUT -p udp -m udp --dport 53 -j ACCEPT\n";
close OUT; close DAT; # End of iana-makeiptables.pl
Awesome, added to my todo list.
Regards, Ted