[CentOS] Paranoid Firewalling

Tue Sep 6 18:07:55 UTC 2005
Scot L. Harris <webid at cfl.rr.com>

On Tue, 2005-09-06 at 13:19, Kirk Bocek wrote:
> After reading this article:
> 
> http://www.theregister.co.uk/2005/08/31/blocking_chinese_ip_addresses/
> 
> I got to thinking that there is really no reason for *any* traffic to 
> hit my servers that comes from anywhere outside North America. So I 
> wrote the perl script at the end of this posting to extract selected IP 
> ranges posted at iana.org and convert them into iptables rules blocking 
> any traffic from those ranges.

> In my ten or so years of administering Linux servers, following the 
> usual security precautions has been sufficient: closing unused ports, 
> keeping up to date on patches, limiting permissions and logins, etc. 
> I've never had a system broken into.
> 
> But if I can lessen the bandwidth used up by brute-force password 
> attacks and port scans at the cost of a few CPU cycles, that's a good 
> thing. I've had the new rules up on one server for about half an hour 
> and can see about 10 or so connection attempts from the addresses in 
> question.
> 
> What do you think?

Actually this won't reduce any bandwidth to your server.  The probes
still hit that address, you are just blocking those packets in iptables
from being able to get any further.

If you could implement this further up the line then you could reduce
traffic to your servers.

Putting a blanket deny on traffic from specific IP ranges is effective
if attacks are coming from those ranges.  The problem is that hackers
will typically want to use an intermediate site to launch an actual
attack from.  This makes it harder to trace the actual source of the
attack.  At least good hackers do this.  Script kiddies don't know to do
this.  

As such I am not convinced this provides that much protection in the
long run.  But if this is something you see in your log files and have
no need to have users from those address blocks access your site then
IMHO you have the right to block those addresses.  Just don't expect it
to reduce the traffic hitting your server unless you block it at a
router further up the line.
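For readers who want to see the kind of conversion Kirk describes, here is an added example (not Kirk's perl script and not part of the original thread) that turns an IANA-style IPv4 /8 allocation listing into iptables DROP rules. The listing lines are constructed to resemble the iana.org format and are not real assignments; the allowlist of whois servers, the chain name GEOBLOCK and the use of `-m state --state NEW` are assumptions. As Scot notes, these rules drop packets only once they have reached the host; they do nothing to the traffic on the wire.

```python
#!/usr/bin/env python3
"""Turn an IANA-style IPv4 /8 allocation listing into iptables DROP rules.

Added example for this thread, not Kirk Bocek's perl script.  The input
format, the allowlist of whois servers and the chain name GEOBLOCK are
assumptions; the listing below is constructed, not real IANA data.
"""
import ipaddress
import re

# Constructed sample in the shape of IANA's ipv4-address-space listing:
# "<prefix>/8  <designation>  <date>  <whois server>  <status>".
# Fetch the real listing from iana.org before using this on a server.
SAMPLE_REGISTRY = """\
Prefix  Designation                Date     Whois             Status
058/8   Administered by APNIC      2004-04  whois.apnic.net   ALLOCATED
059/8   Administered by APNIC      2004-04  whois.apnic.net   ALLOCATED
060/8   Administered by APNIC      2003-04  whois.apnic.net   ALLOCATED
062/8   Administered by RIPE NCC   1997-04  whois.ripe.net    ALLOCATED
064/8   Administered by ARIN       1999-07  whois.arin.net    ALLOCATED
200/8   Administered by LACNIC     2002-11  whois.lacnic.net  ALLOCATED
"""

# One /8 line: three-digit prefix, anything, then the whois server name.
LINE_RE = re.compile(r"^(\d{3})/8\s+.*?\s(whois\.\S+)", re.MULTILINE)


def parse_registry(text):
    """Return {first_octet: whois_server} for every /8 line in the listing."""
    return {int(octet): whois for octet, whois in LINE_RE.findall(text)}


def blocked_networks(text, allowed_whois):
    """Every /8 not handled by an allowed registry, merged into the fewest
    CIDR blocks so the rule set stays short (58/8 + 59/8 -> 58.0.0.0/7)."""
    nets = [ipaddress.ip_network(f"{octet}.0.0.0/8")
            for octet, whois in parse_registry(text).items()
            if whois not in allowed_whois]
    return list(ipaddress.collapse_addresses(nets))


def iptables_rules(networks, chain="GEOBLOCK"):
    """Build a dedicated chain so the block list can be reloaded by flushing
    that chain alone, without touching the rest of INPUT."""
    rules = [f"iptables -N {chain} 2>/dev/null", f"iptables -F {chain}"]
    rules += [f"iptables -A {chain} -s {net} -j DROP" for net in networks]
    # Only NEW connections are checked, so replies to connections the server
    # opened itself (yum mirrors, DNS lookups) are not dropped when they come
    # back from a blocked range.  Insert this jump once, not on every reload.
    rules.append(f"iptables -I INPUT 1 -m state --state NEW -j {chain}")
    return rules


if __name__ == "__main__":
    nets = blocked_networks(SAMPLE_REGISTRY, {"whois.arin.net"})
    print("\n".join(iptables_rules(nets)))
```

Keeping ARIN-administered blocks as the allowlist rather than listing every foreign block by hand is what keeps the rule set maintainable, but it also means the script blocks whatever ARIN does not administer, including legacy and unallocated space, so review the output before loading it.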