  1. #1

    great rc.firewall of China

    Just about every night now, PortSentry informs me that someone from some IP in China and/or India is attempting to fondle my system, for example:

    Code:
    **Unmached entries**
    3 Time(s): attackalert: Connect from host:
          61.174.142.124/61.174.142.124 to TCP port: 1
    6 Time(s): attackalert:  Connect from host: 
         61.54.16.6/61.54.16.6 to TCP port: 111
    8 Time(s): attackalert: Connect from host:
         61.11.56.12/61.11.56.12 to TCP port: 111
    Not to mention several other 'IN_TCP DROP' instances from similar IPs.

    So let's say I want to block ALL traffic from 61.174.0.0 - 61.174.7.255 (Zhejiang Telecom)? I know I can modify /etc/hosts.deny with the entry ALL:61.174. but I don't even want a ping from these guys.

    So here is the killer question: is the correct IPTables syntax
    Code:
    /sbin/iptables -I INPUT -s 61.174.0.0/255.0.0.0 -j DROP
    or is it:
    Code:
    /sbin/iptables -I INPUT -s 61.174.0.0/8 -j DROP
    Inquiring minds want to know. I'd also like to know if there is some form of a blackhole list hosts.deny and/or rc.firewall I can peruse ... you know, so I can lie to myself about being proactive about security.

  2. #2
    Greetings:

    I use the latter, but the former should work as well.

    Thank you.
    ---
    Peter M. Abraham

  3. #3
    Code:
    /sbin/iptables -I INPUT -s 61.174.0.0/24 -j DROP
    Try that instead if you want to block a whole Class C.

  4. #4
    To block 61.174.0.0 - 61.174.7.255, you need to use 61.174.0.0/21 or 61.174.0.0/255.255.248.0 (the first notation is cooler though). 61.174.0.0/8 would block all addresses with a first octet of 61 (this may not necessarily be a bad thing).
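    As an added example (not from any poster in this thread), the script below uses Python's standard ipaddress module to normalise each mask proposed above the way iptables would, compute the exact CIDR block(s) for the requested range, and check whether 61.174.142.124, one of the logged source addresses from the first post, actually falls inside each block. It only builds the rule strings; it does not run iptables.

```python
import ipaddress

# Constructed sample: the range the original poster wants to block, the three
# masks proposed in the thread, and one source address from the PortSentry log.
WANTED_FIRST = "61.174.0.0"
WANTED_LAST = "61.174.7.255"
PROPOSED = ["61.174.0.0/255.0.0.0", "61.174.0.0/8", "61.174.0.0/24"]
LOGGED_SOURCE = "61.174.142.124"


def cidr_blocks_for_range(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def describe_mask(spec):
    """Normalise a dotted-mask or prefix-length spec and report what it spans.

    strict=False tolerates host bits in the given address, which is what
    iptables does too: 61.174.0.0/8 really means 61.0.0.0/8.
    """
    net = ipaddress.IPv4Network(spec, strict=False)
    return {"cidr": str(net), "first": str(net.network_address),
            "last": str(net.broadcast_address), "hosts": net.num_addresses}


def covers(spec, address):
    """True if an 'iptables -s <spec>' match would include <address>."""
    return ipaddress.IPv4Address(address) in ipaddress.IPv4Network(spec, strict=False)


def drop_rules(first, last):
    """INPUT DROP rules (as strings) for exactly the requested range."""
    return ["/sbin/iptables -I INPUT -s %s -j DROP" % b
            for b in cidr_blocks_for_range(first, last)]


if __name__ == "__main__":
    for spec in PROPOSED:
        d = describe_mask(spec)
        print("%-22s -> %-16s %s - %s (%d addresses)"
              % (spec, d["cidr"], d["first"], d["last"], d["hosts"]))
    print("exact rules:", *drop_rules(WANTED_FIRST, WANTED_LAST), sep="\n  ")
    for spec in PROPOSED + cidr_blocks_for_range(WANTED_FIRST, WANTED_LAST):
        print("%-22s covers %s: %s" % (spec, LOGGED_SOURCE, covers(spec, LOGGED_SOURCE)))
```

    Note that the /21 block that matches the stated range does not contain 61.174.142.124, so the logged address would only be caught by the /8 rule.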

  5. #5
    If you are using a firewall such as apf, it will overwrite your settings.
    Steven Ciaburri

  6. #6
    Report them.

    Chinese hackers get the death penalty

  7. #7
    Originally posted by Maquiavelo
    Report them.

    Chinese hackers get the death penalty
    lol harsh

  8. #8
    Hi,

    The second Iptables option is exact. There is also a simpler way of ignoring "ICMP" packets:

    Code:
    # run as root; writing 1 makes the kernel ignore all ICMP echo requests
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

    Add this line to the /etc/rc.d/rc.local file so that the setting takes effect each time the system boots.

    Regards,

    Bright
