Just about every night now, PortSentry informs me that someone from some IP in China and/or India is attempting to fondle my system, for example:
3 Time(s): attackalert: Connect from host:
188.8.131.52/184.108.40.206 to TCP port: 1
6 Time(s): attackalert: Connect from host:
220.127.116.11/18.104.22.168 to TCP port: 111
8 Time(s): attackalert: Connect from host:
22.214.171.124/126.96.36.199 to TCP port: 111
Not to mention several other 'IN_TCP DROP' instances from similar IPs.
So let's say I want to block ALL traffic from 188.8.131.52 - 184.108.40.206 (Zhejiang Telecom)? I know I can modify /etc/hosts.deny with the entry ALL:61.174. but I don't even want a ping from these guys.
So here is the killer question, is the correct IPTables syntax:
/sbin/iptables -I INPUT -s 220.127.116.11/255.0.0.0 -j DROP
or is it:
/sbin/iptables -I INPUT -s 18.104.22.168/8 -j DROP
Inquiring minds want to know. I'd also like to know if there is some form of a blackhole list hosts.deny and/or rc.firewall I can peruse ... you know, so I can lie to myself about being proactive about security.
To block 22.214.171.124 - 126.96.36.199, you need to use 188.8.131.52/21 or 184.108.40.206/255.255.248.0 (the first notation is cooler though). 220.127.116.11/8 would block all addresses with a first octet of 61 (this may not necessarily be a bad thing).