Blocking entire countries with KISS

  #1  
Old 12-12-2004, 06:21 PM
the-muse the-muse is offline
WHT Addict
 
Join Date: Jul 2002
Location: ... in my mind ...
Posts: 147

Blocking entire countries with KISS


Hello Forum Members -
I'm using the KISS Firewall Script (configured for cPanel by Dragon Networks) on two servers at Dragon Networks. Love the script.

I'd like to know how to block the entire country of China (for starters) using the KISS Firewall script. As presently configured, there are no IPs in BLOCK_LIST="".

I've read quite a bit here and at other forums about the futility of trying to do this. Some obstacles to this goal include:
1) Difficulty in verifying the authenticity of a problem IP (an IP may be spoofed). For example, I have two clients on one of my servers who continue to receive the MUGU spamming of their guestbooks. The guestbook script they use allows for banning of individual IP addresses. However, there are so many coming from (apparently) the same range, that I'd like to stop the entire IP block from reaching the server. Case in point:

A whois lookup at APNIC shows:
inetnum: 219.128.253.96 - 219.128.253.99
netname: HUANGQI-DKX-NETBAR
descr: HUANGQI DINGKAIXIN NETBAR
country: CN
-----
I'd like to block, for starters, 219.128.253.96 - 219.128.253.99 using the KISS Firewall.

Does anyone know the best way to do this, if it's possible? It's not a large range, but I would use it as a starting place to see if it's effective. If so, I would find all the other ranges from China and add them later.

Until China makes an effort to prevent this kind of abuse originating from their country, their citizens can do without my clients' websites.

Best wishes,
the-muse

p.s. hi SoftWareRevue. Long time!

Reply With Quote


  #2  
Old 12-22-2004, 05:06 PM
apollo apollo is offline
Web Hosting Master
 
Join Date: Feb 2002
Posts: 2,102
You can also block with iptables....by one IP

219.128.253.96
219.128.253.97
219.128.253.98
219.128.253.99

for example:


/sbin/iptables -A INPUT -p tcp -s 219.128.253.96/32 -j DROP
/sbin/iptables -A INPUT -p udp -s 219.128.253.96/32 -j DROP

Will drop udp/tcp traffic to your box from 219.128.253.96


Last edited by apollo; 12-22-2004 at 05:11 PM.
Reply With Quote
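The four addresses listed in the post above are one aligned block, so the inetnum range from the whois output can be covered by a single CIDR rule instead of one rule per IP. The following is an added example, not part of the original posts; the function names are hypothetical, and the rules it prints use the same iptables form as the post above.

```python
import ipaddress
import re

# inetnum line as quoted from the APNIC whois output in post #1.
WHOIS_LINE = "inetnum: 219.128.253.96 - 219.128.253.99"

INETNUM_RE = re.compile(r"^inetnum:\s*(\S+)\s*-\s*(\S+)\s*$")


def inetnum_to_cidrs(line):
    """Return the minimal list of CIDR networks covering an inetnum range."""
    match = INETNUM_RE.match(line.strip())
    if not match:
        raise ValueError(f"not an inetnum line: {line!r}")
    first = ipaddress.IPv4Address(match.group(1))
    last = ipaddress.IPv4Address(match.group(2))
    if first > last:
        raise ValueError("range start is above range end")
    # A range that is not aligned on a power-of-two boundary yields
    # several networks; an aligned one collapses to a single prefix.
    return list(ipaddress.summarize_address_range(first, last))


def drop_rules(networks, protocols=("tcp", "udp")):
    """Build iptables commands in the same form as the rules in post #2."""
    return [
        f"/sbin/iptables -A INPUT -p {proto} -s {net} -j DROP"
        for net in networks
        for proto in protocols
    ]


if __name__ == "__main__":
    for rule in drop_rules(inetnum_to_cidrs(WHOIS_LINE)):
        print(rule)  # review the output before running it as root
```

The script only prints the commands; nothing is applied to the firewall until the reviewed lines are run by hand.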
  #3  
Old 12-24-2004, 10:47 PM
the-muse the-muse is offline
WHT Addict
 
Join Date: Jul 2002
Location: ... in my mind ...
Posts: 147
Hello apollo,
Thanks for the tip. I've known about the method you suggest from prior research. I'm under the impression that the KISS firewall script uses the iptables for blocking IPs, and to configure iptables manually would be "redundant" so to speak. It's my impression, after installing the KISS script, that I would be better off doing all this kind of configuring from the KISS script itself.

To better clarify my question, what I really need to know is if there is any way I can determine that the IP range I am blocking is in fact the "spammer" or potential "hacker".

Let's say I configure KISS to block 219.128.253.96/32, thinking I am effectively blocking someone in China, but that IP is actually being spoofed by some anonymous user in the Netherlands. How does one get to the bottom of it to find the actual violator?

My research so far seems to indicate it's almost an impossible task.

Merry Christmas and Happy New Year (to all),

the-muse

Reply With Quote
  #4  
Old 12-25-2004, 04:44 AM
apollo apollo is offline
Web Hosting Master
 
Join Date: Feb 2002
Posts: 2,102
A real TCP connection can't be spoofed easily... A SYN flood, for example, can be easily spoofed with random return addresses, but the 'handshake' never happens. If you get established TCP connections from that IP/server/workstation then it's a real connection.
Another question is if that box is already exploited or running some trojan, but that's another story....

Reply With Quote
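A guestbook POST only reaches the web server's access log after the TCP handshake has completed, so the client addresses logged there are the kind of established connection the post above describes. The following added example (not part of the original posts) groups guestbook POSTs by source network to show which ranges are worth reviewing for a block; the log lines, the /guestbook.cgi path, the /24 grouping and the threshold are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed Apache-style log lines; only the 219.128.253.x addresses
# come from the thread, everything else is made up for the example.
SAMPLE_LOG = """\
219.128.253.96 - - [12/Dec/2004:18:01:02 -0500] "POST /guestbook.cgi HTTP/1.0" 200 512
219.128.253.97 - - [12/Dec/2004:18:01:09 -0500] "POST /guestbook.cgi HTTP/1.0" 200 512
219.128.253.99 - - [12/Dec/2004:18:02:41 -0500] "POST /guestbook.cgi HTTP/1.0" 200 512
192.0.2.10 - - [12/Dec/2004:18:03:00 -0500] "GET /index.html HTTP/1.1" 200 2048
198.51.100.7 - - [12/Dec/2004:18:04:15 -0500] "POST /guestbook.cgi HTTP/1.1" 200 512
not a log line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} ')


def posts_per_network(log_text, path="/guestbook.cgi", prefix=24):
    """Count POSTs to `path` per source network of the given prefix length."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "POST" or m.group(3).split("?")[0] != path:
            continue
        try:
            addr = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue  # hostname or IPv6 in the client field: skipped here
        # The prefix is only a grouping unit for review; the whois inetnum
        # range decides how wide the actual block should be.
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        counts[str(net)] += 1
    return counts


def block_candidates(counts, threshold=3):
    """Networks whose POST count reaches the threshold, busiest first."""
    return [net for net, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    print(block_candidates(posts_per_network(SAMPLE_LOG)))
```

The logged address is the host that connected, which, as the post notes, may itself be an exploited machine relaying for someone else.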
  #5  
Old 12-25-2004, 12:13 PM
the-muse the-muse is offline
WHT Addict
 
Join Date: Jul 2002
Location: ... in my mind ...
Posts: 147
blocking IP ranges

Hi apollo,
Quote:
Another question is if that box is already exploited or running some trojan, but that's another story....
No. This KISS script, rkhunter and chkrootkit have proven to be an effective control / monitor system.

What I conclude from your post is to go ahead and enter in the BLOCK_IPS list of the KISS script what I assume to be IPs from (for example) China, and trust that those IPs are in fact from China.

I'll give it a try. I plan on blocking entire ranges from China, Korea, Indonesia and a few other problem countries.

Thanks for your input.

the-muse

Reply With Quote