  1. #1

    Should these IPs be in my IPtables Drop list?

    Hi:
    When running:

    /etc/apf/deny_hosts.rules

    along with IPs I've banned using APF, I see the following listed as DROP in iptables:

    Code:
    3    DROP       all  --  10.0.0.0/8           0.0.0.0/0
    4    DROP       all  --  172.16.0.0/12        0.0.0.0/0
    5    DROP       all  --  128.66.0.0/16        0.0.0.0/0
    6    DROP       all  --  192.168.0.0/16       0.0.0.0/0
    7    DROP       all  --  127.0.0.0/8          0.0.0.0/0
    30   DROP       all  --  220.61.144.0/24      0.0.0.0/0
    31   DROP       all  --  207.206.5.0/24       0.0.0.0/0
    32   DROP       all  --  222.55.65.0/24       0.0.0.0/0
    33   DROP       all  --  211.241.144.0/24     0.0.0.0/0
    34   DROP       all  --  209.200.133.0/24     0.0.0.0/0
    35   DROP       all  --  129.219.135.0/24     0.0.0.0/0
    36   DROP       all  --  221.202.129.0/24     0.0.0.0/0
    37   DROP       all  --  80.122.118.0/24      0.0.0.0/0
    38   DROP       all  --  218.23.142.0/24      0.0.0.0/0
    39   DROP       all  --  210.74.232.0/24      0.0.0.0/0
    40   DROP       all  --  218.83.155.0/24      0.0.0.0/0
    41   DROP       all  --  202.67.19.0/24       0.0.0.0/0
    42   DROP       all  --  61.185.142.0/24      0.0.0.0/0
    43   DROP       all  --  202.109.189.0/24     0.0.0.0/0
    44   DROP       all  --  61.152.144.0/24      0.0.0.0/0
    45   DROP       all  --  202.97.174.0/24      0.0.0.0/0
    46   DROP       all  --  202.99.159.0/24      0.0.0.0/0
    47   DROP       all  --  64.122.17.0/24       0.0.0.0/0
    48   DROP       all  --  66.160.191.0/24      0.0.0.0/0
    49   DROP       all  --  61.134.45.0/24       0.0.0.0/0
    Just wondering, are these IP ranges configured by default to be banned by APF? I was just wondering if any of them may be legit and should be unbanned. If so, how would I do that?

    Thanks,
    Last edited by GeorgeC; 07-14-2005 at 12:24 AM.

  2. #2
    Those could be dshield's IP list, or an anti-DoS list, or something else; it is normal for it to add some IPs that you didn't, though.
    Dan Sheppard ~ Freelance whatever

  3. #3
    Wow, that's a big range of IPs blocked. Personally, I would disable any of those "lists" as it could block legit traffic. I'd rather not take any chances...

  4. #4
    Hi:
    I agree, I don't want to take the chance of blocking legit IPs. Two questions then:

    1) Can you tell me what command I should run in SSH to take an IP off the drop list, specifically, an IP range like 209.200.133.0/24 ?

    2) I don't have anti DOS or brute force installed, just APF. Is there somewhere in APF that causes it to automatically retrieve a list of IPs to ban by default (ie: dshield)? I'd like to stop it from doing that.

    Thanks!

  5. #5
    dshield.org list is in BFD, you could just edit the iptables file in /etc/sysconfig/iptables or remove them from the deny_hosts.rules file and then type:


    $ apf -r

    Correct me if I'm wrong, sorta new to this iptables/apf thing

  6. #6
    Hmmm ok thanks. If someone knows anything else to 1) or 2), I'd appreciate that as well.

  7. #7
    Most of those ranges are Asian ones (kr, jp, cn), but others seem to belong to Verio, HE and e.g. some .at ISP.
    IMO you might want to unblock those, just in case those provide legit traffic.

  9. #9
    You can edit /etc/apf/conf.apf to change the settings.

    From 3-7 are banned by default, these networks are reserved for private networks. Set BLK_PRVNET="0" if you want the rules removed. You are not blocking anyone with these rules.

    The rest are from dshield.org (check the website) and can be removed if you change USE_DS="0" .

    ... and "apf -r" at the end.

  10. #10
    coderdan, is it a good idea to stop APF from using dshield.org's list? For example, I don't understand why it would ban 48):

    66.160.191.0/24

    That to me looks like a HE.net IP range. Gotta be legit, right?

  11. #11
    The dshield.org list contains "Current Most Active Attacking IPs". I didn't experience any legitimate traffic loss. I would use the list. You can whitelist any IP by adding it in /etc/apf/allow_hosts.rules .

  12. #12
    Ok, I just set Anti_DOS in APF's config file to "0" to disable it, and upon restarting APF, I see all the IP ranges above are gone from the drop list:

    iptables -L INPUT -n --line-numbers

    I guess those IPs were blocked by anti dos and not dshield.org after all...

  13. #13
    Ok I spoke too soon. Today when I checked my IPtables, a range of IPs have once again been added to DROP:
    Code:
    30   DROP       all  --  68.68.102.0/24       0.0.0.0/0
    31   DROP       all  --  80.193.5.0/24        0.0.0.0/0
    32   DROP       all  --  211.209.44.0/24      0.0.0.0/0
    33   DROP       all  --  213.202.217.0/24     0.0.0.0/0
    34   DROP       all  --  128.223.54.0/24      0.0.0.0/0
    35   DROP       all  --  61.40.218.0/24       0.0.0.0/0
    36   DROP       all  --  216.28.119.0/24      0.0.0.0/0
    37   DROP       all  --  218.92.50.0/24       0.0.0.0/0
    38   DROP       all  --  195.96.68.0/24       0.0.0.0/0
    39   DROP       all  --  221.12.78.0/24       0.0.0.0/0
    40   DROP       all  --  211.40.49.0/24       0.0.0.0/0
    41   DROP       all  --  80.33.243.0/24       0.0.0.0/0
    42   DROP       all  --  61.152.158.0/24      0.0.0.0/0
    43   DROP       all  --  210.245.165.0/24     0.0.0.0/0
    44   DROP       all  --  140.109.6.0/24       0.0.0.0/0
    45   DROP       all  --  218.83.153.0/24      0.0.0.0/0
    46   DROP       all  --  218.66.104.0/24      0.0.0.0/0
    47   DROP       all  --  66.140.9.0/24        0.0.0.0/0
    48   DROP       all  --  68.126.232.0/24      0.0.0.0/0
    49   DROP       all  --  218.83.155.0/24      0.0.0.0/0
    As mentioned, yesterday I disabled use_ad in APF and restarted APF. The blocked IP ranges disappeared then. Can anyone with APF and Dshield.org enabled check for me whether they have the above range of IPs blocked in their iptables? I'm just not sure whether I'm blocking legit traffic here.

    Thanks,

  14. #14
    take a look at "DShield.org Recommended Block List" at http://feeds.dshield.org/block.txt

  15. #15
    you could try to remove those ips in the iptables file. Try iptables -f

  16. #16
    Originally posted by ANewDay
    you could try to remove those ips in the iptables file. Try iptables -f
    Thanks, but flushing the IPtables won't work, since apparently this is something that gets added to by APF daily, probably from the daily cron. I just want to figure out whether these IPs are added by way of dshield.org. I checked dshield's recommended ban list, though none matched the IP ranges I posted that are currently being dropped in iptables.

  17. #17
    /etc/rc.d/init.d/apf restart
    wget http://feeds.dshield.org/block.txt

    Then check if those ranges are in block.txt.
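As an added example (not code from the thread or from APF), here is a small POSIX shell script that does the comparison #16 and #17 are talking about: it pulls the DROP sources out of iptables INPUT listing and checks each against the ranges in DShield's block.txt, so you can tell which drops come from the USE_DS feed and which need a different explanation. Both inputs below are constructed sample data so it runs offline; on a real host feed it the output of `iptables -L INPUT -n --line-numbers` and of `wget -qO- http://feeds.dshield.org/block.txt` instead.

```shell
#!/bin/sh
# Added example, not from the thread: classify iptables DROP ranges as
# DShield-sourced or not, using constructed sample inputs.

# Constructed sample of `iptables -L INPUT -n --line-numbers` output.
SAMPLE_IPTABLES='Chain INPUT (policy DROP)
num  target     prot opt source               destination
3    DROP       all  --  10.0.0.0/8           0.0.0.0/0
30   DROP       all  --  68.68.102.0/24       0.0.0.0/0
31   DROP       all  --  80.193.5.0/24        0.0.0.0/0
32   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0'

# Constructed sample of block.txt. The real feed has comment lines starting
# with "#" and whitespace-separated rows of: start-address end-address netmask.
SAMPLE_BLOCKTXT='# DShield.org Recommended Block List (constructed sample)
68.68.102.0    68.68.102.255    24
203.0.113.0    203.0.113.255    24'

# Print every /24 source range that the INPUT chain DROPs. The /8, /12 and
# /16 private-network rules (BLK_PRVNET) are skipped; DShield only ships /24s.
drop_ranges() {
    printf '%s\n' "$1" | awk '$2 == "DROP" && $5 ~ /\/24$/ { print $5 }'
}

# Turn block.txt rows into the "start/netmask" CIDR form that iptables prints.
dshield_cidrs() {
    printf '%s\n' "$1" | awk '!/^#/ && NF >= 3 { print $1 "/" $3 }'
}

# For each dropped /24, print "<range> dshield" if it is in the feed,
# otherwise "<range> unknown" (i.e. added by something other than USE_DS).
classify() {
    feed=$(dshield_cidrs "$2")
    for r in $(drop_ranges "$1"); do
        if printf '%s\n' "$feed" | grep -qx "$r"; then
            echo "$r dshield"
        else
            echo "$r unknown"
        fi
    done
}

classify "$SAMPLE_IPTABLES" "$SAMPLE_BLOCKTXT"
```

A range reported as "unknown" was not put there by the DShield feed; with the sample data above, 68.68.102.0/24 is matched and 80.193.5.0/24 is not.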
