07-14-2005, 12:15 AM, #1, Web Hosting Master (Join Date: Sep 2000; Posts: 1,015)
Should these IPs be in my IPtables Drop list?
Hi:
When running:
/etc/apf/deny_hosts.rules
along with IPs I've banned using APF, I see the following listed as DROP in iptables:
Code:
3  DROP all -- 10.0.0.0/8       0.0.0.0/0
4  DROP all -- 172.16.0.0/12    0.0.0.0/0
5  DROP all -- 128.66.0.0/16    0.0.0.0/0
6  DROP all -- 192.168.0.0/16   0.0.0.0/0
7  DROP all -- 127.0.0.0/8      0.0.0.0/0
30 DROP all -- 220.61.144.0/24  0.0.0.0/0
31 DROP all -- 207.206.5.0/24   0.0.0.0/0
32 DROP all -- 222.55.65.0/24   0.0.0.0/0
33 DROP all -- 211.241.144.0/24 0.0.0.0/0
34 DROP all -- 209.200.133.0/24 0.0.0.0/0
35 DROP all -- 129.219.135.0/24 0.0.0.0/0
36 DROP all -- 221.202.129.0/24 0.0.0.0/0
37 DROP all -- 80.122.118.0/24  0.0.0.0/0
38 DROP all -- 218.23.142.0/24  0.0.0.0/0
39 DROP all -- 210.74.232.0/24  0.0.0.0/0
40 DROP all -- 218.83.155.0/24  0.0.0.0/0
41 DROP all -- 202.67.19.0/24   0.0.0.0/0
42 DROP all -- 61.185.142.0/24  0.0.0.0/0
43 DROP all -- 202.109.189.0/24 0.0.0.0/0
44 DROP all -- 61.152.144.0/24  0.0.0.0/0
45 DROP all -- 202.97.174.0/24  0.0.0.0/0
46 DROP all -- 202.99.159.0/24  0.0.0.0/0
47 DROP all -- 64.122.17.0/24   0.0.0.0/0
48 DROP all -- 66.160.191.0/24  0.0.0.0/0
49 DROP all -- 61.134.45.0/24   0.0.0.0/0
Thanks,
Last edited by GeorgeC; 07-14-2005 at 12:24 AM.
07-14-2005, 10:38 AM, #2, Web Hosting Master (Join Date: Dec 2002; Location: The Shadows; Posts: 2,925)
Those could be dshield's IP list, or an anti-DoS list, or something else; it is normal for it to add some IPs that you didn't, though.
Dan Sheppard ~ Freelance whatever
07-14-2005, 05:18 PM, #3, Web Hosting Master (Join Date: Jan 2005; Posts: 2,203)
Wow, that's a big range of IPs blocked. Personally, I would disable any of those "lists", as they could block legit traffic. I'd rather not take any chances...
07-14-2005, 05:26 PM, #4, Web Hosting Master (Join Date: Sep 2000; Posts: 1,015)
Hi:
I agree, I don't want to take the chance of blocking legit IPs. Two questions then:
1) Can you tell me what command I should run in SSH to take an IP off the drop list, specifically, an IP range like 209.200.133.0/24 ?
2) I don't have anti-DoS or brute force installed, just APF. Is there somewhere in APF that causes it to automatically retrieve a list of IPs to ban by default (i.e. dshield)? I'd like to stop it from doing that.
Thanks!
07-14-2005, 05:31 PM, #5, Web Hosting Master (Join Date: Jan 2005; Posts: 2,203)
The dshield.org list is in BFD; you could just edit the iptables file in /etc/sysconfig/iptables, or remove them from the deny_hosts.rules file and then type:
$ apf -r
Correct me if I'm wrong, I'm sorta new to this iptables/apf thing.
07-14-2005, 05:40 PM, #6, Web Hosting Master (Join Date: Sep 2000; Posts: 1,015)
Hmmm, ok, thanks. If someone knows anything else about 1) or 2), I'd appreciate that as well.
07-14-2005, 05:40 PM, #7, Web Hosting Master (Join Date: Jun 2003; Posts: 976)
Most of those ranges are Asian ones (kr, jp, cn), but others seem to belong to Verio, HE and, e.g., some .at ISP.
IMO you might want to unblock those, just in case they provide legit traffic.
07-14-2005, 05:46 PM, #8, Web Hosting Master (Join Date: Jan 2005; Posts: 2,203)
easybyte, check this topic:
http://www.webhostingtalk.com/showth...hreadid=418979
07-14-2005, 05:46 PM, #9, Junior Guru Wannabe (Join Date: Jun 2005; Posts: 46)
You can edit /etc/apf/conf.apf to change the settings.
Rules 3-7 are banned by default; these networks are reserved for private networks. Set BLK_PRVNET="0" if you want the rules removed. You are not blocking anyone with these rules.
The rest are from dshield.org (check the website) and can be removed if you change USE_DS="0".
... and "apf -r" at the end.
07-14-2005, 05:59 PM, #10, Web Hosting Master (Join Date: Sep 2000; Posts: 1,015)
coderdan, is it a good idea to stop APF from using dshield.org's list? For example, I don't understand why it would ban 48):
66.160.191.0/24
That to me looks like a HE.net IP range. Gotta be legit, right?
07-14-2005, 06:06 PM, #11, Junior Guru Wannabe (Join Date: Jun 2005; Posts: 46)
The dshield.org list contains "Current Most Active Attacking IPs". I didn't experience any legitimate traffic loss. I would use the list. You can whitelist any IP by adding it to /etc/apf/allow_hosts.rules.
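An added example, not code from the thread or from APF itself, that ties together the advice in #9 (conf.apf's BLK_PRVNET and USE_DS switches), the whitelist in #11, and the "how do I take one range off the drop list" question in #4. It reads the output of `iptables -L INPUT -n --line-numbers`, labels each DROP rule by which APF source it came from, and prints the `iptables -D INPUT <num>` commands that remove one range from the running chain. The reserved-network list matches rules 3-7 above; the dshield and deny_hosts lists and the iptables output are constructed stand-ins built from ranges quoted in the thread, not data from a live box (the real block.txt changes daily, so on a server you would feed in the file `wget` fetched).

```shell
#!/bin/sh
# Added example: attribute APF's DROP rules to their source and build the
# delete commands for one range.  Lists below are CONSTRUCTED from the thread.

# Ranges APF drops when BLK_PRVNET="1" (rules 3-7 in the thread).  Only the
# first, second and fourth are RFC 1918 private space; 127.0.0.0/8 is loopback
# and 128.66.0.0/16 is the old documentation TEST-NET.  None of them can be a
# legitimate Internet source address, so these rules block nobody real.
PRVNET="10.0.0.0/8 172.16.0.0/12 128.66.0.0/16 192.168.0.0/16 127.0.0.0/8"

# Constructed stand-in for the network column of feeds.dshield.org/block.txt
# (what USE_DS="1" pulls in).
DSHIELD="209.200.133.0/24 66.160.191.0/24 218.83.155.0/24"

# Constructed stand-in for ranges you added yourself to /etc/apf/deny_hosts.rules.
MYDENY="222.55.65.0/24"

# Constructed `iptables -L INPUT -n --line-numbers` output, trimmed to a few rules.
IPT_OUT='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    DROP       all  --  10.0.0.0/8           0.0.0.0/0
4    DROP       all  --  172.16.0.0/12        0.0.0.0/0
5    DROP       all  --  128.66.0.0/16        0.0.0.0/0
6    DROP       all  --  192.168.0.0/16       0.0.0.0/0
7    DROP       all  --  127.0.0.0/8          0.0.0.0/0
30   DROP       all  --  220.61.144.0/24      0.0.0.0/0
32   DROP       all  --  222.55.65.0/24       0.0.0.0/0
34   DROP       all  --  209.200.133.0/24     0.0.0.0/0
48   DROP       all  --  66.160.191.0/24      0.0.0.0/0'

# in_list NEEDLE "word word ..." -> status 0 if NEEDLE is one of the words.
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# classify RANGE -> prvnet | dshield | deny_hosts | unknown
# "unknown" means no configured source explains the rule: worth investigating.
classify() {
    if in_list "$1" "$PRVNET"; then echo prvnet
    elif in_list "$1" "$DSHIELD"; then echo dshield
    elif in_list "$1" "$MYDENY"; then echo deny_hosts
    else echo unknown
    fi
}

# drop_report -> one line per DROP rule: "<rule number> <source range> <origin>"
# Field 2 is the target and field 5 the source column of iptables -L -n output.
drop_report() {
    printf '%s\n' "$IPT_OUT" | awk '$2 == "DROP" { print $1, $5 }' |
    while read -r num src; do
        echo "$num $src $(classify "$src")"
    done
}

# delete_cmds RANGE -> the iptables commands that remove every DROP rule whose
# source is RANGE.  Highest rule number first: iptables renumbers the chain
# after each -D, so deleting in ascending order would hit the wrong rules.
delete_cmds() {
    printf '%s\n' "$IPT_OUT" | awk -v r="$1" '$2 == "DROP" && $5 == r { print $1 }' |
    sort -rn |
    while read -r num; do
        echo "iptables -D INPUT $num"
    done
}

drop_report
echo
delete_cmds 209.200.133.0/24
```

Deleting by rule number only edits the running chain: `apf -r` rebuilds it from conf.apf, deny_hosts.rules and the dshield feed, which is why the ranges came back the next day in #13. The durable fix is USE_DS="0", removing the range from deny_hosts.rules, or an allow_hosts.rules entry for the range you trust. `iptables -F` is not a substitute; it flushes every rule in the chain, APF's own ACCEPT rules included.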
07-14-2005, 06:34 PM, #12, Web Hosting Master (Join Date: Sep 2000; Posts: 1,015)
Ok, I just set Anti_DOS in APF's config file to "0" to disable it, and upon restarting APF, I see all the IP ranges above are gone from the drop list:
iptables -L INPUT -n --line-numbers
I guess those IPs were blocked by anti-DoS and not dshield.org after all...
07-15-2005, 02:21 PM, #13, Web Hosting Master (Join Date: Sep 2000; Posts: 1,015)
Ok, I spoke too soon. Today when I checked my iptables, a set of IP ranges had once again been added to DROP:
Code:
30 DROP all -- 68.68.102.0/24   0.0.0.0/0
31 DROP all -- 80.193.5.0/24    0.0.0.0/0
32 DROP all -- 211.209.44.0/24  0.0.0.0/0
33 DROP all -- 213.202.217.0/24 0.0.0.0/0
34 DROP all -- 128.223.54.0/24  0.0.0.0/0
35 DROP all -- 61.40.218.0/24   0.0.0.0/0
36 DROP all -- 216.28.119.0/24  0.0.0.0/0
37 DROP all -- 218.92.50.0/24   0.0.0.0/0
38 DROP all -- 195.96.68.0/24   0.0.0.0/0
39 DROP all -- 221.12.78.0/24   0.0.0.0/0
40 DROP all -- 211.40.49.0/24   0.0.0.0/0
41 DROP all -- 80.33.243.0/24   0.0.0.0/0
42 DROP all -- 61.152.158.0/24  0.0.0.0/0
43 DROP all -- 210.245.165.0/24 0.0.0.0/0
44 DROP all -- 140.109.6.0/24   0.0.0.0/0
45 DROP all -- 218.83.153.0/24  0.0.0.0/0
46 DROP all -- 218.66.104.0/24  0.0.0.0/0
47 DROP all -- 66.140.9.0/24    0.0.0.0/0
48 DROP all -- 68.126.232.0/24  0.0.0.0/0
49 DROP all -- 218.83.155.0/24  0.0.0.0/0
Thanks,
07-15-2005, 03:30 PM, #14, Web Hosting Master (Join Date: Jun 2003; Posts: 976)
Take a look at the "DShield.org Recommended Block List" at http://feeds.dshield.org/block.txt
07-15-2005, 04:15 PM, #15, Web Hosting Master (Join Date: Jan 2005; Posts: 2,203)
You could try to remove those IPs in the iptables file. Try iptables -F
07-15-2005, 06:36 PM, #16, Web Hosting Master (Join Date: Sep 2000; Posts: 1,015)
Originally posted by ANewDay
You could try to remove those IPs in the iptables file. Try iptables -F
07-16-2005, 07:52 AM, #17, Junior Guru Wannabe (Join Date: Jun 2005; Posts: 46)
/etc/rc.d/init.d/apf restart
wget http://feeds.dshield.org/block.txt
Then check whether those ranges are in block.txt.