Blocking Brazilian spammers

  #1  
11-17-2005, 03:35 PM
sasha
Hail Eris !
 
Join Date: Oct 2002
Location: Canada
Posts: 3,100

It seems that lately most of the dictionary attacks and spam on the servers I look after come from Brazil. Whatever the reason is, blocking these IP ranges helps a lot in this matter.

/sbin/iptables -I INPUT -s 200.17.0.0/16 -j DROP
/sbin/iptables -I INPUT -s 200.18.0.0/15 -j DROP
/sbin/iptables -I INPUT -s 200.20.0.0/16 -j DROP
/sbin/iptables -I INPUT -s 200.96.0.0/13 -j DROP
/sbin/iptables -I INPUT -s 200.128.0.0/9 -j DROP
/sbin/iptables -I INPUT -s 201.0.0.0/12 -j DROP
/sbin/iptables -I INPUT -s 201.16.0.0/12 -j DROP
/sbin/iptables -I INPUT -s 201.32.0.0/12 -j DROP
/sbin/iptables -I INPUT -s 201.48.0.0/12 -j DROP


It might help someone. I gave up on blocking one IP at a time. The next countries I am looking at are Taiwan, Vietnam and China.
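An added example, not part of the original post: a pre-deployment audit of the nine ranges above (written as full dotted quads) that merges adjacent rules, counts how many addresses they drop, and checks whether a given address would be caught. The function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# The nine source ranges from the post, written as full dotted quads
# (ipaddress rejects the abbreviated "200.17/16" form).
POSTED_RANGES = [
    "200.17.0.0/16", "200.18.0.0/15", "200.20.0.0/16",
    "200.96.0.0/13", "200.128.0.0/9",
    "201.0.0.0/12", "201.16.0.0/12", "201.32.0.0/12", "201.48.0.0/12",
]

def parse_ranges(cidrs):
    """Parse CIDR strings strictly: host bits set below the mask raise ValueError."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def collapse(networks):
    """Merge adjacent and overlapping networks into the fewest equivalent rules."""
    return list(ipaddress.collapse_addresses(networks))

def blocked_address_count(networks):
    """Count distinct addresses covered (collapse first so overlaps count once)."""
    return sum(n.num_addresses for n in collapse(networks))

def matching_rule(address, networks):
    """Return the network that would drop `address`, or None if it passes."""
    ip = ipaddress.ip_address(address)
    return next((n for n in networks if ip in n), None)

if __name__ == "__main__":
    nets = parse_ranges(POSTED_RANGES)
    merged = collapse(nets)
    print(f"{len(nets)} rules collapse to {len(merged)}:")
    for n in merged:
        print(f"  {n}  ({n.num_addresses:,} addresses)")
    print(f"total addresses dropped: {blocked_address_count(nets):,}")
    # Constructed sample addresses, checked before the rules go live.
    for sample in ("200.19.4.7", "200.21.0.1", "201.63.255.255"):
        print(sample, "->", matching_rule(sample, nets) or "not blocked")
```

Running the same check against the addresses of known customers or upstream mail relays before loading the rules shows up front who would be cut off.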

  #2  
11-17-2005, 04:33 PM
bloodyman
Web Hosting Guru
 
Join Date: Oct 2004
Posts: 283
Thanks for those rules!

  #3  
11-17-2005, 05:54 PM
jfnllc
Lorem Ipsum
 
Join Date: Nov 2002
Location: Oregon
Posts: 1,221
I just applied them. We'll see how they work!

__________________
JetfireVPS.com ● Jetfire Networks L.L.C. OpenVZ VPS Virtual Storage Managed Web Hosting ● cPanel Cert. #YCNG-050617
Public Uptime Reports Never Oversold Custom Configurations Virtualizor Control Panel 99% Uptime SLA


  #4  
11-17-2005, 07:45 PM
Eglis
Junior Guru Wannabe
 
Join Date: Oct 2005
Location: Quebec
Posts: 60
wow that is mean

I'd do something more like this, since it's only causing you an "ssh" problem.

Just my point of view

/sbin/iptables -I INPUT -s 200.17.0.0/16 -p tcp -m tcp --dport 22 -j DROP
/sbin/iptables -I INPUT -s 200.18.0.0/15 -p tcp -m tcp --dport 22 -j DROP
/sbin/iptables -I INPUT -s 200.20.0.0/16 -p tcp -m tcp --dport 22 -j DROP
/sbin/iptables -I INPUT -s 200.96.0.0/13 -p tcp -m tcp --dport 22 -j DROP
/sbin/iptables -I INPUT -s 200.128.0.0/9 -p tcp -m tcp --dport 22 -j DROP
/sbin/iptables -I INPUT -s 201.0.0.0/12 -p tcp -m tcp --dport 22 -j DROP
/sbin/iptables -I INPUT -s 201.16.0.0/12 -p tcp -m tcp --dport 22 -j DROP
/sbin/iptables -I INPUT -s 201.32.0.0/12 -p tcp -m tcp --dport 22 -j DROP
/sbin/iptables -I INPUT -s 201.48.0.0/12 -p tcp -m tcp --dport 22 -j DROP

  #5  
11-17-2005, 08:03 PM
sasha
Hail Eris !
 
Join Date: Oct 2002
Location: Canada
Posts: 3,100
Quote:
Originally Posted by Eglis
wow that is mean

I'd do something more like this, since it's only causing you an "ssh" problem.

Just my point of view

ssh access is restricted and passwords are too hard to guess. ssh is just part of the problem; there are daily scans from those IPs for known holes in scripts, and every once in a while, when a hole is found, they upload a script and try sending email. I cannot watch every single script clients upload. Mail, ssh, http passwords, even horde and cpanel are hit. The only way to stop it is to block any access from those IPs. Again, Brazil is only part of the problem; there are a few more countries that have no decent regulation about internet access, and there is no benefit to my clients from having people in those countries access these servers. Their credit cards are fake and there is no way to take any legal action against them. I believe that the only way to get those governments and ISPs to take any action is to cut them off.

  #6  
11-18-2005, 06:31 AM
bloodyman
Web Hosting Guru
 
Join Date: Oct 2004
Posts: 283
I do agree with sasha.

  #7  
11-18-2005, 01:10 PM
Blapto
Web Hosting Evangelist
 
Join Date: Sep 2005
Location: Essex, England
Posts: 548
Exactly how many is a brazillion?

  #8  
Old 03-25-2011, 12:12 AM
EduardoNunes EduardoNunes is offline
New Member
 
Join Date: Mar 2011
Location: Sao Paulo, Brazil
Posts: 2
There is always another way...

I disagree with sasha; blocking many innocent people that are inside a CIDR block is never a good option.

You can instead use an IDS (Intrusion Detection System) technology to prevent yourself from being attacked, by also blocking the attacks from offenders.

I like to use (and I do recommend using) sshblacklist (google for it). It is a very simple Perl script which you can adapt to many uses; I can give a hint of some:

sshblacklist's main use is to monitor your ssh log for failed passwords and then block the offender's IP after some pre-defined number of login failures, for as long as you want, using anything from iptables|ipfw|your_own_script. Plus it will send you an email alert, so you know what actions have been taken against whom.

The best thing about sshblacklist is that you can easily adapt it to monitor log files from cpanel, apache, pop3, imap, smtp, ftp, irc, any service that you wish! Using a RegEx to match the failure line, sshblacklist will get the offender's IP and run the command you set.

This way you will be protected from any attack coming from anywhere in the world, and have no need to worry about blocking CIDRs anymore!!

A cool smtp use I make is dropping all packets from a server I reject receiving a message from. This prevents a spammer from delivering a later spam that could somehow bypass the filters, annoys them by having emails which never deliver, plus saves my CPU and log resources!

Best Regards from Brazil!
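The log-watching approach described in the post above, as an added example that is neither sshblacklist's code nor part of the original post: it counts sshd failures per source address in a sliding window and renders a DROP rule for each offender. It assumes OpenSSH's syslog "Failed password" line format; the threshold, window, allowlist, year and sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The user name is chosen by the client and may itself contain " from 1.2.3.4 port 1",
# so the pattern is anchored at the end and only the final "from IP port N" is used.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* "
    r"from (?P<ip>\S+) port \d+(?: ssh\d?)?$")

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE = """\
Mar 25 00:10:01 host sshd[911]: Failed password for root from 203.0.113.7 port 4001 ssh2
Mar 25 00:10:05 host sshd[912]: Failed password for invalid user admin from 203.0.113.7 port 4002 ssh2
Mar 25 00:10:09 host sshd[913]: Failed password for invalid user x from 198.51.100.9 port 1 from 203.0.113.7 port 4003 ssh2
Mar 25 00:11:00 host sshd[914]: Failed password for bob from 192.0.2.44 port 5001 ssh2
Mar 25 00:30:00 host sshd[915]: Failed password for bob from 192.0.2.44 port 5002 ssh2
Mar 25 00:30:30 host sshd[916]: Failed password for bob from 192.0.2.44 port 5003 ssh2
""".splitlines()

def offenders(lines, threshold=3, window=timedelta(minutes=10),
              allowlist=("127.0.0.0/8",), year=2011):
    """IPs with `threshold` failures inside `window`; syslog omits the year, so it is passed in."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    flagged = []
    for line in lines:
        m = FAILED.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])   # rejects anything that is not an IP
        except ValueError:
            continue
        if any(ip in net for net in allowed) or str(ip) in flagged:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.append(str(ip))
    return flagged

def drop_rules(ips):
    """Render one iptables command per offender; returned for review, not executed."""
    return [f"/sbin/iptables -I INPUT -s {ip} -j DROP" for ip in ips]
```

On the sample, `drop_rules(offenders(SAMPLE))` yields a single rule for 203.0.113.7: the address embedded in the user name on the third line is never counted, and the three failures from 192.0.2.44 fall outside one ten-minute window.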

  #9  
Old 03-25-2011, 12:30 AM
StevenG StevenG is offline
Web Hosting Master
 
Join Date: Apr 2002
Location: Auckland - New Zealand
Posts: 1,573
The OP mentioned spammers, so not sure what this has to do with ssh guys

Anyway, does seem a bit brutal to ban all those ranges completely..

__________________
Flash Arcade Games

  #10  
Old 03-26-2011, 04:27 PM
EduardoNunes EduardoNunes is offline
New Member
 
Join Date: Mar 2011
Location: Sao Paulo, Brazil
Posts: 2
It's a wonderful world... full of possibilities!!

The OP also mentioned dictionary attacks (which include ssh too!)..

As for the spam, one can set up postfix to log a keyword when it flags a spam and adapt sshblacklist to take firewall actions against the postfix logged keyword.. it is one of many ideas...

I also developed one simple mail filter for postfix which can help prevent unwanted email; feel free to google for mail_from_check.sh and my name.

Best Regards!


Last edited by EduardoNunes; 03-26-2011 at 04:32 PM.
  #11  
Old 03-26-2011, 05:39 PM
Bo | TMZhosting Bo | TMZhosting is offline
Junior Guru Wannabe
 
Join Date: Mar 2010
Location: NJ, USA
Posts: 58
It just depends on what kind of "attacks" are coming. If it is dictionary attacks (which do indeed use ssh sometimes), blocking a range of IPs that have been logged is a good idea. Blocking an entire range can backfire in many ways.

I always prefer a properly configured CISCO NAT with a few security scripts.

-Eduardo I am going to try that sshblacklist script and see how it works, props for that
