Urgent - blocking ip address range from hitting linux box

Hello Experts,

We have just been hacked.
The IP address appears to come from the Ukraine.

How can I block a range of IP addresses (ideally I want to block all IPs from outside the UK but I am guessing this is probably very complicated!)

A command I have found using google is:

/sbin/route add -host 192.168.0.123 reject

where the 192... address is the IP to block.

I want to block everything starting on this list:

http://www.nirsoft.net/countryip/ua.html

eg
80.91.160.0  to 80.91.175.255
jagku asked:

TG Tran (IT guy) commented:
route add -net 80.91.160.0 netmask 255.255.240.0 reject
jagku (Author) commented:
Hello, will this also block all IP addresses up to 80.91.175.255?
farzanj commented:

jagku (Author) commented:
Hi,

Thank you.
Just want to make sure that I don't do anything wrong (in panic mode!).

Do I execute:

iptables -A INPUT -m iprange --src-range 80.91.160.0-80.91.175.255 -j DROP

To block all the ip addresses between 80.91.160.0 to 80.91.175.255?

Thank you for your replies!
TG Tran (IT guy) commented:
iptables -A INPUT -s  80.91.160.0/20 -j DROP
jagku (Author) commented:
Hi,

Thank you.

How do I adjust it to reject the SSH port only (ie port 22). Do I do this:

iptables -A INPUT -p tcp --dport 22 -s 80.91.160.0/20 -j DROP

Also, have you got any wiki on how 80.91.160.0/20 translates to '80.91.160.0 to 80.91.175.255'

The common element in my list is that the 3rd part of the ip address (ie 160 and 175 in the above example) has a difference of 15.

Sorry to sound thick but I don't come from a networking background and have been thrown into this by this hacking attempt!
tliotta commented:
It might be emphasized that blocking any addresses at all does not necessarily resolve the problem. Has anybody determined why the 'hack' succeeded in the first place?

Tom
ahoffmann commented:
Is just port 22 your "hacking" problem?
jagku (Author) commented:
Hi,

I agree - why the hack succeeded is something that needs to be investigated (ie was it a hack or a disgruntled employee). Port 22 is what they used to get in - so they either SSHed or SFTPed in. All I know is that the unauthorised access emanated from the Ukraine.

I have changed all the passwords and now need to block the full range of IP addresses that try and use port 22 to access the server.

Therefore, if you can send me the command that I need to execute that would be great.

ie is it:

iptables -A INPUT -p tcp --dport 22 -s 80.91.160.0/20 -j DROP

and then for:
62.16.0.0-62.16.31.255
62.64.64.0-62.64.127.255
62.72.160.0-62.72.191.255

is it...

iptables -A INPUT -p tcp --dport 22 -s 62.16.0.0/20 -j DROP
iptables -A INPUT -p tcp --dport 22 -s 62.64.64.0/20 -j DROP
iptables -A INPUT -p tcp --dport 22 -s 62.72.160.0/20 -j DROP

...respectively.

Many Thanks!
ahoffmann commented:
> .. changed all the passwords and now need to block the full range of IP addresses  ..
If you changed passwords, probably changed access with identity files, and upgraded your ssh to the latest version, I don't see a reason to block specific IPs unless your server is subject to a DoS attack.
Well, it's defence in depth, which is never bad, but is it worth the configuration overhead?

Also, how did you prove that the hack was due to ssh? Did you check logfiles?
Are you sure that the hack was not due to vulnerabilities in your web application, for example?
1ly4me commented:
Hello,
How about just allowing particular IP/subnet to access SSH and block everything else.
#iptables -I INPUT -p tcp ! -s 192.168.0.10 --dport 22 -j REJECT
or
#iptables -I INPUT -p tcp ! -s 192.168.0.0/24 --dport 22 -j REJECT


This command will block all SSH except particular IP or subnet
jagku (Author) commented:
Hi,

No, I can't accept everything from specific IP ranges as we can be logging in to the server from anywhere in the UK.

Thanks!
bmdobell commented:
Unfortunately for you, simply blocking a country's IP range is not going to solve your problems, as there are many open proxies or compromised computers lying all over the internet that hackers use to bypass blanket blocks such as the one you are trying to implement. You really need to sit down and work out what they were after, how exactly they got in, and secure that problem. What you are asking for is a band-aid solution that would stop the simplistic hackers from the Ukraine, but it will do nothing if someone is really after something on your server.

But as per your request, you need to know your subnets to block those IP ranges correctly, and they are not all /20s.

62.16.0.0-62.16.31.255   - /19 = block 62.16.0.0/19
62.64.64.0-62.64.127.255 - /18 = block 62.64.64.0/18
62.72.160.0-62.72.191.255 - /19 = block 62.72.160.0/19

Again, use the iptables commands above to implement these other blocks.

I also suggest you look into brute force protection: after someone has attempted to log on unsuccessfully 10 times = 24 hour block, then after 3 x 24 hour blocks = permanent block.

any other questions just ask.

regards,

Brenton
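Brenton's brute-force rule (10 failed logins earn a 24-hour block, three such blocks become permanent), as an added Python example that is not code from this thread: it parses sshd "Failed password" lines in the format OpenSSH writes to the auth log, applies the escalating policy per source address, and renders the matching SSH-only iptables rule (with the `-p tcp` that `--dport` requires). The log lines, hostname, addresses and the year (syslog timestamps carry none) are all constructed or assumed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line OpenSSH writes on a failed password attempt. The hostname and the
# optional "invalid user" prefix vary; the rest of the layout is fixed.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


class BruteForcePolicy:
    """Escalating policy: max_failures -> timed block; max_blocks timed blocks -> permanent."""

    def __init__(self, max_failures=10, block_hours=24, max_blocks=3, year=2012):
        self.max_failures = max_failures
        self.block_hours = block_hours
        self.max_blocks = max_blocks
        self.year = year  # assumed: syslog timestamps do not carry a year
        self.failures = defaultdict(int)       # ip -> failures since the last block
        self.block_starts = defaultdict(list)  # ip -> start times of timed blocks
        self.permanent = set()                 # ips that have been blocked for good

    def feed(self, line):
        """Consume one log line; return a block decision tuple or None."""
        m = FAILED_RE.match(line)
        if m is None:
            return None  # not a failed-password line (e.g. "Accepted publickey")
        ip = m["ip"]
        if ip in self.permanent:
            return None
        ts = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        self.failures[ip] += 1
        if self.failures[ip] < self.max_failures:
            return None
        # Threshold reached: reset the counter and record a timed block.
        self.failures[ip] = 0
        self.block_starts[ip].append(ts)
        if len(self.block_starts[ip]) >= self.max_blocks:
            self.permanent.add(ip)
            return ("permanent", ip, None)
        return ("temporary", ip, ts + timedelta(hours=self.block_hours))

    def evaluate(self, lines):
        """Run the policy over a sequence of lines and collect the decisions."""
        return [d for d in (self.feed(line) for line in lines) if d is not None]


def iptables_rule(decision):
    """Render the SSH-only drop rule for a decision; -p tcp is required by --dport."""
    kind, ip, until = decision
    rule = f"iptables -I INPUT -p tcp --dport 22 -s {ip} -j DROP"
    if kind == "temporary":
        rule += f"  # remove with -D after {until:%Y-%m-%d %H:%M}"
    return rule


def constructed_log():
    """Constructed sample: 30 failures from one address, one typo and a good login from another."""
    lines = [
        f"Mar  3 10:{i:02d}:00 host sshd[{1200 + i}]: Failed password for root "
        f"from 198.51.100.7 port {40000 + i} ssh2"
        for i in range(30)
    ]
    lines.append("Mar  3 10:31:00 host sshd[1300]: Failed password for alice from 203.0.113.5 port 50001 ssh2")
    lines.append("Mar  3 10:32:00 host sshd[1301]: Accepted publickey for alice from 203.0.113.5 port 50002 ssh2")
    return lines


if __name__ == "__main__":
    policy = BruteForcePolicy()
    for decision in policy.evaluate(constructed_log()):
        print(iptables_rule(decision))
```

Run against the constructed log, the attacker address collects two timed blocks and then a permanent one, while the legitimate user's single typo never reaches the threshold. A timed block needs something to lift it again (a cron or at job running the `-D` form of the same rule), which is the part tools such as fail2ban automate.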
jagku (Author) commented:
Hi Brenton,

Thank you - you're absolutely right. I'm looking for a band-aid solution for now (just to give us some breathing space) and then create and implement a proper strategy that accounts for the things you mentioned that can piggyback off other servers to access my server.

Just to clarify, do I run the following commands:

iptables -A INPUT -p tcp --dport 22 -s 62.16.0.0/19 -j DROP
iptables -A INPUT -p tcp --dport 22 -s 62.64.64.0/18 -j DROP
iptables -A INPUT -p tcp --dport 22 -s 62.72.160.0/19 -j DROP
iptables -A INPUT -p tcp --dport 22 -s 80.91.160.0/20 -j DROP

1) To block the relevant ranges accessing the server via port 22?
2) Is there a tool out there where I can enter a range - and it comes back to me with what the subnets are?
3) If you can tell me what the subnet is for: 80.91.176.0-80.91.191.255 that would be great.

Many Thanks everyone for all your help!
bmdobell commented:
There are lots of calculators out there to calculate subnets, but they are not very hard to do in your head when you know how.

But yes those commands should do it.

and 80.91.176.0-80.91.191.255 - /20 = 80.91.176.0/20

Regards,

Brenton
jagku (Author) commented:
Thank you everyone for your help!
Question has a verified solution.