Solved

Urgent - blocking ip address range from hitting linux box

Posted on 2012-03-28
Last Modified: 2012-03-29
Hello Experts,

We have just been hacked.
The IP address appears to come from the Ukraine.

How can I block a range of IP addresses (ideally I want to block all IPs from outside the UK but I am guessing this is probably very complicated!)

A command I have found using google is:

/sbin/route add -host 192.168.0.123 reject

where the 192... address is the IP to block.

I want to block everything starting on this list:

http://www.nirsoft.net/countryip/ua.html

eg
80.91.160.0  to 80.91.175.255
0
Question by:jagku
16 Comments
 
LVL 12

Expert Comment

by:tgtran
ID: 37778661
route add -net 80.91.160.0 netmask 255.255.240.0 reject
0
 

Author Comment

by:jagku
ID: 37778677
Hello, will this also block all IP addresses up to 80.91.175.255?
0
 
LVL 31

Assisted Solution

by:farzanj
farzanj earned 125 total points
ID: 37778681
0
 

Author Comment

by:jagku
ID: 37778872
Hi,

Thank you.
Just want to make sure that I don't do anything wrong (in panic mode!).

Do I execute:

iptables -A INPUT -m iprange --src-range 80.91.160.0-80.91.175.255 -j DROP

To block all the ip addresses between 80.91.160.0 to 80.91.175.255?

Thank you for your replies!
0
 
LVL 12

Assisted Solution

by:tgtran
tgtran earned 125 total points
ID: 37778992
iptables -A INPUT -s  80.91.160.0/20 -j DROP
0
 

Author Comment

by:jagku
ID: 37779268
Hi,

Thank you.

How do I adjust it to reject the SSH port only (ie port 22). Do I do this:

iptables -A INPUT -p tcp --dport 22 -s 80.91.160.0/20 -j DROP

Also, have you got any wiki on how 80.91.160.0/20 translates to '80.91.160.0 to 80.91.175.255'

The common element in my list is that the 3rd part of the ip address (ie 160 and 175 in the above example) has a difference of 15.

Sorry to sound thick but I don't come from a networking background and have been thrown into this by this hacking attempt!
0
 
LVL 27

Expert Comment

by:tliotta
ID: 37779632
It might be emphasized that blocking any addresses at all does not necessarily resolve the problem. Has anybody determined why the 'hack' succeeded in the first place?

Tom
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37780366
is just port 22 your "hacking" problem?
0

Author Comment

by:jagku
ID: 37780467
Hi,

I agree - why the hack succeeded is something that needs to be investigated (ie was it a hack or a disgruntled employee). Port 22 is what they used to get in - so they either SSHed or SFTPed in. All I know is that the unauthorised access emanated from the Ukraine.

I have changed all the passwords and now need to block the full range of IP addresses that try and use port 22 to access the server.

Therefore, if you can send me the command that I need to execute that would be great.

ie is it:

iptables -A INPUT -p tcp --dport 22 -s 80.91.160.0/20 -j DROP

and then for:
62.16.0.0-62.16.31.255
62.64.64.0-62.64.127.255
62.72.160.0-62.72.191.255

is it...

iptables -A INPUT -p tcp --dport 22 -s 62.16.0.0/20 -j DROP
iptables -A INPUT -p tcp --dport 22 -s 62.64.64.0/20 -j DROP
iptables -A INPUT -p tcp --dport 22 -s 62.72.160.0/20 -j DROP

...respectively.

Many Thanks!
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37780575
> .. changed all the passwords and now need to block the full range of IP addresses  ..
if you changed passwords, probably changed access to identity files, and upgraded your ssh to the latest version, I don't see a reason to block specific IPs unless your server is subject to a DoS attack
well, it's defence in depth, which is never a bad thing, but is it worth the configuration overhead?

also how did you prove that the hack was due to ssh? did you check logfiles?
are you sure that the hack was not due to vulnerabilities in your web application for example?
0
 
LVL 5

Assisted Solution

by:1ly4me
1ly4me earned 50 total points
ID: 37780653
Hello,
How about just allowing particular IP/subnet to access SSH and block everything else.
#iptables -I INPUT -p tcp ! -s 192.168.0.10 --dport 22 -j REJECT
or
#iptables -I INPUT -p tcp ! -s 192.168.0.0/24 --dport 22 -j REJECT


This command will block all SSH except particular IP or subnet
0
 

Author Comment

by:jagku
ID: 37780771
Hi,

No, I can't accept everything from specific IP ranges as we can be logging in to the server from anywhere in the UK.

Thanks!
0
 
LVL 1

Accepted Solution

by:bmdobell
bmdobell earned 200 total points
ID: 37781154
Unfortunately for yourself, simply blocking a country's IP range is not going to solve your problems, as there are many open proxies or compromised computers lying all over the internet that hackers use to bypass blanket blocks such as the one you are trying to implement. You really need to sit down and work out what they were after, how exactly they got in, and secure that problem. What you are asking for is a band-aid solution that would stop the simplistic hackers from the Ukraine, but it will do nothing if someone is really after something on your server.

But as per your request, you need to know your subnets to block those IP ranges correctly, and they are not all /20s.

62.16.0.0-62.16.31.255   - /19 = block 62.16.0.0/19
62.64.64.0-62.64.127.255 - /18 = block 62.64.64.0/18
62.72.160.0-62.72.191.255 - /19 = block 62.72.160.0/19

Again, use the iptables commands above to implement these other blocks.

I also suggest you look into brute force protection: after someone has attempted to log on unsuccessfully 10 times = 24 hour block, then after 3 x 24 hour blocks = permanent block.

any other questions just ask.

regards,

Brenton
0
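The brute-force policy Brenton sketches above (10 failures = 24-hour block, three such blocks and the next one is permanent), as an added example that is not part of the thread and not his code: a small Python guard run over constructed sshd log lines. Assumptions not stated in the post: a 10-minute counting window, a 2012 log year (syslog timestamps carry none), the hostname web1, the attacker address 80.91.161.7 (picked inside the thread's 80.91.160.0/20 range) and the admin address 192.168.0.10, and that the firewall change is emitted as an iptables command string rather than executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2012  # syslog timestamps carry no year; assumed for the constructed sample

# Default sshd "Failed password" line; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_failed(line):
    """Return (timestamp, source ip) for a failed-login line, None for any other line."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]

class BruteForceGuard:
    """max_failures inside `window` -> ban for `ban_length`; once `temporary_bans` such bans
    have been served, the next trigger is permanent. Firewall changes are collected as
    iptables command strings in self.rules instead of being executed."""
    def __init__(self, max_failures=10, window=timedelta(minutes=10),
                 ban_length=timedelta(hours=24), temporary_bans=3, port=22):
        self.max_failures, self.window, self.port = max_failures, window, port
        self.ban_length, self.temporary_bans = ban_length, temporary_bans
        self.recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
        self.bans_served = defaultdict(int)
        self.banned_until = {}             # ip -> expiry datetime, or None when permanent
        self.rules = []

    def _rule(self, op, ip):
        return f"iptables {op} INPUT -p tcp --dport {self.port} -s {ip} -j DROP"

    def is_banned(self, ip, now):
        if ip not in self.banned_until:
            return False
        until = self.banned_until[ip]
        if until is None or now < until:
            return True
        del self.banned_until[ip]          # expired: lift the rule (checked lazily, on next sighting)
        self.rules.append(self._rule("-D", ip))
        return False

    def failed_login(self, ts, ip):
        """Record one failure; return None, 'temporary' or 'permanent'."""
        if self.is_banned(ip, ts):
            return None                    # still blocked, nothing new to decide
        q = self.recent[ip]
        q.append(ts)
        while ts - q[0] > self.window:     # forget failures that fell out of the window
            q.popleft()
        if len(q) < self.max_failures:
            return None
        q.clear()
        self.bans_served[ip] += 1
        if self.bans_served[ip] > self.temporary_bans:
            self.banned_until[ip], kind = None, "permanent"
        else:
            self.banned_until[ip], kind = ts + self.ban_length, "temporary"
        self.rules.append(self._rule("-I", ip))
        return kind

def process_log(lines, guard=None):
    """Feed log lines through the guard; return ([(timestamp, ip, action)], guard)."""
    guard = guard or BruteForceGuard()
    events = []
    for line in lines:
        parsed = parse_failed(line)
        if parsed is None:
            continue
        ts, ip = parsed
        action = guard.failed_login(ts, ip)
        if action:
            events.append((ts.strftime("%b %d %H:%M:%S"), ip, action))
    return events, guard

def constructed_log():
    """Constructed sample, not a real log: the attacker fires four bursts of ten failures
    48 hours apart; the admin mistypes three times from 192.168.0.10, then gets in."""
    entries = []
    def failed(ts, ip, who, port):
        entries.append((ts, f"{ts.strftime('%b %d %H:%M:%S')} web1 sshd[{1000 + port % 1000}]: "
                            f"Failed password for {who} from {ip} port {port} ssh2"))
    for burst in range(4):
        start = datetime(LOG_YEAR, 3, 28, 10, 0, 0) + timedelta(hours=48 * burst)
        for i in range(10):
            failed(start + timedelta(seconds=10 * i), "80.91.161.7",
                   "root" if i % 2 else "invalid user admin", 40000 + i)
    t = datetime(LOG_YEAR, 3, 28, 10, 5, 0)
    for i in range(3):
        failed(t + timedelta(seconds=15 * i), "192.168.0.10", "jagku", 51000 + i)
    ok = t + timedelta(seconds=50)
    entries.append((ok, f"{ok.strftime('%b %d %H:%M:%S')} web1 sshd[1234]: "
                        f"Accepted publickey for jagku from 192.168.0.10 port 51003 ssh2"))
    entries.sort()
    return [line for _, line in entries]

if __name__ == "__main__":
    events, guard = process_log(constructed_log())
    for event in events:
        print(*event)
    print("\n".join(guard.rules))
```

Expiry is handled lazily: the -D rule is emitted the next time a banned address is seen after its ban has lapsed, so a cron job or a proper tool such as fail2ban (which implements this same idea) is still needed to lift rules for attackers who simply stop.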
 

Author Comment

by:jagku
ID: 37781193
Hi Brenton,

Thank you - you're absolutely right. I'm looking for a band-aid solution for now (just to give us some breathing space) and then create and implement a proper strategy that accounts for the things you mentioned, where they can piggyback off other servers to access my server.

Just to clarify, do I run the following commands:

iptables -A INPUT -p tcp --dport 22 -s 62.16.0.0/19 -j DROP
iptables -A INPUT -p tcp --dport 22 -s 62.64.64.0/18 -j DROP
iptables -A INPUT -p tcp --dport 22 -s 62.72.160.0/19 -j DROP
iptables -A INPUT -p tcp --dport 22 -s 80.91.160.0/20 -j DROP

1) To block the relevant ranges accessing the server via port 22?
2) Is there a tool out there where I can enter a range - and it comes back to me with what the subnets are?
3) If you can tell me what the subnet is for: 80.91.176.0-80.91.191.255 that would be great.

Many Thanks everyone for all your help!
0
 
LVL 1

Expert Comment

by:bmdobell
ID: 37781219
There are lots of calculators out there to calculate subnets, but they are not very hard to do in your head when you know how to do it.

But yes those commands should do it.

and 80.91.176.0-80.91.191.255 - /20 = 80.91.176.0/20

Regards,

Brenton
0
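The subnet arithmetic behind the answers above (how 80.91.160.0/20 becomes 80.91.160.0 to 80.91.175.255, and how to turn any range back into the blocks to feed iptables), as an added example that is not part of the thread and not the posters' code. It works on the ranges quoted in the thread, goes beyond them by handling a range that is not a single aligned block (10.0.0.5 to 10.0.0.10, constructed here), checks its own answer against Python's ipaddress module, and emits the rules with the -p tcp that --dport requires (iptables refuses --dport outside a protocol match, which is why the bare "--dport 22" form the thread started with would not load). Port 22, chain INPUT and target DROP are assumed defaults.

```python
import ipaddress

# Ranges quoted in the thread (from the nirsoft Ukraine list) plus one constructed,
# deliberately unaligned range to show that a range is not always one CIDR block.
RANGES = [
    ("62.16.0.0", "62.16.31.255"),
    ("62.64.64.0", "62.64.127.255"),
    ("62.72.160.0", "62.72.191.255"),
    ("80.91.160.0", "80.91.175.255"),
    ("80.91.176.0", "80.91.191.255"),
    ("10.0.0.5", "10.0.0.10"),   # constructed, not from the list
]

def ip_to_int(ip):
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]

def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def cidr_to_range(cidr):
    """'80.91.160.0/20' -> ('80.91.160.0', '80.91.175.255').
    /20 fixes the top 20 bits; the low 12 bits run from all-zero to all-one,
    i.e. 4096 addresses, which is 16 consecutive values of the third octet."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    first = ip_to_int(ip) & mask
    last = first | (~mask & 0xFFFFFFFF)
    return int_to_ip(first), int_to_ip(last)

def range_to_cidrs(first, last):
    """Minimal CIDR cover of an inclusive range. Greedy: at each step take the largest
    block that is both aligned at `start` (block size divides start) and ends by `end`."""
    start, end = ip_to_int(first), ip_to_int(last)
    if start > end:
        raise ValueError("range is reversed")
    blocks = []
    while start <= end:
        align_bits = 32 if start == 0 else (start & -start).bit_length() - 1  # trailing zero bits
        fit_bits = (end - start + 1).bit_length() - 1                         # floor(log2(remaining))
        size_bits = min(align_bits, fit_bits)
        blocks.append(f"{int_to_ip(start)}/{32 - size_bits}")
        start += 1 << size_bits
    return blocks

def iptables_rules(ranges, port=22, chain="INPUT", target="DROP"):
    """One rule per CIDR block. --dport only exists inside the tcp/udp match,
    so every rule carries -p tcp; iptables rejects the option without it."""
    return [f"iptables -A {chain} -p tcp --dport {port} -s {cidr} -j {target}"
            for first, last in ranges
            for cidr in range_to_cidrs(first, last)]

def agrees_with_stdlib(first, last):
    """Cross-check the hand-rolled cover against ipaddress.summarize_address_range."""
    expected = [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]
    return range_to_cidrs(first, last) == expected

if __name__ == "__main__":
    for first, last in RANGES:
        print(f"{first}-{last} -> {', '.join(range_to_cidrs(first, last))}"
              f"  (stdlib agrees: {agrees_with_stdlib(first, last)})")
    print("\n".join(iptables_rules(RANGES)))
```

The thread's rule of thumb (a difference of 15 in the third octet means a /20) only holds when the first address is aligned: 80.91.160.0 and 80.91.176.0 are multiples of 16 in the third octet, so each range is one /20, whereas 10.0.0.5 to 10.0.0.10 needs four blocks. For a whole-country list this quickly becomes hundreds of rules, so an ipset or a GeoIP match is the usual tool, but the arithmetic is the same.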
 

Author Closing Comment

by:jagku
ID: 37781249
Thank you everyone for your help!
0
