After reading this article:

http://www.theregister.co.uk/2005/08/31/blocking_chinese_ip_addresses/

I got to thinking that there is really no reason for *any* traffic to hit my servers that comes from anywhere outside North America. So I wrote the perl script at the end of this posting to extract selected IP ranges posted at iana.org and convert them into iptables rules blocking any traffic from those ranges.

I'd like comments on this. I know it's not perfect as there are both corporate and 'various registries' address ranges that aren't covered but it's a start. Since my company web site is hosted elsewhere but we are doing the DNS, I put in the exceptions for DNS.

In my ten or so years of administering Linux servers, following the usual security precautions has been sufficient: closing unused ports, keeping up to date on patches, limiting permissions and logins, etc. I've never had a system broken into.

But if I can lessen the bandwidth used up by brute-force password attacks and port scans at the cost of a few CPU cycles, that's a good thing. I've had the new rules up on one server for about half an hour and can see about 10 or so connection attempts from the addresses in question.

What do you think?

Kirk Bocek

#!/usr/bin/perl
#
# iana-makeiptables.pl
# Convert IPv4 Address assignment document from iana.org into
# a shell script that will insert iptables rules to block traffic
# from selected regional registries.
#
# Copy the data from:
# http://www.iana.org/assignments/ipv4-address-space
# and save it to the file in $datafile (here -- iana-assignments.dat)
# Then edit the 'my @block' line below to select the registries you want to block
#
# Sept 6, 2005 Kirk Bocek
#
use strict;
use warnings;

my $datafile='iana-assignments.dat';
my $outfile='iana-block.sh';
#Registries are ARIN APNIC RIPE LACNIC AfriNIC
my @block=qw/APNIC RIPE LACNIC AfriNIC/;

die "Data File $datafile Not Found!" unless -f $datafile;
die "Cannot open $outfile for writing: $!" unless open OUT, ">$outfile";
die "Cannot open $datafile for reading: $!" unless open DAT, "<$datafile";

print OUT "#!/bin/bash\n";
print OUT "# Blocking traffic from: @block\n";
print OUT "# Generated by iana-makeiptables.pl\n";

foreach (<DAT>) {
    next unless /^\d{3}\/8/;    # Only the 'NNN/8 ...' assignment lines
    BLOCK: foreach my $reg (@block) {
        if (/^(\d{3})\/8.*$reg/) {
            my $x=$1;
            $x=substr($x,1) if substr($x,0,1) eq '0'; #Strip leading zero
            $x=substr($x,1) if substr($x,0,1) eq '0'; #Might be two of them
            print OUT 'iptables -I INPUT -s ',$x,".0.0.0/8 -j DROP\n";
            last BLOCK;
        }
    }
}

#Put any exceptions here
#For example, I'm allowing DNS traffic
#(-I inserts at the head of the chain, so these land above the DROP rules)
print OUT "iptables -I INPUT -p tcp -m tcp --dport 53 -j ACCEPT\n";
print OUT "iptables -I INPUT -p udp -m udp --dport 53 -j ACCEPT\n";

close OUT;
close DAT;
# End of iana-makeiptables.pl
On Tue, 2005-09-06 at 13:19, Kirk Bocek wrote:
> After reading this article:
>
> http://www.theregister.co.uk/2005/08/31/blocking_chinese_ip_addresses/
>
> I got to thinking that there is really no reason for *any* traffic to
> hit my servers that comes from anywhere outside North America. So I
> wrote the perl script at the end of this posting to extract selected IP
> ranges posted at iana.org and convert them into iptables rules blocking
> any traffic from those ranges.
> In my ten or so years of administering Linux servers, following the
> usual security precautions has been sufficient: closing unused ports,
> keeping up to date on patches, limiting permissions and logins, etc.
> I've never had a system broken into.
>
> But if I can lessen the bandwidth used up by brute-force password
> attacks and port scans at the cost of a few CPU cycles, that's a good
> thing. I've had the new rules up on one server for about half an hour
> and can see about 10 or so connection attempts from the addresses in
> question.
>
> What do you think?

Actually this won't reduce any bandwidth to your server. The probes still hit that address, you are just blocking those packets in iptables from being able to get any further. If you could implement this further up the line then you could reduce traffic to your servers.

Putting a blanket deny on traffic from specific IP ranges is effective if attacks are coming from those ranges. The problem is that hackers will typically want to use an intermediate site to launch an actual attack from. This makes it harder to trace the actual source of the attack. At least good hackers do this. Script kiddies don't know to do this. As such I am not convinced this provides that much protection in the long run.

But if this is something you see in your log files and have no need to have users from those address blocks access your site then IMHO you have the right to block those addresses. Just don't expect it to reduce the traffic hitting your server unless you block it at a router further up the line.
On Tue, 2005-09-06 at 10:19 -0700, Kirk Bocek wrote:
> After reading this article:
>
> http://www.theregister.co.uk/2005/08/31/blocking_chinese_ip_addresses/
>
> I got to thinking that there is really no reason for *any* traffic to
> hit my servers that comes from anywhere outside North America. So I
> wrote the perl script at the end of this posting to extract selected IP
> ranges posted at iana.org and convert them into iptables rules blocking
> any traffic from those ranges.
>
> I'd like comments on this. I know it's not perfect as there are both
> corporate and 'various registries' address ranges that aren't covered
> but it's a start. Since my company web site is hosted elsewhere but we
> are doing the DNS, I put in the exceptions for DNS.
>
> In my ten or so years of administering Linux servers, following the
> usual security precautions has been sufficient: closing unused ports,
> keeping up to date on patches, limiting permissions and logins, etc.
> I've never had a system broken into.
>
> But if I can lessen the bandwidth used up by brute-force password
> attacks and port scans at the cost of a few CPU cycles, that's a good
> thing. I've had the new rules up on one server for about half an hour
> and can see about 10 or so connection attempts from the addresses in
> question.
>
> What do you think?
>
> Kirk Bocek
>
>
> #!/usr/bin/perl
> #
> # iana-makeiptables.pl
> # Convert IPv4 Address assignment document from iana.org into
> # a shell script that will insert iptables rules to block traffic
> # from selected regional registries.
> #
> # Copy the data from:
> # http://www.iana.org/assignments/ipv4-address-space
> # and save it to the file in $datafile (here -- iana-assignments.dat)
> # Then edit the 'my @block' line below to select the registries you want to block
> #
> # Sept 6, 2005 Kirk Bocek
> #
> use strict;
>
> my $datafile='iana-assignments.dat';
> my $outfile='iana-block.sh';
> #Registries are ARIN APNIC RIPE LACNIC AfriNIC
> my @block=qw/APNIC RIPE LACNIC AfriNIC/;
>
> die "Data File $datafile Not Found!" unless -f $datafile;
> die "Cannot open $outfile for writing!" unless open OUT, ">$outfile";
> die "Cannot open $datafile for reading!" unless open DAT, "<$datafile";
>
> print OUT "#!/bin/bash\n";
> print OUT "# Blocking traffic from: @block\n";
> print OUT "# Generated by iana-makeiptables.pl\n";
>
> foreach (<DAT>) {
>     next unless /^\d{3}\/8/;
>     BLOCK: foreach my $reg (@block) {
>         if (/^(\d{3})\/8.*$reg/) {
>             my $x=$1;
>             $x=substr($x,1) if substr($x,0,1) eq '0'; #Strip leading zero
>             $x=substr($x,1) if substr($x,0,1) eq '0'; #Might be two of them
>             print OUT 'iptables -I INPUT -s ',$x,".0.0.0/8 -j DROP\n";
>             last BLOCK;
>         }
>     }
> }
>
> #Put any exceptions here
> #For example, I'm allowing DNS traffic
> print OUT "iptables -I INPUT -p tcp -m tcp --dport 53 -j ACCEPT\n";
> print OUT "iptables -I INPUT -p udp -m udp --dport 53 -j ACCEPT\n";
>
>
> close OUT;
> close DAT;
> # End of iana-makeiptables.pl

Awesome, added to my todo list.

Regards,
Ted
It will reduce bandwidth, not all, maybe not much, but unestablished TCP connections take less bandwidth than established, with most of the bandwidth being used by the protocol data on top of the established session (even if it's just a reject).

Nelson
Kirk Bocek wrote:
> After reading this article:
>
> http://www.theregister.co.uk/2005/08/31/blocking_chinese_ip_addresses/
>
> I got to thinking that there is really no reason for *any* traffic to
> hit my servers that comes from anywhere outside North America. So I
> wrote the perl script at the end of this posting to extract selected
> IP ranges posted at iana.org and convert them into iptables rules
> blocking any traffic from those ranges.

Sure! Greetings from Holland (The Netherlands) by the way.

As an entrepreneur my company is doing business all over the world. Simply blocking the "Rest of the world" is a foolish thing. That means that somebody from India (a lot of US and European countries are running their operations from that country). As far as I can read your script, even an e-mail from India or Europe would not get through (It blocks a lot of spam *grin* but also business opportunities).

My strategy is to block anything with a login-prompt except for hosts which are on my local network or connect via a VPN. So I've disabled telnet (port 23) and SSH (port 22) is only allowed from my local network or from users connected through the VPN. I run an FTP server on almost all my servers, but the only one reachable from the Internet is a CentOS mirror you can use anonymously. DNS, http(s) and smtp traffic is allowed by my firewall to the servers. The rest is blocked.

> I'd like comments on this. I know it's not perfect as there are both
> corporate and 'various registries' address ranges that aren't covered
> but it's a start. Since my company web site is hosted elsewhere but we
> are doing the DNS, I put in the exceptions for DNS.

START with the DNS exceptions..... You are now also blocking DNS requests (and also the DNS requests to get your MX records) from the rest of the world.

And what about SMTP traffic from the rest of the world?

> In my ten or so years of administering Linux servers, following the
> usual security precautions has been sufficient: closing unused ports,
> keeping up to date on patches, limiting permissions and logins, etc.
> I've never had a system broken into.
>
> But if I can lessen the bandwidth used up by brute-force password
> attacks and port scans at the cost of a few CPU cycles, that's a good
> thing. I've had the new rules up on one server for about half an hour
> and can see about 10 or so connection attempts from the addresses in
> question.
>
> What do you think?
>
> Kirk Bocek
>
> (...)

Thom
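As an added example (not code from the thread or from Kirk), the following Python rendering of what iana-makeiptables.pl does is paired with a first-match model of the INPUT chain it produces, which makes Thom's point checkable: because every rule is added with -I, the DNS exceptions end up above the DROP rules and DNS from a blocked /8 gets through, but SMTP from the same range is dropped. The IANA lines are constructed in the "NNN/8 ... registry" layout the script parses, not the real assignment file.

```python
# Added example, not from the thread: a Python rendering of Kirk's
# iana-makeiptables.pl plus a first-match model of the INPUT chain it builds.
import ipaddress
import re

REGISTRIES = ("APNIC", "RIPE", "LACNIC", "AfriNIC")   # same selection as the script

# Constructed sample lines in the "NNN/8 <date> <registry>" layout the script
# expects; this is not the real IANA ipv4-address-space file.
SAMPLE_IANA = """\
000/8   Sep 81   IANA - Reserved
024/8   May 01   ARIN
058/8   Apr 04   APNIC
080/8   Apr 01   RIPE NCC
200/8   Nov 02   LACNIC
"""

def blocked_prefixes(text, registries=REGISTRIES):
    """/8 networks whose assignment line names one of the chosen registries."""
    nets = []
    for line in text.splitlines():
        m = re.match(r"^(\d{3})/8\b", line)
        if m and any(reg in line for reg in registries):
            # int() drops the leading zeros the Perl strips with substr()
            nets.append(ipaddress.ip_network(f"{int(m.group(1))}.0.0.0/8"))
    return nets

def script_commands(nets):
    """iptables invocations in the order iana-block.sh runs them: DROPs, then DNS."""
    cmds = [("-I", None, None, net, "DROP") for net in nets]
    cmds += [("-I", "tcp", 53, None, "ACCEPT"), ("-I", "udp", 53, None, "ACCEPT")]
    return cmds

def apply_commands(cmds):
    """Model the INPUT chain: -I inserts at the head, -A appends at the tail."""
    chain = []
    for flag, proto, dport, net, target in cmds:
        rule = (proto, dport, net, target)
        if flag == "-I":
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain

def verdict(chain, src, proto, dport, policy="ACCEPT"):
    """First matching rule wins, as in netfilter; otherwise the chain policy."""
    ip = ipaddress.ip_address(src)
    for rproto, rport, net, target in chain:
        if ((rproto is None or rproto == proto)
                and (rport is None or rport == dport)
                and (net is None or ip in net)):
            return target
    return policy

CHAIN = apply_commands(script_commands(blocked_prefixes(SAMPLE_IANA)))
```

verdict(CHAIN, "58.1.2.3", "udp", 53) returns ACCEPT while verdict(CHAIN, "58.1.2.3", "tcp", 25) returns DROP: the DNS exception works, but inbound mail from that range never arrives, which is the gap Thom raises.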