I got tired of people from other countries trying to make an anonymous SIP call through my SIP box and other senseless attacks on Shorewall, so I wrote a script that added entire countries to the blacklist. I don't know anybody in these countries so I wasn't worried about blocking access to anything from my home. I can initiate connections out and complete them, it just drops connections originating from these ranges. The script condenses IP scopes to limit the blacklist somewhat. It's running very well right now on a box with 256M of memory.

-----------This is in /etc/cron.weekly-------------------------
#!/bin/sh
#
# cron.d/shorewall -- update blacklist and restart
#

IP=/usr/local/bin/ip_blacklist.sh
SHOREWALL=/sbin/shorewall

test -x $IP || exit 1
test -x $SHOREWALL || exit 1

# Refresh Shorewall only if the blacklist script exits successfully
$IP && $SHOREWALL refresh


----------This is /usr/local/bin/ip_blacklist.sh----------------
#!/bin/sh

# More country IP blocks available at
# http://www.countryipblocks.net/country-blocks/cidr/
# Make sure the next line is 1 line
URL="http://www.countryipblocks.net/e_country_data/RO_cidr.txt http://www.countryipblocks.net/e_country_data/RU_cidr.txt http://www.countryipblocks.net/e_country_data/KR_cidr.txt http://www.countryipblocks.net/e_country_data/CN_cidr.txt"

FILE=/tmp/blacklist.txt
WGET=$(which wget)
SED=$(which sed)
GREP=$(which grep)
SORT=$(which sort)
AGGREGATE=$(which aggregate)
BLACKLIST="/etc/shorewall/blacklist"
DATE=$(date)
# Stop early if a required tool is missing
test x$WGET = x && echo $0 requires wget && exit 1
test x$SED = x && echo $0 requires sed && exit 1
test x$GREP = x && echo $0 requires grep && exit 1
test x$AGGREGATE = x && echo "$0 requires aggregate (apt-get install aggregate)" && exit 1
test x$SORT = x && echo $0 requires sort && exit 1

BEGINNING="#ADDRESS/SUBNET PROTOCOL PORT"
ENDING="#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE"

cd /tmp
test -f $FILE && rm $FILE
# Download all country lists into a single file
$WGET -q $URL -O $FILE

echo $BEGINNING > $BLACKLIST
echo "#Downloaded: " $DATE >> $BLACKLIST
# Keep the comment lines from the downloaded lists as a header
$GREP "^#" $FILE >> $BLACKLIST
# Sort the networks numerically by octet and merge adjacent ranges
cat $FILE|$GREP -v ^#| $SORT -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n \
|$AGGREGATE -t -q >> $BLACKLIST
echo $ENDING >> $BLACKLIST
----------------------------------------------------------------------

Any feedback or comments are greatly appreciated.

Sean

--
If all printers were determined not to print anything till they were sure it would offend nobody, there would be very little printed. - Benjamin Franklin
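Added example, not part of Sean's post: the script above writes /etc/shorewall/blacklist directly from whatever wget returned, so a failed or malformed download replaces a working list with an empty or broken one before the refresh runs. This sketch keeps only well-formed IPv4 CIDR lines, builds the file next to the target and swaps it in only when enough entries survive. The names valid_cidrs, build_blacklist, sample_feed and MIN_ENTRIES are hypothetical, the sample feed is constructed, and the aggregate step is left out.

```sh
#!/bin/sh
# Added example: validate the downloaded list, then replace the blacklist atomically.
# All function and variable names here are hypothetical, not part of Shorewall.

MIN_ENTRIES=${MIN_ENTRIES:-1}

# Constructed sample download: two good networks, an error page, a bad octet, a duplicate.
sample_feed() {
    printf '%s\n' '# constructed sample' '10.0.0.0/8' '192.0.2.0/24' \
        '<html>503</html>' '300.1.1.0/24' '192.0.2.0/24'
}

# Print only well-formed IPv4 CIDR lines (octets 0-255, prefix 0-32) read from stdin.
valid_cidrs() {
    tr -d '\r' | awk -F'[./]' '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ {
            if ($1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 && $5 <= 32) print
        }'
}

# build_blacklist SRC DEST: rewrite DEST from SRC, or leave DEST untouched on bad input.
build_blacklist() {
    src=$1 dest=$2
    # The temp file lives next to DEST so the final mv is an atomic rename.
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    {
        echo "#ADDRESS/SUBNET PROTOCOL PORT"
        valid_cidrs < "$src" | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n | uniq
        echo "#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE"
    } > "$tmp"
    count=$(grep -c -v '^#' "$tmp" || true)
    if [ "$count" -lt "$MIN_ENTRIES" ]; then
        rm -f "$tmp"      # too few usable entries: keep the previous blacklist
        return 1
    fi
    mv "$tmp" "$dest"
}
```

Because build_blacklist returns non-zero when the download was unusable, a cron wrapper of the form `build_blacklist ... && shorewall refresh` skips the refresh and keeps the previous list.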
Thanks Sean for the script - I have the same problem with hackers trying to access my Asterisk SIP server. I do it a bit differently, I scan the Asterisk log file and add the offenders to the Shorewall dynamic blacklist.

Attached is the script I use. Of course this only works if you use Asterisk :)

I run it every few minutes in cron.

Bill

On 12/15/2011 09:27 AM, Sean Whitney wrote:
> I got tired of people from other countries trying to make an anonymous
> SIP call through my SIP box and other senseless attacks on Shorewall, so
> I wrote a script that added entire countries to the blacklist. I don't
> know anybody in these countries so I wasn't worried about blocking
> access to anything from my home. I can initiate connections out and
> complete them, it just drops connections originating from these ranges.
> The script condenses IP scopes to limit the blacklist somewhat. It's
> running very well right now on a box with 256M of memory.
>
> -----------This is in /etc/cron.weekly-------------------------
> #!/bin/sh
> #
> # cron.d/shorewall -- update blacklist and restart
> #
>
> IP=/usr/local/bin/ip_blacklist.sh
> SHOREWALL=/sbin/shorewall
>
> test -x $IP || exit 1
> test -x $SHOREWALL || exit 1
>
> $IP&& $SHOREWALL refresh
>
>
> ----------This is /usr/local/bin/ip_blacklist.sh----------------
> #!/bin/sh
>
> # More country IP blocks available at
> # http://www.countryipblocks.net/country-blocks/cidr/
> # Make sure the next line is 1 line
> URL="http://www.countryipblocks.net/e_country_data/RO_cidr.txt
> http://www.countryipblocks.net/e_country_data/RU_cidr.txt
> http://www.countryipblocks.net/e_country_data/KR_cidr.txt
> http://www.countryipblocks.net/e_country_data/CN_cidr.txt"
>
> FILE=/tmp/blacklist.txt
> WGET=$(which wget)
> SED=$(which sed)
> GREP=$(which grep)
> SORT=$(which sort)
> AGGREGATE=$(which aggregate)
> BLACKLIST="/etc/shorewall/blacklist"
> DATE=$(date)
> test x$WGET = x&& echo $0 requires wget&& exit 1
> test x$SED = x&& echo $0 requires sed&& exit 1
> test x$AGGREGATE = x&& echo $0 requires aggregate (apt-get install
> aggregate)&& exit 1
> test x$SORT = x&& echo $0 requires sort&& exit 1
>
> BEGINNING="#ADDRESS/SUBNET PROTOCOL PORT"
> ENDING="#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE"
>
> cd /tmp
> test -f $FILE&& rm $FILE
> $($WGET -q $URL -O $FILE)
>
> echo $BEGINNING> $BLACKLIST
> echo "#Downloaded: " $DATE>> $BLACKLIST
> $GREP "^#" $FILE>> $BLACKLIST
> cat $FILE|$GREP -v ^#| $SORT -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n \
> |$AGGREGATE -t -q>> $BLACKLIST
> echo $ENDING>> $BLACKLIST
> ----------------------------------------------------------------------
>
> Any feedback or comments are greatly appreciated.
>
> Sean
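Added example, not Bill's attached script (which is not reproduced on this page): one way to do the log scan he describes, counting failed SIP registrations per source address and printing the addresses that reach a threshold so they can be passed to `shorewall drop`. The names offenders, sample_log and THRESHOLD are hypothetical, the chan_sip NOTICE line format is an assumption, and the sample log lines are constructed.

```sh
#!/bin/sh
# Added example: find repeat offenders in an Asterisk log for the dynamic blacklist.
# offenders, sample_log and THRESHOLD are hypothetical names; the log format is assumed.

THRESHOLD=${THRESHOLD:-3}

# Constructed sample log lines (documentation addresses, not real traffic).
sample_log() {
    cat <<'EOF'
[2011-12-15 09:12:01] NOTICE[2345] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.23' - Wrong password
[2011-12-15 09:12:02] NOTICE[2345] chan_sip.c: Registration from '"102" <sip:102@203.0.113.10>' failed for '198.51.100.23' - No matching peer found
[2011-12-15 09:12:03] NOTICE[2345] chan_sip.c: Registration from '"103" <sip:103@203.0.113.10>' failed for '198.51.100.23:5060' - Wrong password
[2011-12-15 09:13:00] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '192.0.2.77' - Wrong password
EOF
}

# offenders [ALLOW_REGEX]: read a log on stdin, print source addresses with at least
# THRESHOLD failed registrations, skipping addresses that match ALLOW_REGEX.
offenders() {
    allow=${1:-'^127\.'}
    # The From header is remote-supplied text, so only the address that closes the
    # line (after the last "failed for") is used; an optional :port is dropped.
    sed -n "s/.*chan_sip\.c: Registration from .* failed for '\([0-9][0-9.]*\)\(:[0-9]*\)\{0,1\}' - .*/\1/p" |
        grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' |
        grep -Ev "$allow" |
        sort | uniq -c |
        awk -v min="$THRESHOLD" '$1 >= min { print $2 }'
}

# On the firewall (not run here), with your own networks in the allow regex:
#   for ip in $(offenders '^(127|192\.168)\.' < /var/log/asterisk/messages); do
#       shorewall drop "$ip"
#   done
```

Keeping your own phones and trunks in the allow regex prevents a mistyped password on the LAN from locking out a legitimate endpoint.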
> I got tired of people from other countries trying to make an anonymous
> SIP call through my SIP box and other senseless attacks on Shorewall,
> so I wrote a script that added entire countries to the blacklist.

Thank you for sharing. :)

*ticks 'done' on this todo-list item*

Mark
On Thu, 15 Dec 2011 08:27:33 -0800, Sean Whitney wrote:

> I got tired of people from other countries trying to make an anonymous
> SIP call through my SIP box and other senseless attacks on Shorewall, so
> I wrote a script that added entire countries to the blacklist. I don't
> know anybody in these countries so I wasn't worried about blocking
> access to anything from my home. I can initiate connections out and
> complete them, it just drops connections originating from these ranges.
> The script condenses IP scopes to limit the blacklist somewhat. It's
> running very well right now on a box with 256M of memory.

nice one, but have you read:

http://www.countryipblocks.net/information/policies-affecting-access-and-use-of-the-website-and-database/

some statements from this site:

* ... We also ask that you do not use automation, ...
* Automated access is strictly forbidden

- Thomas
Thanks for pointing that out. Looks like this site has policies that are more automation friendly.

http://www.ipdeny.com/ipblocks/

Sean

On 12/16/2011 07:26 AM, Thomas Mueller wrote:
> On Thu, 15 Dec 2011 08:27:33 -0800, Sean Whitney wrote:
>
> > I got tired of people from other countries trying to make an anonymous
> > SIP call through my SIP box and other senseless attacks on Shorewall, so
> > I wrote a script that added entire countries to the blacklist. I don't
> > know anybody in these countries so I wasn't worried about blocking
> > access to anything from my home. I can initiate connections out and
> > complete them, it just drops connections originating from these ranges.
> > The script condenses IP scopes to limit the blacklist somewhat. It's
> > running very well right now on a box with 256M of memory.
>
> nice one, but have you read:
>
> http://www.countryipblocks.net/information/policies-affecting-access-and-use-of-the-website-and-database/
>
> some statements from this site:
>
> * ... We also ask that you do not use automation, ...
> * Automated access is strictly forbidden
>
> - Thomas

--
If all printers were determined not to print anything till they were sure it would offend nobody, there would be very little printed. - Benjamin Franklin