benos, November 6, 2008

My online store is getting hammered with fraud attempts. I can ban the IP in root on the server. So here's the NetRange the orders are coming from: 196.0.0.0 - 196.255.255.255. Is there any way to easily ban that whole range with "apf -d"?

be
EatMeerkats, November 6, 2008

I believe you can use 196.0.0.0/8 with apf to cover the whole range. This takes advantage of "IP bit masking" to express the entire range.
JThompson, November 6, 2008

I run a different one and we use wildcards to cover octets. Dunno about yours...
Mapzter, November 6, 2008

> I believe you can use 196.0.0.0/8 with apf to cover the whole range. This takes advantage of "IP bit masking" to express the entire range.

If apf -d won't accept it (it seems to expect single addresses only), you should be able to add 196.0.0.0/8 to /etc/apf/deny_hosts.rules and use apf -r to reload the rules.

196.0.0.0/8 is an awfully big block of the net, though. It's 1/256 of the entire address space.
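An added example (not from the thread or from APF itself) that turns a WHOIS NetRange like the one above into the CIDR prefix(es) a deny rule needs, shows why a /8 is 1/256 of IPv4, and tests an address against the resulting block list. It generalises beyond the thread's case: the second range is constructed and is not expressible as a single prefix.

```python
"""Convert WHOIS NetRanges to CIDR blocks for a deny list (added example)."""
import ipaddress


def netrange_to_cidrs(netrange: str) -> list[str]:
    """'196.0.0.0 - 196.255.255.255' -> ['196.0.0.0/8'].

    Ranges that are not aligned to one prefix come back as several
    prefixes, which is what a CIDR-only deny file needs.
    """
    start, end = (ipaddress.ip_address(p.strip()) for p in netrange.split("-"))
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def share_of_ipv4(cidrs: list[str]) -> float:
    """Fraction of the whole IPv4 space the prefixes cover (a /8 is 1/256)."""
    total = sum(ipaddress.ip_network(c).num_addresses for c in cidrs)
    return total / 2 ** 32


def is_blocked(ip: str, cidrs: list[str]) -> bool:
    """True if `ip` falls inside any of the denied prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    ranges = [
        "196.0.0.0 - 196.255.255.255",   # the NetRange quoted in the thread
        "196.10.0.0 - 196.12.255.255",   # constructed: needs two prefixes
    ]
    for nr in ranges:
        cidrs = netrange_to_cidrs(nr)
        print(f"{nr} -> {cidrs}  ({share_of_ipv4(cidrs):.6f} of IPv4)")
    # Each line below is in the one-entry-per-line form deny_hosts.rules takes.
    print("\n".join(netrange_to_cidrs(ranges[0])))
```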
JThompson, November 6, 2008

> 196.0.0.0/8 is an awfully big block of the net, though. It's 1/256 of the entire address space.

Yes, huge...
Rob Boudrie, November 6, 2008

Interestingly enough, there is a single owner for that Class A block. You have to be careful about blocking it though, since the barristers could have difficulty reaching you if some Nigerian general requires your assistance in moving some money out of the country.

    OrgName:      African Network Information Center
    OrgID:        AFRINIC
    Address:      03B3 - 3rd Floor - Ebene Cyber Tower
    Address:      Cyber City
    Address:      Ebene
    Address:      Mauritius
    City:         Ebene
    StateProv:
    PostalCode:   0001
    Country:      MU
    ReferralServer: whois://whois.afrinic.net

    NetRange:     196.0.0.0 - 196.255.255.255
    CIDR:         196.0.0.0/8
    NetName:      NET196
    NetHandle:    NET-196-0-0-0-0
    Parent:
    NetType:      Allocated to AfriNIC
    NameServer:   NS1.AFRINIC.NET
    NameServer:   NS-SEC.RIPE.NET
    NameServer:   NS.LACNIC.NET
    NameServer:   TINNIE.ARIN.NET
    NameServer:   SEC1.APNIC.NET
    NameServer:   SEC3.APNIC.NET
    Comment:
    RegDate:      1993-05-01
    Updated:      2006-04-27

    OrgAbuseHandle: GENER11-ARIN
    OrgAbuseName:   Generic POC
    OrgAbusePhone:  +230 4666616
    OrgAbuseEmail:  abusepoc@afrinic.net

    OrgTechHandle: GENER11-ARIN
    OrgTechName:   Generic POC
    OrgTechPhone:  +230 4666616
    OrgTechEmail:  abusepoc@afrinic.net

    # ARIN WHOIS database, last updated 2008-11-05 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.
benos (author), November 6, 2008

> I believe you can use 196.0.0.0/8 with apf to cover the whole range. This takes advantage of "IP bit masking" to express the entire range.

Thanks! That did the trick.

be

> You have to be careful about blocking it though, since the barristers could have difficulty reaching you if some Nigerian general requires your assistance in moving some money out of the country.
Cactustactical, November 6, 2008

> Thanks! That did the trick.

Brian, are you doing it through .htaccess or do you have a PHP script to do it?
PCFlorida, November 8, 2008

> You have to be careful about blocking it though, since the barristers could have difficulty reaching you if some Nigerian general requires your assistance in moving some money out of the country.

I thought that was a deal they had made only with me.
benos (author), November 19, 2008

> Brian, are you doing it through .htaccess or do you have a PHP script to do it?

Bob,

No to both. I just typed the Linux command while logged in to the server as root. If you don't have root access, have someone who does type:

    apf -d 196.0.0.0/8

...which will ban this entire IP range, 196.0.0.0 - 196.255.255.255, from any sort of access to any site that's on the server. But if your site is on a shared server, I'm sure that won't be allowed. There probably is a way to block a range of IPs from just your domain; whoever hosts your site should be able to do that for you or tell you how to do it.

If Rob Boudrie sees this thread, he will know. He knows everything.
AZ38super, November 19, 2008

I have not had to do a wide block like that yet on the servers I maintain, but I have done a bunch of individual ones. But these are Windows servers and not Linux. Glad you were able to stop it.
Cactustactical, November 19, 2008

We currently block IP ranges through the .htaccess file and it is getting pretty darn unwieldy. I have also been playing around with a script that reads a SQL table to determine IP address and diverts to a 'go away, you aren't wanted' type of page if the address is on the page. We own our own server and had not heard of the command that you used. I will have to take a look into that.
Rob Boudrie, November 19, 2008

The program Brian is using is "apf", "Advanced Policy Firewall". Loads of information on this Linux package may be found via Google.

Blocking via .htaccess works within the Apache web server; APF catches the traffic before it gets to the web server and places less of a load on your system. APF can also be configured to automagically get data from blacklisting services, so that the biggest offenders often get added to your block list automatically.

As Brian mentioned, APF is at the server level, not the hosted-website level, so it is not easy on a shared system you do not administer.
atlscrog, December 20, 2008

> My online store is getting hammered with fraud attempts. I can ban the IP in root on the server. So here's the NetRange the orders are coming from: 196.0.0.0 - 196.255.255.255. Is there any way to easily ban that whole range with "apf -d"?

I use an OpenBSD based firewall. OpenBSD comes with PF (Packet Filter) and with it you can do some pretty interesting things. For example, I have a rule that detects brute-force attempts to login via SSH. It has a threshold, and too many failed attempts too close together results in that IP being blocked. The pertinent lines from my pf.conf file are below:

===
# tables
table <bruteforce> persist

# Block bruteforce attempts
block log quick from <bruteforce>

pass quick proto tcp from any to any port ssh flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
===

Below is a readout of the IPs that have been blocked so far:

    sybill:/home/scottr/sysadmin $ sudo pfctl -t bruteforce -T show
    58.30.19.23
    59.41.39.101
    59.63.25.158
    61.92.29.236
    61.128.234.216
    64.20.61.114
    83.240.39.137
    94.136.34.213
    132.216.35.26
    200.74.160.178
    200.111.64.171
    201.47.187.138
    202.8.157.123
    202.117.56.29
    202.124.181.41
    219.76.75.6
    219.155.46.233
    sybill:/home/scottr/sysadmin $
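To make the "max-src-conn-rate 5/3" threshold in the pf.conf rule above concrete, here is an added example (not from the thread and not OpenBSD code) that replays a constructed list of new-connection events and reports which source addresses PF's overload check would have moved into the <bruteforce> table: more than 5 new connections from one source within any 3-second window trips it. The event list, addresses and function names are all assumed for the illustration.

```python
"""Sliding-window model of PF's max-src-conn-rate overload (added example)."""
from collections import defaultdict, deque


def overloaded_sources(events, max_conns=5, window=3.0):
    """Return the set of source IPs that open more than `max_conns` new
    connections inside any sliding window of `window` seconds.

    `events` is an iterable of (timestamp_seconds, src_ip) in time order,
    one entry per new TCP connection (the SYN that PF's 'flags S/SA' rule
    creates state for). Mirrors 'max-src-conn-rate 5/3'; 'max-src-conn 15'
    (concurrent states) and 'flush global' are not modelled here.
    """
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    tripped = set()
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # forget connections older than the window
            q.popleft()
        if len(q) > max_conns:            # rate exceeded: PF would add src to the table
            tripped.add(src)
    return tripped


# Constructed sample (documentation-range addresses, not real hosts):
# 203.0.113.5 hammers SSH with six SYNs in about a second,
# 198.51.100.7 connects at a human pace,
# 203.0.113.9 sends bursts that stay at or under the limit.
SAMPLE_EVENTS = [
    (0.0, "198.51.100.7"),
    (0.2, "203.0.113.5"), (0.4, "203.0.113.5"), (0.6, "203.0.113.5"),
    (0.8, "203.0.113.5"), (1.0, "203.0.113.5"), (1.2, "203.0.113.5"),
    (1.5, "203.0.113.9"), (1.6, "203.0.113.9"), (1.7, "203.0.113.9"),
    (1.8, "203.0.113.9"), (1.9, "203.0.113.9"),
    (5.0, "203.0.113.9"), (5.1, "203.0.113.9"),
    (7.0, "198.51.100.7"),
]

if __name__ == "__main__":
    for src in sorted(overloaded_sources(SAMPLE_EVENTS)):
        print(f"would be added to <bruteforce>: {src}")
```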
benos (author), December 24, 2008

> I use an OpenBSD based firewall. OpenBSD comes with PF (Packet Filter) and with it you can do some pretty interesting things. For example, I have a rule that detects brute-force attempts to login via SSH. [...]

Thanks. That looks pretty cool. Rob?

be