Brian Enos's Forums... Maku mozo!

IP Banning on Server ... Formatting Question



My online store is getting hammered with fraud attempts. I can ban the IP in root on the server. So here's the NetRange: 196.0.0.0 - 196.255.255.255

... the orders are coming from. Is there any way to easily ban that whole range with "apf -d"?

be


I believe you can use 196.0.0.0/8 with apf to cover the whole range. This takes advantage of "IP bit masking" to express the entire range.

If apf -d won't accept it (it seems to expect single addresses only), you should be able to add 196.0.0.0/8 to /etc/apf/deny_hosts.rules and use apf -r to reload the rules.

196.0.0.0/8 is an awfully big block of the net, though. It's 1/256 of the entire address space :unsure:


I believe you can use 196.0.0.0/8 with apf to cover the whole range. This takes advantage of "IP bit masking" to express the entire range.

If apf -d won't accept it (it seems to expect single addresses only), you should be able to add 196.0.0.0/8 to /etc/apf/deny_hosts.rules and use apf -r to reload the rules.

196.0.0.0/8 is an awfully big block of the net, though. It's 1/256 of the entire address space :unsure:

Yes huge...


Interestingly enough, there is a single owner for that Class A block. You have to be careful about blocking it though, since the barristers could have difficulty reaching you if some Nigerian general requires your assistance in moving some money out of the country.

------------------------------------------------------------------

OrgName: African Network Information Center

OrgID: AFRINIC

Address: 03B3 - 3rd Floor - Ebene Cyber Tower

Address: Cyber City

Address: Ebene

Address: Mauritius

City: Ebene

StateProv:

PostalCode: 0001

Country: MU

ReferralServer: whois://whois.afrinic.net

NetRange: 196.0.0.0 - 196.255.255.255

CIDR: 196.0.0.0/8

NetName: NET196

NetHandle: NET-196-0-0-0-0

Parent:

NetType: Allocated to AfriNIC

NameServer: NS1.AFRINIC.NET

NameServer: NS-SEC.RIPE.NET

NameServer: NS.LACNIC.NET

NameServer: TINNIE.ARIN.NET

NameServer: SEC1.APNIC.NET

NameServer: SEC3.APNIC.NET

Comment:

RegDate: 1993-05-01

Updated: 2006-04-27

OrgAbuseHandle: GENER11-ARIN

OrgAbuseName: Generic POC

OrgAbusePhone: +230 4666616

OrgAbuseEmail: abusepoc@afrinic.net

OrgTechHandle: GENER11-ARIN

OrgTechName: Generic POC

OrgTechPhone: +230 4666616

OrgTechEmail: abusepoc@afrinic.net

# ARIN WHOIS database, last updated 2008-11-05 19:10

# Enter ? for additional hints on searching ARIN's WHOIS database.

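Added example, not code from the thread and not part of apf: a short Python script that parses the "Key: value" lines of a WHOIS record like the one above, reduces its NetRange to a CIDR block with the same bit masking the earlier reply refers to, and tests whether an address falls inside the block. The sample record is constructed from the fields quoted in the thread; the address 196.12.34.56 and the other test addresses are made up for the check.

```python
"""Added example (not the thread's or apf's own code): the bit masking behind
196.0.0.0/8, applied to a WHOIS record like the one quoted above."""
import re

# Constructed sample in the style of the ARIN record above (only the fields
# this example reads are included).
SAMPLE_WHOIS = """\
OrgName: African Network Information Center
NetRange: 196.0.0.0 - 196.255.255.255
CIDR: 196.0.0.0/8
NetName: NET196
"""

ALL_ONES = 0xFFFFFFFF


def ip_to_int(ip):
    """Pack a dotted-quad IPv4 address into a 32-bit integer."""
    parts = ip.strip().split(".")
    if len(parts) != 4:
        raise ValueError("not an IPv4 address: %r" % ip)
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError("octet out of range in %r" % ip)
        value = (value << 8) | octet
    return value


def int_to_ip(value):
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_mask(prefix):
    """Netmask for a /prefix: the top `prefix` bits set, the rest clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def parse_whois(text):
    """Collect the 'Key: value' lines of a WHOIS record into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def range_to_cidr(first, last):
    """Express an inclusive address range as one CIDR block.

    The prefix length is the number of leading bits the two ends share. The
    range is a single block only if `first` is all zeros below that prefix
    and `last` is all ones; anything else is rejected rather than guessed.
    """
    lo, hi = ip_to_int(first), ip_to_int(last)
    if lo > hi:
        raise ValueError("range is reversed")
    for prefix in range(32, -1, -1):
        mask = prefix_mask(prefix)
        if lo & mask == hi & mask:
            break
    if lo & mask != lo or hi != (lo | (~mask & ALL_ONES)):
        raise ValueError("%s - %s is not a single CIDR block" % (first, last))
    return "%s/%d" % (int_to_ip(lo), prefix)


def cidr_to_range(cidr):
    """First and last address covered by a CIDR block."""
    base, prefix = cidr.split("/")
    mask = prefix_mask(int(prefix))
    net = ip_to_int(base) & mask
    return int_to_ip(net), int_to_ip(net | (~mask & ALL_ONES))


def block_size(cidr):
    """Number of addresses in the block: 2 ** (32 - prefix)."""
    return 1 << (32 - int(cidr.split("/")[1]))


def ip_in_cidr(ip, cidr):
    """True if `ip` and the block's base agree on the masked (network) bits."""
    base, prefix = cidr.split("/")
    mask = prefix_mask(int(prefix))
    return ip_to_int(ip) & mask == ip_to_int(base) & mask


def whois_to_cidr(text):
    """NetRange of a WHOIS record, reduced to CIDR by range_to_cidr."""
    first, last = parse_whois(text)["NetRange"].split("-")
    return range_to_cidr(first, last)


if __name__ == "__main__":
    cidr = whois_to_cidr(SAMPLE_WHOIS)
    print(cidr, cidr_to_range(cidr), block_size(cidr), "addresses")
    print("196.12.34.56 in block:", ip_in_cidr("196.12.34.56", cidr))
```

The same masking is what apf (and iptables underneath it) applies to every packet: a /8 keeps only the first octet, so one rule matches all 16,777,216 addresses, which is the 1/256 of the address space mentioned above. range_to_cidr refuses a range that is not aligned to a power of two rather than silently widening it, since widening a deny rule is the mistake that catches innocent traffic.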

I believe you can use 196.0.0.0/8 with apf to cover the whole range. This takes advantage of "IP bit masking" to express the entire range.

Thanks! That did the trick.

be

You have to be careful about blocking it though, since the barristers could have difficulty reaching you if some Nigerian general requires your assistance in moving some money out of the country.

:D


I believe you can use 196.0.0.0/8 with apf to cover the whole range. This takes advantage of "IP bit masking" to express the entire range.

Thanks! That did the trick.

be

You have to be careful about blocking it though, since the barristers could have difficulty reaching you if some Nigerian general requires your assistance in moving some money out of the country.

:D

brian, are you doing it through .htaccess or do you have a php script to do it?


Interestingly enough, there is a single owner for that Class A block. You have to be careful about blocking it though, since the barristers could have difficulty reaching you if some Nigerian general requires your assistance in moving some money out of the country.

I thought that was a deal they had made only with me :)


  • 2 weeks later...
I believe you can use 196.0.0.0/8 with apf to cover the whole range. This takes advantage of "IP bit masking" to express the entire range.

Thanks! That did the trick.

be

You have to be careful about blocking it though, since the barristers could have difficulty reaching you if some Nigerian general requires your assistance in moving some money out of the country.

:D

brian, are you doing it through .htaccess or do you have a php script to do it?

Bob,

No to both. I just typed the Linux command while logged in to the server as root.

If you don't have root access, have someone who does type:

apf -d 196.0.0.0/8

... which will ban this entire IP range (196.0.0.0 - 196.255.255.255) from any sort of access to any site that's on the server.

But if your site is on a shared server, I'm sure that won't be allowed.

There probably is a way to block a range of IPs from just your domain; whoever hosts your site should be able to do that for you or tell you how to do it.

If Rob Boudrie sees this thread, he will know. He knows everything.

;)


We currently block IP ranges through the .htaccess file and it is getting pretty darn unwieldy. I have also been playing around with a script that reads a SQL table to determine IP address and diverts to a 'go away, you aren't wanted' type of page if the address is on the page.

We own our own server and had not heard of the command that you used. I will have to take a look into that.


The program Brian is using is "apf", the "Advanced Policy Firewall". Loads of information on this Linux package may be found via Google.

Blocking via .htaccess works within the Apache web server; APF catches the traffic before it gets to the web server and places less of a load on your system. APF can also be configured to automagically get data from blacklisting services, so that the biggest offenders often get added to your block list automatically.

As Brian mentioned, APF is at the server level, not the hosted-website level, so it is not easy to do on a shared system you do not administer.


  • 1 month later...
My online store is getting hammered with fraud attempts. I can ban the IP in root on the server. So here's the NetRange: 196.0.0.0 - 196.255.255.255

... the orders are coming from. Is there any way to easily ban that whole range with "apf -d"?

be

I use an OpenBSD-based firewall. OpenBSD comes with PF (Packet Filter) and with it you can do some pretty interesting things. For example, I have a rule that detects brute-force attempts to log in via SSH. It has a threshold, and too many failed attempts too close together results in that IP being blocked.

The pertinent lines from my pf.conf file are below:

===

# tables

table <bruteforce> persist

# Block bruteforce attempts

block log quick from <bruteforce>

pass quick proto tcp from any to any port ssh flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

===

Below is a readout of the IPs that have been blocked so far:

sybill:/home/scottr/sysadmin $ sudo pfctl -t bruteforce -T show

58.30.19.23

59.41.39.101

59.63.25.158

61.92.29.236

61.128.234.216

64.20.61.114

83.240.39.137

94.136.34.213

132.216.35.26

200.74.160.178

200.111.64.171

201.47.187.138

202.8.157.123

202.117.56.29

202.124.181.41

219.76.75.6

219.155.46.233

sybill:/home/scottr/sysadmin $

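Added example, not Scott's code and not part of OpenBSD: a Python simulation of what the two pf rules above do with a burst of SSH connection attempts. The connection attempts are constructed, and the model is an approximation of pf's max-src-conn-rate accounting (more than 5 new connections from one source inside a sliding 3-second window sends it to the table, after which the block rule drops everything from it); it ignores max-src-conn 15 and the exact way pf meters the rate.

```python
"""Added example (not from the thread or OpenBSD): a simulation of the
overload rule quoted above, run over constructed SSH connection attempts."""
from collections import defaultdict, deque

# max-src-conn-rate 5/3 from the pf.conf above: more than 5 new connections
# from one source within 3 seconds overloads it into <bruteforce>.
MAX_SRC_CONN_RATE = (5, 3)

# Constructed sample of (seconds, source IP) for SYNs to port ssh.
# 10.0.0.5 hammers the port, 192.0.2.10 behaves, 10.0.0.5 returns later.
SAMPLE_SYNS = [
    (0.0, "192.0.2.10"),
    (0.5, "10.0.0.5"), (0.8, "10.0.0.5"), (1.1, "10.0.0.5"),
    (1.4, "10.0.0.5"), (1.7, "10.0.0.5"),     # 5 in 1.2 s: still within the limit
    (2.0, "10.0.0.5"),                        # 6th inside the window: overload
    (2.5, "192.0.2.10"),
    (30.0, "10.0.0.5"),                       # table is persistent: still blocked
]


def simulate(events, rate=MAX_SRC_CONN_RATE):
    """Replay connection attempts through the two rules.

    Returns (table, decisions): the set standing in for <bruteforce> and a
    list of (ts, src, "pass" | "block"). Approximation: the attempt that
    tips a source over the limit is counted as blocked, which is the net
    effect of 'overload ... flush global' on that host's states.
    """
    limit, window = rate
    recent = defaultdict(deque)  # accepted-connection timestamps per source
    table = set()                # table <bruteforce> persist
    decisions = []
    for ts, src in events:
        if src in table:         # block log quick from <bruteforce>
            decisions.append((ts, src, "block"))
            continue
        q = recent[src]
        while q and ts - q[0] > window:   # forget attempts outside the window
            q.popleft()
        q.append(ts)
        if len(q) > limit:       # rate exceeded: overload <bruteforce> flush global
            table.add(src)
            del recent[src]
            decisions.append((ts, src, "block"))
        else:                    # pass quick proto tcp ... port ssh
            decisions.append((ts, src, "pass"))
    return table, decisions


def show_table(table):
    """Sorted the way `pfctl -t bruteforce -T show` lists it (numeric order)."""
    return sorted(table, key=lambda ip: tuple(int(o) for o in ip.split(".")))


if __name__ == "__main__":
    table, decisions = simulate(SAMPLE_SYNS)
    for ts, src, verdict in decisions:
        print("%5.1fs %-12s %s" % (ts, src, verdict))
    print("bruteforce table:", show_table(table))
```

Two things the replay makes visible that the rule text does not: the rule counts new connections, not failed logins, so a client that opens many sessions quickly is treated the same as a password guesser; and because the table is persistent, a source stays blocked until it is removed with pfctl, which is why a legitimate user behind a busy NAT can end up on the list.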

My online store is getting hammered with fraud attempts. I can ban the IP in root on the server. So here's the NetRange: 196.0.0.0 - 196.255.255.255

... the orders are coming from. Is there any way to easily ban that whole range with "apf -d"?

be

I use an OpenBSD-based firewall. OpenBSD comes with PF (Packet Filter) and with it you can do some pretty interesting things. For example, I have a rule that detects brute-force attempts to log in via SSH. It has a threshold, and too many failed attempts too close together results in that IP being blocked.

The pertinent lines from my pf.conf file are below:

===

# tables

table <bruteforce> persist

# Block bruteforce attempts

block log quick from <bruteforce>

pass quick proto tcp from any to any port ssh flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

===

Below is a readout of the IPs that have been blocked so far:

sybill:/home/scottr/sysadmin $ sudo pfctl -t bruteforce -T show

58.30.19.23

59.41.39.101

59.63.25.158

61.92.29.236

61.128.234.216

64.20.61.114

83.240.39.137

94.136.34.213

132.216.35.26

200.74.160.178

200.111.64.171

201.47.187.138

202.8.157.123

202.117.56.29

202.124.181.41

219.76.75.6

219.155.46.233

sybill:/home/scottr/sysadmin $

Thanks. That looks pretty cool.

Rob?

be
