Koozali.org: home of the SME Server

Blocking IP's

Cyrus Bharda

Blocking IP's
« on: June 03, 2003, 09:53:50 AM »
Howdy all,

Just wondering if it is possible to block IPs listed in a txt file.

My reason for asking is this: SANS and DShield release a text file with the top 10 IP blocks for attackers. I wish to drop all packets from these blocks for security reasons, but I have no idea if/how to block IPs, let alone how to block IP blocks listed in a text file.

By the way this file can be downloaded by anyone here:

http://feeds.dshield.org/block.txt

It is updated daily, thanks.

Cyrus Bharda

Cyrus Bharda

Re: Blocking IP's
« Reply #1 on: June 03, 2003, 09:56:16 AM »
Oops, my mistake:

#      
#   DShield.org Recommended Block List
#    (c) 2003 DShield.org
#   use and unaltered distribution permitted.    
#   use on your own risk. No warranties implied.
#   primary URL: http://feeds.dshield.org/block.txt
#     PGP Sign.: http://feeds.dshield.org/block.txt.asc
#
#   comments: info@dshield.org
#    updated: Tue Jun  3 03:45:36 2003 UTC
#  
#    This list summarized the top 20 attacking class C (/24) subnets
#   over the last three days. The number of 'attacks' indicates the
#   number of targets reporting scans from this subnet.
#
#    At the end of the list, a number of reserved/unassigned network
#   ranges are listed.
#
#    Columns (tab delimited):
#
#    (1) start of netblock  
#    (2) end of netblock
#    (3) subnet (/24 for class C)
#    (4) number of targets scanned
#    (5) name of Network
#    (6) Country
#    (7) contact email address
#
#    If a range is assigned to multiple users, the first one is listed.
#    
Start   End   Netblock   Attacks   Name   Country   email
195.110.210.0   195.110.210.255   24   66098   Computer Technik Bleier   AT   [no email]
218.70.148.0   218.70.148.255   24   65552   CHINANET-CQ   CN   liuqb@public.cta.cq.cn
210.118.156.0   210.118.156.255   24   64256   Korea Network Information Center   KR   hostmaster@nic.or.kr
220.45.41.0   220.45.41.255   24   64254   Japan nation-wide Network of BB Technologies Corp.   JP   admin@bbtec.net
218.14.151.0   218.14.151.255   24   64248   CHINANET Guangdong province network   CN   ipadm@gddc.com.cn
61.117.29.0   61.117.29.255   24   63996   Open Data Network   JP   hostmaster@nic.ad.jp
203.73.86.0   203.73.86.255   24   63958         
147.134.120.0   147.134.120.255   24   63872   Creighton University (NET-JAYNET1)   US   lsheldon@CREIGHTON.EDU
155.135.17.0   155.135.17.255   24   63812   California State University (NET-CSUDH)   US   malam@RESEARCH.CSUDH.EDU
80.143.107.0   80.143.107.255   24   63653   Deutsche Telekom AG   DE   abuse@t-ipnet.de
218.8.129.0   218.8.129.255   24   63518         
218.172.136.0   218.172.136.255   24   63511         
212.125.70.0   212.125.70.255   24   61905         
218.68.222.0   218.68.222.255   24   61100   CHINANET-TJ   CN   apnic@swd.online.tj.cn
64.42.18.0   64.42.18.255   24   60746   Advanced Telcom Group (NETBLK-ATGI-WEST-2)   US   abuse@atgi.net
195.149.5.0   195.149.5.255   24   57770   Fiamm UK Ltd   GB   [no email]
213.23.238.0   213.23.238.255   24   55335         
81.98.111.0   81.98.111.255   24   55326         
219.95.156.0   219.95.156.255   24   47069   Asia Pacific Network Information Center, Pty. Ltd.   AU   abuse@apnic.net
211.21.5.0   211.21.5.255   24   44435

Curly

Re: Blocking IP's
« Reply #2 on: June 04, 2003, 01:01:25 AM »
This is made for 5.1.2, and uses a different layout of the file (just one IP address per line), but should give you or someone else a start:

Versions above 5.5 use iptables, so those commands could change. The filename is passed to the script as a parameter. This script blocks individual IPs; I'm not sure what the performance impact of a lot of extra rules would be. My machine can handle 400 blocked IPs with no problems.

=============begin file================
#!/bin/sh
# Usage: blockips.sh <file>   (one IP address per line)
while read -r a; do
        # skip blank lines and comments
        case "$a" in ''|\#*) continue ;; esac
        echo -n "block ip $a "
        #
        # Check if block exists (fixed-string, whole-word match, so that
        # 1.2.3.4 is not reported as present because 1.2.3.45 is)
        #
        exist=$(/sbin/ipchains -L input -n | grep -cwF "$a")
        if [ "$exist" -eq 0 ]
        then
                echo "block added"
                /sbin/ipchains -I input -s "$a" -j DENY -l
        else
                echo "block already exists"
        fi
done < "$1"
exit 0
=============end file================
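Curly's script expects one address per line and the ipchains tool of 5.1.2. The file the question is actually about is the tab-delimited DShield list quoted in reply #1 (comment header, a column header, then start/end/prefix columns, with a few reserved ranges whose mask is not /24 at the end), and releases above 5.5 use iptables. The script below is an added example written for this thread; it is not from SME Server, DShield or either poster. It parses that layout into CIDR form and loads the result into a dedicated chain that is flushed and refilled on each run, which makes a daily cron refresh idempotent without grepping rule listings. The FEED path, the chain name DSHIELD, the iptables path and the sample rows are assumptions; two sample rows are copied from the list quoted above and the private-range row is constructed to stand in for the reserved entries the feed appends.

```shell
#!/bin/sh
# Added example, not from the thread or from SME Server: load a DShield
# block.txt into one iptables chain.  Assumed settings (override via env):
#   FEED     local copy of http://feeds.dshield.org/block.txt
#   CHAIN    a chain of our own, so the list can be replaced wholesale
#   IPTABLES the binary; IPTABLES=echo prints the rules without root
FEED="${FEED:-/var/lib/dshield/block.txt}"
CHAIN="${CHAIN:-DSHIELD}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Constructed sample in the feed's tab-delimited layout: a comment line, the
# column header, two rows from the list quoted above and one made-up
# reserved-range row (the real feed lists such ranges with masks != 24).
sample_feed() {
    fmt='%s\t%s\t%s\t%s\t%s\t%s\t%s\n'
    echo '#   DShield.org Recommended Block List (constructed sample)'
    printf "$fmt" Start End Netblock Attacks Name Country email
    printf "$fmt" 195.110.210.0 195.110.210.255 24 66098 'Computer Technik Bleier' AT '[no email]'
    printf "$fmt" 218.70.148.0 218.70.148.255 24 65552 CHINANET-CQ CN liuqb@public.cta.cq.cn
    printf "$fmt" 10.0.0.0 10.255.255.255 8 0 'private range (constructed row)' - -
}

# Return 0 if $1 is a dotted quad whose four octets are all in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldIFS=$IFS; IFS=.
    set -- $1
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Read block.txt on stdin, print one "start/prefix" per line.
# Only the first three columns are needed and they contain no spaces, so
# splitting on any whitespace handles the tab-delimited feed.  Comment
# lines, the column header and malformed rows are skipped; the prefix is
# taken from column 3 rather than assumed to be 24.
dshield_to_cidr() {
    while read -r start end prefix rest; do
        case "$start" in ''|\#*) continue ;; esac
        is_ipv4 "$start" && is_ipv4 "$end" || continue
        case "$prefix" in ''|*[!0-9]*) continue ;; esac
        [ "$prefix" -le 32 ] || continue
        printf '%s/%s\n' "$start" "$prefix"
    done
}

# Rebuild $CHAIN from the feed file given as $1 and hook it into INPUT once.
# Flushing and refilling our own chain replaces yesterday's list cleanly and
# avoids the per-rule "does it already exist" grep.
apply_blocklist() {
    feed="$1"
    $IPTABLES -N "$CHAIN" 2>/dev/null || true      # no-op if it exists
    $IPTABLES -F "$CHAIN"
    dshield_to_cidr < "$feed" | while read -r cidr; do
        $IPTABLES -A "$CHAIN" -s "$cidr" -j DROP
    done
    # 'iptables -L INPUT -n' prints the target name first on each rule line,
    # so this check works on old releases that lack 'iptables -C'.
    $IPTABLES -L INPUT -n | grep -q "^$CHAIN " \
        || $IPTABLES -I INPUT -j "$CHAIN"
}

# With a file argument: load it (needs root unless IPTABLES=echo).
# Without arguments: show what the constructed sample parses to.
if [ "$#" -gt 0 ]; then
    apply_blocklist "$1"
else
    sample_feed | dshield_to_cidr
fi
```

Two caveats before putting this in cron. The file header in reply #1 points at a PGP signature (block.txt.asc); check it with gpg before feeding the list to a root-run script, since an unsigned download is an easy way for someone to make the firewall drop whatever they like. And the list is the top 20 attacking /24s over three days, which in the sample above includes university and ISP networks: every host in those subnets is dropped, not just the scanning one, so expect some collateral blocking and a list that changes every day.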