Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Cyrus Bharda on June 03, 2003, 09:53:50 AM
-
Howdy all,
Just wondering if it is possible to block IPs listed in a txt file.
My reason for asking is this: SANS and DShield release a text file with the top 10 IP blocks for attackers. I wish to drop all packets from these blocks for security reasons, but I have no idea if/how to block IPs, let alone try and block IP blocks listed in a text file.
By the way this file can be downloaded by anyone here:
http://feeds.dshield.org/block.txt
It is updated daily, thanks.
Cyrus Bharda
-
Oops, my mistake:
#
# DShield.org Recommended Block List
# (c) 2003 DShield.org
# use and unaltered distribution permitted.
# use on your own risk. No warranties implied.
# primary URL: http://feeds.dshield.org/block.txt
# PGP Sign.: http://feeds.dshield.org/block.txt.asc
#
# comments: info@dshield.org
# updated: Tue Jun 3 03:45:36 2003 UTC
#
# This list summarized the top 20 attacking class C (/24) subnets
# over the last three days. The number of 'attacks' indicates the
# number of targets reporting scans from this subnet.
#
# At the end of the list, a number of reserved/unassigned network
# ranges are listed.
#
# Columns (tab delimited):
#
# (1) start of netblock
# (2) end of netblock
# (3) subnet (/24 for class C)
# (4) number of targets scanned
# (5) name of Network
# (6) Country
# (7) contact email address
#
# If a range is assigned to multiple users, the first one is listed.
#
Start End Netblock Attacks Name Country email
195.110.210.0 195.110.210.255 24 66098 Computer Technik Bleier AT [no email]
218.70.148.0 218.70.148.255 24 65552 CHINANET-CQ CN liuqb@public.cta.cq.cn
210.118.156.0 210.118.156.255 24 64256 Korea Network Information Center KR hostmaster@nic.or.kr
220.45.41.0 220.45.41.255 24 64254 Japan nation-wide Network of BB Technologies Corp. JP admin@bbtec.net
218.14.151.0 218.14.151.255 24 64248 CHINANET Guangdong province network CN ipadm@gddc.com.cn
61.117.29.0 61.117.29.255 24 63996 Open Data Network JP hostmaster@nic.ad.jp
203.73.86.0 203.73.86.255 24 63958
147.134.120.0 147.134.120.255 24 63872 Creighton University (NET-JAYNET1) US lsheldon@CREIGHTON.EDU
155.135.17.0 155.135.17.255 24 63812 California State University (NET-CSUDH) US malam@RESEARCH.CSUDH.EDU
80.143.107.0 80.143.107.255 24 63653 Deutsche Telekom AG DE abuse@t-ipnet.de
218.8.129.0 218.8.129.255 24 63518
218.172.136.0 218.172.136.255 24 63511
212.125.70.0 212.125.70.255 24 61905
218.68.222.0 218.68.222.255 24 61100 CHINANET-TJ CN apnic@swd.online.tj.cn
64.42.18.0 64.42.18.255 24 60746 Advanced Telcom Group (NETBLK-ATGI-WEST-2) US abuse@atgi.net
195.149.5.0 195.149.5.255 24 57770 Fiamm UK Ltd GB [no email]
213.23.238.0 213.23.238.255 24 55335
81.98.111.0 81.98.111.255 24 55326
219.95.156.0 219.95.156.255 24 47069 Asia Pacific Network Information Center, Pty. Ltd. AU abuse@apnic.net
211.21.5.0 211.21.5.255 24 44435
-
This is made for 5.1.2, and uses a different layout of the file (just one IP address per line), but should give you or someone else a start.
Versions above 5.5 use iptables, so those commands could change. The filename is passed to the script as a parameter. This script blocks individual IPs; I'm not sure what the performance impact of a lot of extra rules would be. My machine can handle 400 blocked IPs with no problems.
=============begin file================
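#!/bin/sh
# Usage: pass the name of a file with one IP address per line.
for a in $(cat "$1") ; do
    echo -n "block ip $a  "
    #
    # Check if block exists
    # (-F -w matches the address literally and as a whole word,
    #  so 1.2.3.4 does not match 1.2.3.40)
    #
    exist=$(/sbin/ipchains -L input -n | grep -F -w -c -- "$a")
    if [ "$exist" -eq 0 ]
    then
    {
        echo "block added"
        # -l logs packets that hit the rule
        /sbin/ipchains -I input -s "$a" -j DENY -l
    }
    else
    {
        echo "block already exists"
    }
    fi;
done
exit 0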
=============end file================
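An added example, not part of the original thread: a parser for the tab-delimited block.txt layout quoted earlier, which validates columns 1 and 3 and prints iptables rules for review rather than running them. The chain name DSHIELD, the /8 minimum prefix and the sample rows are assumptions made for the example; checking the PGP signature named in the file header is not shown.

```shell
#!/bin/sh
# Constructed sample in the block.txt layout (tab delimited). Addresses are
# documentation ranges, not entries from the real list.
sample_blocklist() {
    printf '# comment line\n'
    printf 'Start\tEnd\tNetblock\tAttacks\tName\tCountry\temail\n'
    printf '192.0.2.0\t192.0.2.255\t24\t66098\tExample Net\tAT\t[no email]\n'
    printf '198.51.100.0\t198.51.100.255\t24\t65552\n'
    printf '203.0.113.0\t203.0.113.255\t24\t100\tOdd; $(name) text\tUS\tx@example.org\n'
    printf '999.1.1.0\t999.1.1.255\t24\t5\tBad octet\tUS\tx@example.org\n'
    printf '192.0.2.0\t192.0.2.255\t24\t66098\tDuplicate row\tAT\t[no email]\n'
}

# Read a block.txt-style file on stdin, print one validated CIDR per line.
# Only columns 1 and 3 are used, so free-text columns never reach the shell.
blocklist_to_cidrs() {
    awk -F '\t' '
        /^[ \t]*#/ || NF < 3 { next }                       # comments, short lines
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }   # header row, junk
        # Assumed policy: refuse prefixes shorter than /8 so a bad feed
        # cannot block most of the Internet.
        $3 !~ /^[0-9]+$/ || $3 + 0 < 8 || $3 + 0 > 32 { next }
        {
            n = split($1, o, ".")
            for (i = 1; i <= n; i++) if (o[i] + 0 > 255) next
            cidr = $1 "/" $3
            if (!(cidr in seen)) { seen[cidr] = 1; print cidr }
        }'
}

# Print (do not run) iptables commands for the CIDRs on stdin. They refill a
# dedicated chain, created once with:
#   iptables -N DSHIELD; iptables -I INPUT -j DSHIELD
cidrs_to_rules() {
    chain=${1:-DSHIELD}    # hypothetical chain name
    echo "iptables -F $chain"
    while read -r cidr; do
        echo "iptables -A $chain -s $cidr -j DROP"
    done
}

# Dry run on the sample; for real use, feed a downloaded block.txt instead.
sample_blocklist | blocklist_to_cidrs | cidrs_to_rules
```

Keeping the rules in their own chain means the daily update replaces yesterday's entries instead of piling new rules onto the input chain.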