[olug] Shell accounts? [OT?]
Kevin
sharpestmarble at gmail.com
Wed Sep 27 13:57:44 CDT 2017
You could also make the list shorter but much less readable and
maintainable by taking advantage of CIDR VLSM:
58.0.0.0/7
60.0.0.0/7
62.0.0.0/8
77.0.0.0/8
78.0.0.0/7
80.0.0.0/6
84.0.0.0/5
88.0.0.0/6
90.0.0.0/7
116.0.0.0/6
120.0.0.0/6
124.0.0.0/7
126.0.0.0/8
190.0.0.0/8
193.0.0.0/8
194.0.0.0/7
200.0.0.0/6
210.0.0.0/7
212.0.0.0/7
217.0.0.0/8
218.0.0.0/7
220.0.0.0/7
222.0.0.0/8
On Wed, Sep 27, 2017 at 11:26 AM, Lou Duchez <lou at paprikash.com> wrote:
> In case anyone's interested, I came across this list of international IP
> addresses some time ago; I can't confirm its accuracy or completeness, but
> thus far it hasn't caused me any problems (that I know of). In my
> firewalls I typically block all IPs in these ranges except for email and
> Web access; I spend so little time hiking through the Balkans, I feel
> pretty safe blocking all SSH connections from Sarajevo.
>
>
> N Filename iptables.rules
> N Russia .ru
> 89.0.0.0/8
>
> N RIPE.NET (Europe, the Middle East and parts of Central Asia)
> 62.0.0.0/8
> 77.0.0.0/8
> 78.0.0.0/8
> 79.0.0.0/8
> 80.0.0.0/8
> 81.0.0.0/8
> 82.0.0.0/8
> 83.0.0.0/8
> 84.0.0.0/8
> 85.0.0.0/8
> 86.0.0.0/8
> 87.0.0.0/8
> 88.0.0.0/8
> 89.0.0.0/8
> 90.0.0.0/8
> 91.0.0.0/8
> 193.0.0.0/8
> 194.0.0.0/8
> 195.0.0.0/8
> 212.0.0.0/8
> 213.0.0.0/8
> 217.0.0.0/8
>
> N APNIC (Asian Pacific Network Information Center)
> 58.0.0.0/8
> 59.0.0.0/8
> 60.0.0.0/8
> 61.0.0.0/8
> 202.0.0.0/8
> 203.0.0.0/8
> 210.0.0.0/8
> 211.0.0.0/8
> 218.0.0.0/8
> 219.0.0.0/8
> 220.0.0.0/8
> 221.0.0.0/8
> 222.0.0.0/8
> 116.0.0.0/8
> 117.0.0.0/8
> 118.0.0.0/8
> 119.0.0.0/8
> 120.0.0.0/8
> 121.0.0.0/8
> 122.0.0.0/8
> 123.0.0.0/8
> 124.0.0.0/8
> 125.0.0.0/8
> 126.0.0.0/8
>
> N End APNIC Addresses
>
> N LACNIC (Latin American and Caribbean Network Information Center)
> 189.0.0.0/8
> 190.0.0.0/8
> 200.0.0.0/8
> 201.0.0.0/8
> N End LACNIC
>
> N Add .EU here?
> N duesentrieb.kunst.uni-frankfurt.de
> 141.0.0.0/8
> N end .EU
>
> 88.0.0.0/8
> 85.0.0.0/8
>
>
>
> ipset to efficiently and easily whitelist / blacklist large sets of IP
>> addresses such as from an entire country.
>>
>>
>> On Tue, Sep 26, 2017 at 11:26 PM, aric at omahax.com <aric at omahax.com>
>> wrote:
>>
>> Thanks, that is a cool feature of iptables that I didn't know about. When
>>> I first read the port knocking suggestion on this thread I thought about
>>> the Dr. Strangelove doomsday machine. You could trigger events from a
>>> port
>>> knock. ....and then this Rick and Morty scene
>>> https://youtu.be/a69kN7gyE70
>>> There several ways to block SSH attempts. I use pfSense to forward a non
>>> standard port, ban the IP after 5 failed attempts and ban IPs that port
>>> scan. The iptables way you suggested looks to be the simplest.
>>> ------ Original message------From: Christopher CashellDate: Tue, Sep 26,
>>> 2017 10:53 PMTo: Omaha Linux User Group;Cc: Subject:Re: [olug] Shell
>>> accounts? [OT?]
>>> On Thu, Sep 14, 2017 at 9:40 AM, Ben Hollingsworth wrote:
>>>
>>> The biggest bummer, nostalgia aside, is SSH access. In order to keep the
>>>> log file noise to a minimum, my home firewall restricts which IP blocks
>>>>
>>> are
>>>
>>>> allowed to SSH into my home computer. On the rare occasion when I need
>>>>
>>> to
>>>
>>>> SSH in from an unapproved network, I was always able to SSH into falcon
>>>> first, then jump from there to my home machine. That route is no longer
>>>>
>>> an
>>>
>>>> option, so I'll probably have to open up the firewall again. Or maybe I
>>>> can just paint with a bigger brush & block foreign IP's using that list
>>>> that somebody posted recently.
>>>>
>>>> Someone mentioned port-knocking, which can be a handy solution for this.
>>> Another option that can significantly reduce the log noise is to use
>>> iptables to minimize or prevent brute-force SSH attacks.
>>>
>>> Replace the iptables rule on your box that is allowing TCP port 22 with
>>> the
>>> following:
>>>
>>> iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m
>>> hashlimit --hashlimit-mode srcip --hashlimit-upto 1/min
>>> --hashlimit-burst 4
>>> --hashlimit-name ssh -j ACCEPT
>>>
>>> That will limit new TCP connection attempts to a rate of 1 per minute,
>>> with
>>> a burst of 4 allowed per source IP. Basically, anyone who makes repeated
>>> ssh attempts to quickly will automatically have their connection attempts
>>> dropped. The most attempts they make, the longer they get blocked. The
>>> best thing about it is that it requires no maintenance or external
>>> applications (like fail2ban), and is very "fire and forget" for low
>>> connection rate protocols like SSH.
>>>
>>> One other handy option, you can keep SSH blocked from the outside, and
>>> use
>>> something like OpenVPN to connect remotely. Then, after establishing a
>>> VPN
>>> session to your computer externally, you can SSH across the VPN to not
>>> expose SSH publicly. This can also give you some additional access
>>> benefits to your system.
>>>
>>> For the ultimate in remote shell flexibility, I'll echo another
>>> suggestion
>>> that was thrown out, too: Linode. I've been using Linode.com for 10
>>> years
>>> now, and I can't recommend them enough. They're Virtual Private Server
>>> (VPS) hosting by geeks/engineers for geeks/engineers.
>>>
>>> --
>>>
>>>> *Ben "Obi-Wan" Hollingsworth* obiwan at jedi.com
>>>> www.Jedi.com
>>>>
>>>
>>>
>>> --
>>> Christopher
>>> _______________________________________________
>>> OLUG mailing list
>>> OLUG at olug.org
>>> https://www.olug.org/mailman/listinfo/olug
>>> _______________________________________________
>>> OLUG mailing list
>>> OLUG at olug.org
>>> https://www.olug.org/mailman/listinfo/olug
>>>
>>> _______________________________________________
>> OLUG mailing list
>> OLUG at olug.org
>> https://www.olug.org/mailman/listinfo/olug
>>
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://www.olug.org/mailman/listinfo/olug
>
More information about the OLUG
mailing list