Can one construct an IPTables rule to block on NS records?




This is the same origin that I reported on earlier.  Apparently asking
for an explanation of why they were probing our sites only encouraged
them to make additional attempts.

 sshd:
    Authentication Failures:
       unknown (ip-173-201-178-18.ip.secureserver.net): 2 Time(s)
       unknown (ip-97-74-196-33.ip.secureserver.net): 2 Time(s)
       unknown (ip-97-74-202-95.ip.secureserver.net): 2 Time(s)
       root (ip-173-201-252-24.ip.secureserver.net): 1 Time(s)
       root (ip-72-167-249-196.ip.secureserver.net): 1 Time(s)
       root (ip-72-167-251-87.ip.secureserver.net): 1 Time(s)
       root (ip-97-74-121-108.ip.secureserver.net): 1 Time(s)
       root (ip-97-74-193-219.ip.secureserver.net): 1 Time(s)
       root (ip-97-74-206-13.ip.secureserver.net): 1 Time(s)
       unknown (ip-173-201-252-24.ip.secureserver.net): 1 Time(s)
       unknown (ip-72-167-249-196.ip.secureserver.net): 1 Time(s)
       unknown (ip-72-167-251-87.ip.secureserver.net): 1 Time(s)
       unknown (ip-97-74-121-108.ip.secureserver.net): 1 Time(s)
       unknown (ip-97-74-193-219.ip.secureserver.net): 1 Time(s)
       unknown (ip-97-74-206-13.ip.secureserver.net): 1 Time(s)
    Invalid Users:
       Unknown Account: 12 Time(s)

So, is there any convenient way to construct an IPTables rule to block
all IPs associated with a given Domain Name server?


dig -x 173.201.178.18

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> -x 173.201.178.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1357
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:
;18.178.201.173.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
18.178.201.173.in-addr.arpa. 3600	IN	PTR	ip-173-201-178-18.ip.secureserver.net.

;; AUTHORITY SECTION:
201.173.in-addr.arpa.	66199	IN	NS	cns2.secureserver.net.
201.173.in-addr.arpa.	66199	IN	NS	cns1.secureserver.net.

;; ADDITIONAL SECTION:
cns2.secureserver.net.	172800	IN	A	216.69.185.100
cns2.secureserver.net.	172800	IN	AAAA	2607:f208:303::64
cns1.secureserver.net.	172800	IN	A	208.109.255.100
cns1.secureserver.net.	172800	IN	AAAA	2607:f208:207::64


Like say, cns{1,2}.secureserver.net.  Or an entire domain? Say
secureserver.net. ?


-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
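iptables itself has no notion of DNS, so "block everything under a given nameserver" has to be done outside the packet filter: look up each offending source address, see whether its reverse zone is delegated to the nameserver in question, and feed the matches into an ipset that a single iptables rule drops. The script below is an added example, not code from the list or from CentOS; it parses `dig` output of the shape shown above (`ns_records` accepts both `dig -x IP` and `dig NS zone` output, since not every resolver returns the AUTHORITY section), decides per IP with `served_by`, and returns the `ipset`/`iptables` commands as strings so they can be reviewed before being run. The set name `ns-blocked` and the helper names are assumptions; the only data taken from the post is the `dig -x 173.201.178.18` output, embedded as a constructed sample. Two caveats apply: reverse DNS is under the address owner's control and may be missing or lie, so this is a proxy for "same hosting provider", not an identity check; and blocking the nameservers' own addresses (216.69.185.100 and so on) would only break name resolution for that zone, not stop the SSH attempts.

```python
"""Block SSH brute-force sources whose reverse-DNS zone is served by a
given nameserver, via ipset + one iptables rule.  Added example, not code
from the list post; set names and helper names are assumptions."""
import ipaddress
import shutil
import subprocess
import sys

# Constructed sample: the relevant sections of the post's
# `dig -x 173.201.178.18` output, used so the parser can be run offline.
SAMPLE_DIG_OUTPUT = """\
;; QUESTION SECTION:
;18.178.201.173.in-addr.arpa.\tIN\tPTR

;; ANSWER SECTION:
18.178.201.173.in-addr.arpa. 3600\tIN\tPTR\tip-173-201-178-18.ip.secureserver.net.

;; AUTHORITY SECTION:
201.173.in-addr.arpa.\t66199\tIN\tNS\tcns2.secureserver.net.
201.173.in-addr.arpa.\t66199\tIN\tNS\tcns1.secureserver.net.

;; ADDITIONAL SECTION:
cns2.secureserver.net.\t172800\tIN\tA\t216.69.185.100
cns1.secureserver.net.\t172800\tIN\tA\t208.109.255.100
"""


def ns_records(dig_text):
    """Return lower-cased NS names from the ANSWER or AUTHORITY section of
    dig output.  Works for `dig -x IP` (NS in AUTHORITY) and for
    `dig NS 201.173.in-addr.arpa.` (NS in ANSWER)."""
    names = set()
    wanted = False
    for line in dig_text.splitlines():
        if line.startswith(';;'):
            # Section headers switch parsing on/off; ADDITIONAL is ignored.
            wanted = 'ANSWER SECTION' in line or 'AUTHORITY SECTION' in line
            continue
        if not wanted or not line.strip() or line.startswith(';'):
            continue
        fields = line.split()  # owner TTL class type rdata
        if len(fields) >= 5 and fields[2] == 'IN' and fields[3] == 'NS':
            names.add(fields[4].rstrip('.').lower())
    return names


def served_by(dig_text, nameservers):
    """True if any NS in the dig output matches one of `nameservers`."""
    targets = {n.rstrip('.').lower() for n in nameservers}
    return bool(ns_records(dig_text) & targets)


def reverse_lookup(ip):
    """Real lookup for production use: runs `dig -x IP` (needs dig on PATH)."""
    if shutil.which('dig') is None:
        raise RuntimeError('dig not found on PATH')
    return subprocess.run(['dig', '-x', ip], capture_output=True,
                          text=True, check=True).stdout


def build_block_commands(ips, nameservers, lookup=reverse_lookup,
                         setname='ns-blocked'):
    """Return (not execute) the shell commands that drop every IP in `ips`
    whose reverse zone is served by one of `nameservers`.  IPv4 and IPv6
    go into separate sets because an ipset has a single address family."""
    v4, v6 = [], []
    for ip in ips:
        addr = ipaddress.ip_address(ip)  # rejects garbage before lookup
        if served_by(lookup(ip), nameservers):
            (v6 if addr.version == 6 else v4).append(str(addr))
    cmds = []
    for addrs, name, fam, ipt in ((v4, setname, 'inet', 'iptables'),
                                  (v6, setname + '6', 'inet6', 'ip6tables')):
        if not addrs:
            continue
        cmds.append(f'ipset create {name} hash:ip family {fam} -exist')
        cmds += [f'ipset add {name} {a} -exist' for a in addrs]
        # -C checks for an existing rule so re-runs do not stack duplicates.
        rule = f'INPUT -m set --match-set {name} src -j DROP'
        cmds.append(f'{ipt} -C {rule} 2>/dev/null || {ipt} -I {rule}')
    return cmds


if __name__ == '__main__':
    # Usage: script.py NAMESERVER IP [IP ...]   (prints commands to review)
    ns, *addrs = sys.argv[1:]
    print('\n'.join(build_block_commands(addrs, [ns])))
```

Run it with the nameserver and the IPs taken from /var/log/secure, inspect the printed commands, then pipe them to `sh` if they look right. Because the IPs live in an ipset, adding later offenders is one `ipset add` per address with no iptables reload, and `ipset list ns-blocked` shows exactly what is being dropped.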


