Re: Blocking all APNIC addresses vs. per-country list

On Mon, 26/04/2010 at 16:09 +0200, Peter Zieseniss wrote:
> Hello All,
> 
> This is my first time posting; I am rather new to iptables, so please excuse the ignorance in my question.
> 
> My personal CentOS-based webhost is under constant ssh attack from an interminable list of different IP addresses (just to give you an idea, my lastb data file grows by ~100MB every week!!).
> I've noticed that they all seem to come from East Asia (mainly China, Taiwan, Malaysia, Korea--both).
> 
> I found this website which provides a list of IP addresses on a per-country basis:
> http://ipinfodb.com/ip_country_block_iptables.php
> 
> It seems quite reliable, but the list, for just the countries above, is about 3700 lines long.
> On the other hand, I found a list of just 40 lines for *all* of the APNIC countries (http://bgp.potaroo.net/ipv4-stats/allocated-apnic.html).
> 
> I'd rather use a per-country list so as to not block non-offending countries like Japan and Australia. Indeed, my Mom, Dad, and I use this webhost for our small businesses, and although we've never had interlocutors from APNIC countries, I'd rather not block Australia outright, just in case someone has their webhost there and tries to send us email...
> 
> My question, therefore, is this:
> Is it wise to use a 4000-line-long block list for iptables? Or will doing so bring my server to a crawl (which it already is because of these darn brute-force ssh attacks) because for each TCP packet it has to spend 5 minutes going through the entire list?
> Should I just forget about Australia and Japan, and block all APNIC countries with just a 40-line list instead?
> 
> 
> Again, I apologize for the long, and probably lame, question, but I would *greatly* appreciate any help you might provide.

Regarding a big number of iptables rules, it is better to use ipset for
this kind of rules because it uses hashing. And this is in case you
really need such a big number of rules.

Regarding ssh and brute-force attacks on other services, there is a better
way to avoid that without using a huge number of rules.

Personally I limit POP and IMAP to only allow 2 connections from a
particular IP. This is not a good idea for SSH, because you should be able
to have as many sessions open as you want. So I limit the number of new SSH
connections to 5 per minute. This way I can open 5 connections immediately
and then 1/minute. This is acceptable to me, but not for brute-force.

These are my rules:

# Blocking brute-force attacks on Cyrus POP and IMAP by limiting the number
# of new connections from one source IP to 2
iptables -A INPUT -p tcp --dport 110 -m state --state NEW -m connlimit --connlimit-above 2 -j DROP
iptables -A INPUT -p tcp --dport 143 -m state --state NEW -m connlimit --connlimit-above 2 -j DROP

# Blocking brute-force SSH attacks, limiting new connections per source IP
# to 5 per minute (default burst of 5, then 1 per minute)
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m hashlimit --hashlimit-mode srcip --hashlimit-name LIM_SSH --hashlimit-above 5/minute -j DROP

Brute-forcers try to open as many connections as they can, and when they
get very slow because of those rules they give up.

-- 
Покотиленко Костик <casper@xxxxxxxxxxxx>
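An added example (my own, not from either poster) of the ipset approach suggested in the reply: it turns a per-country CIDR list into one hash:net set loaded with "ipset restore", so a single iptables rule replaces the ~4000 per-address rules. It assumes ipset 6 or later syntax; the set name, the constructed sample list and the function names are mine, and nothing here actually runs ipset or iptables, it only generates the input for them.

```shell
# Constructed sample of a per-country list: one CIDR per line, comments and
# blank lines allowed (a real file would come from the list provider).
sample_cidr_list() {
    cat <<'EOF'
# constructed sample entries, not a real allocation list
203.0.113.0/24
198.51.100.0/24

192.0.2.0/24
EOF
}

# Emit an "ipset restore" script from a CIDR list on stdin.
# $1 = set name. hash:net stores prefixes in a hash table, so the lookup
# cost stays flat no matter how many thousand entries the set holds.
# "-exist" makes the script safe to re-run when the list is refreshed.
build_ipset_restore() {
    printf 'create %s hash:net family inet -exist\n' "$1"
    grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(/[0-9]+)?$' |
        while IFS= read -r cidr; do
            printf 'add %s %s -exist\n' "$1" "$cidr"
        done
}

# Emit the iptables rules that go with the set: one rule that matches the
# whole set, plus the SSH rate limit from the reply above.
# $1 = set name.
build_iptables_rules() {
    cat <<EOF
iptables -A INPUT -m set --match-set $1 src -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m hashlimit --hashlimit-mode srcip --hashlimit-name LIM_SSH --hashlimit-above 5/minute -j DROP
EOF
}

# Typical use (as root, with a real list in countries.txt):
#   build_ipset_restore blocked_countries < countries.txt | ipset restore
#   build_iptables_rules blocked_countries | sh
```

Check the loaded set with "ipset list blocked_countries" before adding the DROP rule, and reload it from a fresh list the same way; the iptables rule does not change when the set contents do.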
