[COFF] [TUHS] TUHS: Maintenance, Succession and Funding

Steffen Nurpmeso via COFF coff at tuhs.org
Tue Apr 21 02:43:38 AEST 2026


[i went to coff@ as requested.]

Grant Taylor via TUHS wrote in
 <2013c705-3885-4730-a01b-1f6dfbf70b0b at spamtrap.tnetconsulting.net>:
 |On 4/18/26 10:20 AM, Kenneth Goodwin via TUHS wrote:
 |> On your physical firewall,  block the entire subnet range that 
 |> they were assigned  by their ISP using a single access control list 
 |> statement with ip address and appropriate subnet mask. Drop all packets 
 |> from this range. It's been a while, but I believe IANA maintains a 
 |> list of ip address ranges per internet client. Other organizations 
 |> might as well. It makes your site disappear from their view. They 
 |> may automatically stop connecting once enough failed attempts are 
 |> registered at their end.
 |
 |The last time I looked IANA maintained a list of which IP ranges were 
 |handed out to the Regional Internet Registries (RIRs).  You'd need to go 
 |(multiple hops) deeper to find a viable subnet for the offending IP(s).
 |
 |I found that (access to) a (read-only) BGP (monitoring) feed can be very 
 |useful for this.  The BGP feed will have down to the /24 for the network 
 |the offending IP is in.  What's more is you can see what other prefixes 
 |the ASN is advertising and block them as well if you want to.
 |
 |> If you are using a server based firewall such as iptables or 
 |> a successor, do the above ACL there. Instead of one ACL per ip 
 |> address. It's one ACL per offender blocking everything.
 ...

Great ipset tip, from an iptables lover.  (Successor, bah!)

But note i would be careful, the fossies.org software archive
(at times one of the most widely visited pages of the internet)
was not accessible from wide ranges of the internet last
year, and for quite some time, because Jens Schleusener, the
instance behind, actually seems to have fetched provider info,
and then blocked providers or at least larger ranges thereof.
(Some providers have hundreds of IP ranges, from little to big.)
(Not to mention that most attacks *i* see come via some clowd.)

What i (my TUHS clone still requires better firewall settings)
have found valuable is excluding crawlers without reverse DNS.
So i had written a script which can easily be adapted (especially
on Linux for which it is meant, with two caveats, first of all it
creates a database file
  : ${DB:=/run/.fw-ss-http}
that is *not flocked*, and then the final action from within
awk(1) needs to be adapted.  And note reverse DNS may hang!

What it does is that it checks any current connection

        nips=$($SS -H -Q -t '( sport = :http or sport = :https )' |

and performs DNS reverse lookup (i have a local dnsmasq cache)

        eval l=\$ipdns_$ipm ipdns_$ipm=y
        if [ -n "$l" ]; then
                [ -n "$DBG" ] && echo >&2 '.. DNS lookup cached: '$ip
                continue
        elif [ -n "$DBG" ]; then
                echo >&2 'DNS PTR lookup: '$NSLOOKUP' '$ip
        else
                m=$($NSLOOKUP "$ip" 2>/dev/null)
        fi

That results in a stream of "$?/$ip/$ipm" tuples, which is
consumed in a then protocol-independent

                m=$MASK4
                [ "${a}" != "${a%:*}" ] && m=$MASK6
                an=$($IPCALC -n $a/$m)
                if [ $? -ne 0 ]; then
                        echo >&2 'ipcalc failed for '$a/$m
                        continue
                fi

further analyzed as "listing: DNS failure" or "listing: multiple
IP/network" via

  : ${MASK4:=24}
  : ${MASK6:=64}

you know.  The appropriate steps are then taken.
This is all shell

  : ${AWK:=awk}
  : ${IPCALC:=ipcalc}
  : ${NSLOOKUP:=nslookup}
  : ${SED:=sed}
  : ${SS:=ss}
  ep=$(date +%s)

and run from cron.  I had at times more than a hundred networks
blocked like that, but half a dozen is the minimum in practice.
Maybe someone finds it useful.  Doing this from scratch in some
real programming language is an option, though; especially with
non-blocking DNS lookups...

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
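The listing decision sketched in the post above, assembled into one runnable piece as an added example; this is not Steffen's script. It assumes IPv4 only (the /MASK4 network is computed in shell instead of ipcalc), takes the "rc/ip" tuples as already produced by the ss and nslookup stages, and uses a hypothetical THRESH knob for the "multiple IP/network" rule.

```shell
#!/bin/sh
# Added example, not the original script: decide which networks to list from
# a stream of "rc/ip" tuples (rc = exit status of the PTR lookup, ip = peer).
# Assumptions: IPv4 only; THRESH (hypothetical) distinct peers from one
# network trigger the "multiple IP/network" listing.
: ${MASK4:=24}
: ${THRESH:=3}

# net4 IP PREFIXLEN -> network in CIDR form, e.g. 203.0.113.77 24 -> 203.0.113.0/24
net4() {
	p=$2 oldifs=$IFS
	IFS=.; set -- $1; IFS=$oldifs
	n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
	n=$(( n & ((4294967295 << (32 - p)) & 4294967295) ))
	printf '%d.%d.%d.%d/%d\n' $((n >> 24)) $((n >> 16 & 255)) \
		$((n >> 8 & 255)) $((n & 255)) "$p"
}

# classify reads "rc/ip" lines on stdin and prints one "listing: ..." line per
# network that had a failed PTR lookup or at least THRESH distinct peers.
# Duplicate peers (repeat connections) are counted once.
classify() {
	while IFS=/ read -r rc ip; do
		[ -n "$ip" ] || continue
		printf '%s %s %s\n' "$rc" "$ip" "$(net4 "$ip" "$MASK4")"
	done | awk -v thresh="$THRESH" '
		$1 != 0 { fail[$3] = 1 }
		!(($3, $2) in seen) { seen[$3, $2] = 1; peers[$3]++ }
		END {
			for (n in fail) print "listing: DNS failure " n
			for (n in peers) if (peers[n] >= thresh)
				print "listing: multiple IP/network " n
		}' | sort
}

# Constructed sample input: one peer with a PTR record (nothing happens), one
# without (DNS failure listing), three distinct peers plus a repeat from one
# /24 (multiple IP/network listing).
sample() {
	printf '%s\n' 0/198.51.100.10 1/203.0.113.77 \
		0/192.0.2.1 0/192.0.2.2 0/192.0.2.3 0/192.0.2.3
}

sample | classify
```

In the real script the two listing lines would be the place to call the firewall action that the post leaves to be adapted.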

