[olug] Shell accounts? [OT?]
Lou Duchez
lou at paprikash.com
Wed Sep 27 11:26:55 CDT 2017
In case anyone's interested, I came across this list of international IP
addresses some time ago; I can't confirm its accuracy or completeness,
but thus far it hasn't caused me any problems (that I know of). In my
firewalls I typically block all IPs in these ranges except for email and
Web access; I spend so little time hiking through the Balkans, I feel
pretty safe blocking all SSH connections from Sarajevo.
N Filename iptables.rules
N Russia .ru
89.0.0.0/8
N RIPE.NET (Europe, the Middle East and parts of Central Asia)
62.0.0.0/8
77.0.0.0/8
78.0.0.0/8
79.0.0.0/8
80.0.0.0/8
81.0.0.0/8
82.0.0.0/8
83.0.0.0/8
84.0.0.0/8
85.0.0.0/8
86.0.0.0/8
87.0.0.0/8
88.0.0.0/8
89.0.0.0/8
90.0.0.0/8
91.0.0.0/8
193.0.0.0/8
194.0.0.0/8
195.0.0.0/8
212.0.0.0/8
213.0.0.0/8
217.0.0.0/8
N APNIC (Asian Pacific Network Information Center)
58.0.0.0/8
59.0.0.0/8
60.0.0.0/8
61.0.0.0/8
202.0.0.0/8
203.0.0.0/8
210.0.0.0/8
211.0.0.0/8
218.0.0.0/8
219.0.0.0/8
220.0.0.0/8
221.0.0.0/8
222.0.0.0/8
116.0.0.0/8
117.0.0.0/8
118.0.0.0/8
119.0.0.0/8
120.0.0.0/8
121.0.0.0/8
122.0.0.0/8
123.0.0.0/8
124.0.0.0/8
125.0.0.0/8
126.0.0.0/8
N End APNIC Addresses
N LACNIC (Latin American and Caribbean Network Information Center)
189.0.0.0/8
190.0.0.0/8
200.0.0.0/8
201.0.0.0/8
N End LACNIC
N Add .EU here?
N duesentrieb.kunst.uni-frankfurt.de
141.0.0.0/8
N end .EU
88.0.0.0/8
85.0.0.0/8
> ipset to efficiently and easily whitelist / blacklist large sets of IP
> addresses such as from an entire country.
>
>
> On Tue, Sep 26, 2017 at 11:26 PM, aric at omahax.com <aric at omahax.com> wrote:
>
>> Thanks, that is a cool feature of iptables that I didn't know about. When
>> I first read the port knocking suggestion on this thread I thought about
>> the Dr. Strangelove doomsday machine. You could trigger events from a port
>> knock. ....and then this Rick and Morty scene
>> https://youtu.be/a69kN7gyE70
>> There are several ways to block SSH attempts. I use pfSense to forward a non-standard
>> port, ban the IP after 5 failed attempts and ban IPs that port
>> scan. The iptables way you suggested looks to be the simplest.
>> ------ Original message------
>> From: Christopher Cashell
>> Date: Tue, Sep 26, 2017 10:53 PM
>> To: Omaha Linux User Group;
>> Cc:
>> Subject: Re: [olug] Shell accounts? [OT?]
>> On Thu, Sep 14, 2017 at 9:40 AM, Ben Hollingsworth wrote:
>>
>>> The biggest bummer, nostalgia aside, is SSH access. In order to keep the
>>> log file noise to a minimum, my home firewall restricts which IP blocks
>>> are allowed to SSH into my home computer. On the rare occasion when I need
>>> to SSH in from an unapproved network, I was always able to SSH into falcon
>>> first, then jump from there to my home machine. That route is no longer
>>> an option, so I'll probably have to open up the firewall again. Or maybe I
>>> can just paint with a bigger brush & block foreign IPs using that list
>>> that somebody posted recently.
>>>
>> Someone mentioned port-knocking, which can be a handy solution for this.
>> Another option that can significantly reduce the log noise is to use
>> iptables to minimize or prevent brute-force SSH attacks.
>>
>> Replace the iptables rule on your box that is allowing TCP port 22 with the
>> following:
>>
>> iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m
>> hashlimit --hashlimit-mode srcip --hashlimit-upto 1/min --hashlimit-burst 4
>> --hashlimit-name ssh -j ACCEPT
>>
>> That will limit new TCP connection attempts to a rate of 1 per minute, with
>> a burst of 4 allowed per source IP. Basically, anyone who makes repeated
>> ssh attempts too quickly will automatically have their connection attempts
>> dropped. The more attempts they make, the longer they get blocked. The
>> best thing about it is that it requires no maintenance or external
>> applications (like fail2ban), and is very "fire and forget" for low
>> connection rate protocols like SSH.
>>
>> One other handy option, you can keep SSH blocked from the outside, and use
>> something like OpenVPN to connect remotely. Then, after establishing a VPN
>> session to your computer externally, you can SSH across the VPN to not
>> expose SSH publicly. This can also give you some additional access
>> benefits to your system.
>>
>> For the ultimate in remote shell flexibility, I'll echo another suggestion
>> that was thrown out, too: Linode. I've been using Linode.com for 10 years
>> now, and I can't recommend them enough. They're Virtual Private Server
>> (VPS) hosting by geeks/engineers for geeks/engineers.
>>
>> --
>>> *Ben "Obi-Wan" Hollingsworth* obiwan at jedi.com
>>> www.Jedi.com
>>
>>
>> --
>> Christopher
>> _______________________________________________
>> OLUG mailing list
>> OLUG at olug.org
>> https://www.olug.org/mailman/listinfo/olug
>> _______________________________________________
>> OLUG mailing list
>> OLUG at olug.org
>> https://www.olug.org/mailman/listinfo/olug
>>
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://www.olug.org/mailman/listinfo/olug
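The list Lou posted at the top of this thread is a file of comment lines and /8 blocks, and Christopher's reply points at ipset as the efficient way to load such a set. The script below is an added example, not code from Lou or from the ipset/iptables projects: it parses an excerpt of the posted list (the lines starting with "N " are treated as comments, which is an assumption about the file layout), refuses anything that is not a valid CIDR, removes the exact repeats the posted list contains (89, 88 and 85 each appear twice), collapses adjacent blocks, and renders an `ipset restore` script plus the two iptables rules that let only mail and web traffic through from those ranges. The set name `foreign` and the "email and Web" ports 25, 80 and 443 are assumptions, since the message does not give them. Whole /8 aggregates are far coarser than current registry allocations, so a list like this is worth checking against RIR data before it goes into a firewall.

```python
import ipaddress
from collections import OrderedDict

# Constructed excerpt of the posted list, in the same layout as the message.
# Lines starting with "N " are treated (an assumption) as comments/section
# labels; every other non-empty line is expected to be a CIDR block.
POSTED_LIST = """\
N Filename iptables.rules
N Russia .ru
89.0.0.0/8
N RIPE.NET (Europe, the Middle East and parts of Central Asia)
62.0.0.0/8
85.0.0.0/8
88.0.0.0/8
89.0.0.0/8
N LACNIC (Latin American and Caribbean Network Information Center)
189.0.0.0/8
N Add .EU here?
141.0.0.0/8
N end .EU
88.0.0.0/8
85.0.0.0/8
"""

# Ports left open to the blocked ranges ("email and Web access" in the
# message); the exact numbers are an assumption, not given in the thread.
ALLOWED_TCP_PORTS = (25, 80, 443)


def parse_posted_list(text):
    """Return (networks, duplicates, bad_lines).

    networks keeps first-seen order with exact repeats removed; duplicates
    lists the repeated entries; bad_lines collects anything that is neither
    a comment nor a valid CIDR, so a typo is reported instead of silently
    shrinking the block list.
    """
    seen = OrderedDict()
    duplicates, bad_lines = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("N "):
            continue
        try:
            # strict=True rejects entries with host bits set, e.g. 10.0.0.1/8
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            bad_lines.append(line)
            continue
        if net in seen:
            duplicates.append(str(net))
        else:
            seen[net] = None
    return list(seen), duplicates, bad_lines


def collapse(networks):
    """Merge overlapping and adjacent blocks so each address is listed once
    (88.0.0.0/8 and 89.0.0.0/8 become 88.0.0.0/7)."""
    return list(ipaddress.collapse_addresses(networks))


def render_ipset_restore(networks, set_name="foreign"):
    """Input for `ipset restore`; hash:net stores CIDR blocks and -exist
    makes the script safe to re-run."""
    lines = [f"create {set_name} hash:net family inet -exist"]
    lines += [f"add {set_name} {net} -exist" for net in networks]
    return "\n".join(lines) + "\n"


def render_iptables_rules(set_name="foreign"):
    """Accept mail/web from the set, then drop everything else from it.
    Appended to INPUT ahead of any SSH rule so the set is checked first."""
    ports = ",".join(str(p) for p in ALLOWED_TCP_PORTS)
    rules = [
        f"iptables -A INPUT -p tcp -m multiport --dports {ports} "
        f"-m set --match-set {set_name} src -j ACCEPT",
        f"iptables -A INPUT -m set --match-set {set_name} src -j DROP",
    ]
    return "\n".join(rules) + "\n"


if __name__ == "__main__":
    nets, dups, bad = parse_posted_list(POSTED_LIST)
    print(f"{len(nets)} unique blocks, repeats: {dups}, bad lines: {bad}")
    print(render_ipset_restore(collapse(nets)), end="")
    print(render_iptables_rules(), end="")
```

Running it on the excerpt reports six unique blocks and the three repeats, and the collapsed set has five entries because the adjacent 88/8 and 89/8 merge into 88.0.0.0/7. Loading the set with `ipset restore` and referencing it from two rules keeps the INPUT chain short no matter how long the list grows, which is the point of Christopher's ipset suggestion.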
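Christopher's hashlimit rule (`--hashlimit-upto 1/min --hashlimit-burst 4 --hashlimit-mode srcip`) is easier to reason about as the token bucket it implements. The model below is an added example, not netfilter code and not part of the original thread: each source address gets a bucket that starts with `burst` tokens and refills at one token per minute; a new connection matches the rule (and so reaches `-j ACCEPT`) only when a whole token is available, and an attempt that finds the bucket empty consumes nothing and simply falls through to whatever rule follows. The trace it runs is constructed, using documentation addresses. Two points the model makes visible: the rule by itself never drops anything, so a DROP or REJECT (or a DROP policy) has to come after it, and rejected attempts do not extend the block, so a source regains one attempt per minute regardless of how hard it keeps trying.

```python
# Simplified model of the netfilter hashlimit token bucket behind
#   -m hashlimit --hashlimit-mode srcip --hashlimit-upto 1/min --hashlimit-burst 4
# The kernel keeps integer credit per hash entry; floats are used here for
# readability and give the same verdicts for whole-second timestamps.

RATE_PER_SEC = 1 / 60     # --hashlimit-upto 1/min
BURST = 4                 # --hashlimit-burst 4


class HashLimit:
    def __init__(self, rate=RATE_PER_SEC, burst=BURST):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # srcip -> (tokens, time of last attempt)

    def matches(self, src, now):
        """True if a new connection from src at time `now` matches the rule.
        A fresh source starts with a full bucket; a non-matching attempt
        leaves the bucket untouched."""
        tokens, last = self.buckets.get(src, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        if ok:
            tokens -= 1.0
        self.buckets[src] = (tokens, now)
        return ok


def simulate(attempts):
    """attempts: iterable of (seconds, srcip) in time order. Returns one
    verdict per attempt: True = matched (ACCEPT), False = fell through to
    the next rule (a DROP, if the chain is built as the message suggests)."""
    limiter = HashLimit()
    return [limiter.matches(src, t) for t, src in attempts]


# Constructed trace: a scanner (198.51.100.7) tries six times in five seconds
# and once more a minute later, while 203.0.113.9 connects once.
ATTEMPTS = [
    (0, "198.51.100.7"), (0, "203.0.113.9"), (1, "198.51.100.7"),
    (2, "198.51.100.7"), (3, "198.51.100.7"), (4, "198.51.100.7"),
    (5, "198.51.100.7"), (65, "198.51.100.7"),
]

if __name__ == "__main__":
    for (t, src), ok in zip(ATTEMPTS, simulate(ATTEMPTS)):
        print(f"t={t:3d}s {src:14s} {'ACCEPT' if ok else 'no match -> next rule'}")
```

In the trace the scanner's first four attempts match, the fifth and sixth fall through, and the attempt at 65 seconds matches again because one token has refilled; the second host is unaffected because buckets are per source address. That matches the "1 per minute with a burst of 4" description in the message and shows why a sustained scanner is held to about one connection a minute rather than locked out for longer.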