crazyfruitbat
Joined: 12 Feb 2011
Posts: 55
Posted: Sat Nov 05, 2011 9:20 pm    Post subject: Blocking an ip address range
Hey guys, I'm using webmin to control my firewall and I want to ban baidu - they are constantly hitting my forum and ignoring robots.txt.
I started banning the odd ip address in webmin, now I'm getting hundreds of the baidu crawlers - probably a good 60-70 at any given time in the day, making a massive log file on the server.
So I want to ban the entire range on webmin but I can't figure out how to do it. One address of Baidu is 180.76.5.24 so I'm guessing 180.76.5.0/24 is the block for the whole range?
I have put 180.76.5.0/24 into webmin to block but it's not having any effect. Have I missed something here?
Cheers
Chris
vonskippy
Joined: 27 Dec 2009
Posts: 469
Location: Colorado, USA
Posted: Sat Nov 05, 2011 9:26 pm
Think bigger, much BIGGER
#whois 180.76.5.24
Code: 180.76.5.24
inetnum: 180.76.0.0 - 180.76.255.255
netname: Baidu
descr: Beijing Baidu Netcom Science and Technology Co., Ltd.
descr: Baidu Plaza, No.10, Shangdi 10th street,Haidian District Beijing,100080
country: CN
admin-c: WN141-AP
tech-c: JC2179-AP
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
status: ALLOCATED PORTABLE
changed: hm-changed@apnic.net 20090715
Obsidian
Joined: 20 Apr 2011
Posts: 39
Posted: Sat Nov 05, 2011 9:31 pm
What's with the drop-down by the source IP? Does that contain anything useful, like a "within" setting perhaps?
crazyfruitbat
Joined: 12 Feb 2011
Posts: 55
Posted: Sat Nov 05, 2011 9:41 pm
Haha thanks guys - cheers for the additional range, where did you find that amount of detail?
As for the drop down - I have:
<ignored>
Equals
Does not equal
crazyfruitbat
Joined: 12 Feb 2011
Posts: 55
Posted: Sat Nov 05, 2011 9:57 pm
Vonskippy, if the address range is 180.76.0.0 - 180.76.255.255 how can I ban the entire range? I read somewhere that the /24 does that but it may be wrong...
vonskippy
Joined: 27 Dec 2009
Posts: 469
Location: Colorado, USA
Posted: Sat Nov 05, 2011 10:08 pm
180.76.0.0/16 = 180.76.0.1-180.76.255.254
/24 is just a Class C network range
http://en.wikipedia.org/wiki/Subnetwork
Scroll down to the CIDR part for a good overview of how the /24 (and others) subnetting works.
Pretty much any WHOIS utility will tell you the IP Range for any given IP.
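The two things the thread turns on here, what a CIDR prefix actually covers and how to get from the whois `inetnum:` range to a prefix you can put in a firewall rule, are easy to check with the Python standard library. The block below is an added example, not code from the original thread or from webmin; it parses the whois `inetnum:` line quoted above into CIDR blocks (the 180.76.0.0 - 180.76.255.255 range collapses to exactly 180.76.0.0/16, 65,536 addresses), shows what a /24 versus a /16 covers, and tests whether a given address falls inside a block. The `WHOIS_ODD` sample is a constructed range on the documentation network 203.0.113.0/24, added to show that a range which does not fall on a power-of-two boundary becomes more than one CIDR block.

```python
import ipaddress

def cidr_to_range(cidr):
    """Return (first address, last address, size) covered by a CIDR block.

    strict=False lets a host address such as 180.76.5.24/24 be normalised to
    its network, 180.76.5.0/24, instead of raising ValueError.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses

def range_to_cidrs(first, last):
    """Convert an inclusive address range into the minimal list of CIDR blocks."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]

def covers(cidr, ip):
    """True if ip falls inside the block, i.e. what an iptables -s match does."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def inetnum_to_cidrs(whois_text):
    """Pull the 'inetnum:' line out of whois output and return its CIDR blocks."""
    for line in whois_text.splitlines():
        if line.startswith("inetnum:"):
            first, last = [p.strip() for p in line.split(":", 1)[1].split("-")]
            return range_to_cidrs(first, last)
    raise ValueError("no inetnum line found")

# Constructed samples: the inetnum line quoted in the thread, and an assumed
# range on the documentation network that is not CIDR-aligned.
WHOIS_BAIDU = "inetnum:        180.76.0.0 - 180.76.255.255\nnetname:        Baidu\n"
WHOIS_ODD = "inetnum:        203.0.113.0 - 203.0.113.191\n"

if __name__ == "__main__":
    print(cidr_to_range("180.76.5.0/24"))   # the /24 the original poster tried: 256 addresses
    print(cidr_to_range("180.76.0.0/16"))   # the whole allocation: 65536 addresses
    print(inetnum_to_cidrs(WHOIS_BAIDU))    # one block, 180.76.0.0/16
    print(inetnum_to_cidrs(WHOIS_ODD))      # two blocks: a /25 and a /26
    for ip in ("180.76.5.52", "180.76.9.1"):
        print(ip, "in /24:", covers("180.76.5.0/24", ip), "in /16:", covers("180.76.0.0/16", ip))
```

The useful check is the last loop: 180.76.5.52 is inside both 180.76.5.0/24 and 180.76.0.0/16, so a /24 rule that was actually being evaluated should have caught the address reported later in the thread; 180.76.9.1 is only inside the /16.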
crazyfruitbat
Joined: 12 Feb 2011
Posts: 55
Posted: Sat Nov 05, 2011 10:19 pm
Ok thanks mate - I have added it to the firewall rules using webmin and double-checked it on ssh
Code: DROP all -- 180.76.0.0/16 anywhere
Let's see how it goes!
crazyfruitbat
Joined: 12 Feb 2011
Posts: 55
Posted: Sun Nov 06, 2011 6:56 am
Ok, as I thought, it's not working - I just caught a load on my website now.
180.76.5.52 is just one I picked out. Seems like the firewall is just not working ;(
jebblue
Joined: 23 May 2010
Posts: 112
Posted: Sun Nov 06, 2011 11:42 am
Do this and report the results:
Code: sudo iptables -L -n | grep "180.76.0.0/16"
crazyfruitbat
Joined: 12 Feb 2011
Posts: 55
Posted: Sun Nov 06, 2011 6:00 pm
Cheers jebblue, here is the result:
Code: DROP all -- 180.76.0.0/16 0.0.0.0/0
db3l
Joined: 13 May 2009
Posts: 556
Posted: Sun Nov 06, 2011 6:20 pm
I suspect you may need to take a wider view of your rules. Even if you have a specific DROP rule as you show, if there's an earlier rule in the chain that, for example, permits all web traffic to port 80, it'll never reach the DROP rule.
I'd dump the entire iptables and trace the rules that apply to the INPUT chain (and any associated chains called from it, depending on how Webmin set up the filter) and reason about what would happen with the most recent source address, for example, that seemed to get through.
You'll still then need to figure out how to adjust the filters the way you want with Webmin (which I don't have any familiarity with), but at least you'll have an idea of why what is happening is happening.
-- David
crazyfruitbat
Joined: 12 Feb 2011
Posts: 55
Posted: Sun Nov 06, 2011 9:06 pm
The only rules I have are for these specific addresses and fail2ban.
If I was to do this outside of webmin (ssh etc), what would you advise?
vonskippy
Joined: 27 Dec 2009
Posts: 469
Location: Colorado, USA
Posted: Sun Nov 06, 2011 9:10 pm
Just post ALL your rules (# iptables -L)
It wouldn't have to be for that specific Source Network.
As db3l mentioned, you could have a global rule bypassing your specific DROP rule.
Might be easier to help if you stated which Distro you're using.
crazyfruitbat
Joined: 12 Feb 2011
Posts: 55
Posted: Mon Nov 07, 2011 7:23 am
Thanks guys. My Distro is Ubuntu 10.04
Here is the output:
Code:
Chain INPUT (policy ACCEPT)
target        prot opt source            destination
fail2ban-ssh  tcp  --  anywhere          anywhere      multiport dports ssh

Chain FORWARD (policy ACCEPT)
target        prot opt source            destination

Chain OUTPUT (policy ACCEPT)
target        prot opt source            destination

Chain Hackers (0 references)
target        prot opt source            destination
DROP          all  --  59.151.24.211     anywhere

Chain baidu (0 references)
target        prot opt source            destination
DROP          all  --  180.76.0.0/16     anywhere
DROP          all  --  119.63.196.0/24   anywhere
DROP          all  --  180.76.5.149      anywhere
DROP          all  --  180.76.5.99       anywhere
DROP          all  --  180.76.5.92       anywhere
DROP          all  --  180.76.5.91       anywhere
DROP          all  --  180.76.5.158      anywhere
DROP          all  --  180.76.5.139      anywhere
DROP          all  --  180.76.5.140      anywhere
DROP          all  --  anywhere          anywhere

Chain fail2ban-ssh (1 references)
target        prot opt source            destination
RETURN        all  --  anywhere          anywhere

Thanks for all the help, I really do appreciate it!
db3l
Joined: 13 May 2009
Posts: 556
Posted: Mon Nov 07, 2011 3:21 pm
crazyfruitbat wrote:
Thanks guys. My Distro is Ubuntu 10.04
Here is the output:
Code:
Chain INPUT (policy ACCEPT)
target        prot opt source            destination
fail2ban-ssh  tcp  --  anywhere          anywhere      multiport dports ssh

So this chain essentially allows anything through to your node (other than ssh traffic that might be blocked by the fail2ban-ssh chain, though that's currently empty). It has no block rules (nor calls any other chain with any), and its policy is to accept all traffic by default. Basically your node is wide open to incoming traffic.
Your baidu chain is never called, so nothing you have in it makes any difference. If you add a rule to the INPUT chain to call the baidu chain as the target you can invoke those exclusion rules, but I'm not sure of the process to do that by webmin. You can do it manually, but I don't know if or when webmin might rewrite the rules, losing local changes. Although, if the baidu chain was created by webmin, it's odd it doesn't add a call to it itself.
BTW, although you can do it either way, I prefer to exclude anything not permitted in filters rather than permit anything not excluded. So I generally recommend having all default policies as DROP and then rules specifically for permitted traffic. Though I'll admit that is a matter of preference.
-- David
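db3l's advice in both of his replies, trace the INPUT chain rule by rule for the address that got through, is something you can do mechanically rather than by eye. The block below is an added example, not code from the thread or from webmin: it parses `iptables -L -n`-style output into chains, walks a packet through INPUT the way netfilter does (first matching terminal target wins, a jump into a user chain that falls off the end or hits RETURN comes back to the next rule, an unmatched built-in chain takes its policy), and then simulates the fix, inserting a jump to the `baidu` chain at the top of INPUT, which is what `iptables -I INPUT 1 -j baidu` would do. The sample rules are a constructed copy of the listing posted above in `-n` form (ssh shown as port 22, a few of the single-host lines dropped). One thing worth noticing in that listing: the last rule in the `baidu` chain is `DROP all -- anywhere anywhere`, so linking the chain exactly as posted would drop every packet the server receives, the admin's ssh session included; the example shows that too, and removes the catch-all before re-checking.

```python
import re
import ipaddress
from dataclasses import dataclass, field

# Constructed sample in `iptables -L -n` form, mirroring the chains posted in
# the thread (some of the single-host DROP lines are omitted for brevity).
SAMPLE_RULES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain Hackers (0 references)
target     prot opt source               destination
DROP       all  --  59.151.24.211        0.0.0.0/0

Chain baidu (0 references)
target     prot opt source               destination
DROP       all  --  180.76.0.0/16        0.0.0.0/0
DROP       all  --  119.63.196.0/24      0.0.0.0/0
DROP       all  --  180.76.5.149         0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

ANY = ipaddress.ip_network("0.0.0.0/0")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

@dataclass
class Packet:
    src: str
    proto: str
    dport: int

@dataclass
class Rule:
    target: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: set = field(default_factory=set)

    def matches(self, pkt):
        if self.proto not in ("all", pkt.proto):
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        return not self.dports or pkt.dport in self.dports

def parse_iptables(text):
    """Parse `iptables -L -n` output into {chain: {"policy": ..., "rules": [...]}}.
    User-defined chains have no policy (None); built-in chains carry theirs."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("target"):
            continue
        if line.startswith("Chain "):
            m = re.search(r"policy (\w+)", line)
            current = {"policy": m.group(1) if m else None, "rules": []}
            chains[line.split()[1]] = current
            continue
        target, proto, _opt, src, dst, *extra = line.split()
        m = re.search(r"dports? (\S+)", " ".join(extra))
        dports = {int(p) for p in m.group(1).split(",")} if m else set()
        current["rules"].append(Rule(target, proto, ipaddress.ip_network(src),
                                     ipaddress.ip_network(dst), dports))
    return chains

def evaluate(chains, chain_name, pkt):
    """Walk a chain like netfilter: first matching terminal target wins; a
    jump into a user chain that returns None continues with the next rule;
    falling off the end (or RETURN) yields the chain policy, None for user chains."""
    chain = chains[chain_name]
    for rule in chain["rules"]:
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return chain["policy"]
        if rule.target in chains:                      # jump to a user-defined chain
            verdict = evaluate(chains, rule.target, pkt)
            if verdict is not None:
                return verdict
    return chain["policy"]

def link_chain(chains, parent, child, position=0):
    """Equivalent of `iptables -I <parent> <position+1> -j <child>`."""
    chains[parent]["rules"].insert(position, Rule(child, "all", ANY, ANY))

def drop_catch_all(chains, chain_name):
    """Remove `DROP all -- 0.0.0.0/0 0.0.0.0/0` rules, which match every packet."""
    rules = chains[chain_name]["rules"]
    rules[:] = [r for r in rules
                if not (r.target == "DROP" and r.proto == "all" and r.src == ANY and not r.dports)]

def verdict(text, src, proto="tcp", dport=80, link=False, strip_catch_all=False):
    """Parse the listing, optionally apply the fixes, and return the INPUT verdict."""
    chains = parse_iptables(text)
    if strip_catch_all:
        drop_catch_all(chains, "baidu")
    if link:
        link_chain(chains, "INPUT", "baidu")
    return evaluate(chains, "INPUT", Packet(src, proto, dport))

if __name__ == "__main__":
    print("as posted, crawler to :80       ", verdict(SAMPLE_RULES, "180.76.5.52"))
    print("baidu linked, crawler to :80    ", verdict(SAMPLE_RULES, "180.76.5.52", link=True))
    print("baidu linked, admin ssh         ", verdict(SAMPLE_RULES, "203.0.113.5", dport=22, link=True))
    print("catch-all removed, admin ssh    ", verdict(SAMPLE_RULES, "203.0.113.5", dport=22,
                                                      link=True, strip_catch_all=True))
```

The four calls at the bottom reproduce the thread's situation in order: with the rules as posted the crawler's packet reaches the INPUT policy and is accepted; once `baidu` is referenced from INPUT the 180.76.0.0/16 rule drops it; but the trailing catch-all then also drops an unrelated address (203.0.113.5 is a documentation address used as a stand-in for the admin's own) on port 22, and only after that rule is removed does the listing do what the original poster intended.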