Ubuntu – Block range of IP Addresses

hackingipip addressiptablesUbuntu

I am getting bombarded with attempted hacks from China all with similar IPs.

How would I block the IP range with something like 116.10.191.* etc.

I am running Ubuntu Server 13.10.

The current line I am using is:

sudo /sbin/iptables -A INPUT -s 116.10.191.207 -j DROP

This only lets me block each one at a time but the hackers are changing the IPs at every attempt.

Best Answer

To block 116.10.191.* addresses:

$ sudo iptables -A INPUT -s 116.10.191.0/24 -j DROP

To block 116.10.*.* addresses:

$ sudo iptables -A INPUT -s 116.10.0.0/16 -j DROP

To block 116.*.*.* addresses:

$ sudo iptables -A INPUT -s 116.0.0.0/8 -j DROP

But be careful what you block using this method. You don't want to prevent legitmate traffic from reaching the host.

edit: as pointed out, iptables evaluates rules in sequential order. Rules higher in the ruleset are applied before rules lower in the ruleset. So if there's a rule higher in your ruleset that allows said traffic, then appending (iptables -A) the DROP rule will not produce the intended blocking result. In this case, insert (iptables -I) the rule either:

as the first rule

sudo iptables -I ...

or before the allow rule

sudo iptables --line-numbers -vnL

say that shows rule number 3 allows ssh traffic and you want to block ssh for an ip range. -I takes an argument of an integer that's the location in your ruleset you want the new rule to be inserted

iptables -I 2 ...

Related Solutions

Ssh – iptables rules to block ssh remote forwarded ports

Would it not be easier to switch off ssh forwarding on the ssh server? Just change AllowTcpForwarding from yes to no in your /etc/ssh/sshd_config. If this doesn't suit, you could try something along the lines of

iptables -A OUTPUT -o eth1 -p tcp --cmd-owner "sshd" -j DROP

Ubuntu Server attack? how to solve

Frankly, why bother? Most servers get hundreds of scans and login attempts per day. It's simply impossible to manually block them all.

Your firewall seems to be doing it's job. After all it's blocking the unwanted traffic.

Make sure you don't run any unneeded services. The fewer there is available, the fewer there is to break into.

To secure SSH: Make sure you configure SSH to deny login by root. Verify that the passwords of all SSH accounts are strong. Denyhosts will automatically block IP's after a few failed login attempts (very useful), but make sure you whitelist your own IP range or you'll risk being locked out yourself. Also very effective is to run SSH on a different port, since most attacks only try port 22.

I would only take action when it's affecting your services or bandwidth. Check whois for the owner of the netblock from which the traffic is coming, and provide a clear and friendly complaint to the owner's Abuse address. If they don't reply in a reasonable time, go to their ISP, etc.

Best Answer

Related Solutions

Ssh – iptables rules to block ssh remote forwarded ports

Ubuntu Server attack? how to solve

Related Topic