Hi,
I've got a machine that's been hacked twice in the past week from IP ranges in China.
I have it behind a Mikrotik router.
There is no reason for anything outside of NZ and AU to be looking at this box so I'm keen to just block the rest of the world from it.
I'm currently thinking an address list to just block out the world or an address list to include Au and Nz.
Keen for ideas.
D
-- Don Gould 31 Acheson Ave Mairehau Christchurch, New Zealand Ph: + 64 3 348 7235 Mobile: + 64 21 114 0699 Ph: +61 3 9111 1821 (Melb)
I'M COLLECTING COFFEE CUPS FOR PROJECT COFFEE CUP.
Deja vue (missing the French accent mark) - literally means already seen, that sense of haven't we been here before.
http://lmgtfy.com/?q=how+to+block+china
229 Million results. Pretty sure this has been done before.
As with all block-by-IP-range solutions, consider the issues around:
- Keeping the blocklist current
- IP allocations change
- False Positives.
Or you could simply do your best to keep the system 'unhackable'. Run secure (patched and current) software, with only externally reachable services listening, and other ports/protocols blocked, etc etc. Not all Internet users in China are malicious. Not all malicious Internet users are in China either.
Mark.
On 8/12/2013 11:22 a.m., Don Gould wrote:
Hi,
I've got a machine that's been hacked twice in the past week from IP ranges in China.
I have it behind a Mikrotik router.
There is no reason for anything outside of NZ and AU to be looking at this box so I'm keen to just block the rest of the world from it.
I'm currently thinking an address list to just block out the world or an address list to include Au and Nz.
Keen for ideas.
D
Also, consider some "trip wire/auto banning" type software; if this is a Linux box, look at fail2ban. You will be able to find a Windows alt if this is a Windows box.
On 8/12/2013 11:53, Mark Foster wrote:
http://lmgtfy.com/?q=how+to+block+china
229 Million results. Pretty sure this has been done before.
As with all block-by-IP-range solutions, consider the issues around:
- Keeping the blocklist current
- IP allocations change
- False Positives.
Or you could simply do your best to keep the system 'unhackable'. Run secure (patched and current) software, with only externally reachable services listening, and other ports/protocols blocked, etc etc. Not all Internet users in China are malicious. Not all malicious Internet users are in China either.
Mark.
On 8/12/2013 11:22 a.m., Don Gould wrote:
Hi,
I've got a machine that's been hacked twice in the past week from IP ranges in China.
I have it behind a Mikrotik router.
There is no reason for anything outside of NZ and AU to be looking at this box so I'm keen to just block the rest of the world from it.
I'm currently thinking an address list to just block out the world or an address list to include Au and Nz.
Keen for ideas.
D
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
On 8/12/2013 11:59 a.m., Pieter De Wit wrote:
Also, consider some "trip wire/auto banning" type software; if this is a Linux box, look at fail2ban. You will be able to find a Windows alt if this is a Windows box.
Agreed. If someone can recommend a good Windows alt, that would be helpful.
Beer.
D
-- Don Gould 31 Acheson Ave Mairehau Christchurch, New Zealand Ph: + 64 3 348 7235 Mobile: + 64 21 114 0699 Ph: +61 3 9111 1821 (Melb)
I'M COLLECTING COFFEE CUPS FOR PROJECT COFFEE CUP.
Deja vue (missing the French accent mark) - literally means already seen, that sense of haven't we been here before.
On 8/12/2013 11:53 a.m., Mark Foster wrote:
http://lmgtfy.com/?q=how+to+block+china
229 Million results. Pretty sure this has been done before.
Was done before posting.
As with all block-by-IP-range solutions, consider the issues around:
- Keeping the blocklist current
- IP allocations change
- False Positives.
Or you could simply do your best to keep the system 'unhackable'.
Agreed.
Run secure (patched and current) software, with only externally reachable services listening, and other ports/protocols blocked, etc etc.
Machine was set up in too much of a hurry for a project that was delayed and now we're playing catch up... damn it!
Not all Internet users in China are malicious. Not all malicious Internet users are in China either.
Agreed. Hence the shout for help. This machine is for a little project that's of no concern to the world. Like you Mark, I'm not keen on blocking off bits of the world. The hits came from China based IPs, but I make no assumption at all that it has anything to do at all with people from that part of the world. I actually think it was a "friendly" just pointing out that our box needs a tidy up, our firewall needs a tidy up and a little hint to just get on with it :)
That in mind, we're sorting it out as quickly as we can while also giving a heads up to the community that we're on it but also getting a bit of stick and under a bit of pressure.
D
-- Don Gould 31 Acheson Ave Mairehau Christchurch, New Zealand Ph: + 64 3 348 7235 Mobile: + 64 21 114 0699 Ph: +61 3 9111 1821 (Melb)
I'M COLLECTING COFFEE CUPS FOR PROJECT COFFEE CUP.
Deja vue (missing the French accent mark) - literally means already seen, that sense of haven't we been here before.
I've actually done this before. Back 3 or 4 years ago, probably as a
repercussion of the great firewall of China, all Chinese traffic seemed to
always have one ASN in common. We used to have a regular DDoS against a
server, and the DDoS always originated from China. I'm guessing it was a
botnet that was comprised of hosts infected by something that was only
available in China or to people that read/write Chinese.
Either way, if you can get a full BGP feed, back then it was trivial to
script an ACL that blocked all China IPs. Alternatively the public FTP
servers that APNIC offer may allow you to do the same. I've parsed their
public information with a bit of awk before to make lists of IPs for
individual countries. I also considered doing something using Quagga and
communities but never got around to it.
Eventually the DDoSes eased and we stopped blocking Chinese IPs to this
server.
YMMV etc.
Cheers
Dave
On Sun, Dec 8, 2013 at 11:22 AM, Don Gould
Hi,
I've got a machine that's been hacked twice in the past week from IP ranges in China.
I have it behind a Mikrotik router.
There is no reason for anything outside of NZ and AU to be looking at this box so I'm keen to just block the rest of the world from it.
I'm currently thinking an address list to just block out the world or an address list to include Au and Nz.
Keen for ideas.
D
-- Don Gould 31 Acheson Ave Mairehau Christchurch, New Zealand Ph: + 64 3 348 7235 Mobile: + 64 21 114 0699 Ph: +61 3 9111 1821 (Melb)
I'M COLLECTING COFFEE CUPS FOR PROJECT COFFEE CUP.
Deja vue (missing the French accent mark) - literally means already seen, that sense of haven't we been here before.
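As an added illustration of the approach Dave describes (parsing APNIC's public per-country delegation data) applied to Don's allow-only-NZ-and-AU idea, the following is example code written for this thread, not code from any poster. It assumes the standard pipe-separated RIR delegated-stats format (registry|cc|type|start|value|date|status) and RouterOS `/ip firewall address-list add` syntax; the input lines are constructed samples, not real allocations.

```python
"""Build per-country IPv4 allow lists from an APNIC delegated-stats file."""
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample in delegated-apnic-latest format (version header, summary
# row, then records). The 768-address NZ record shows a non-power-of-two count.
SAMPLE_DELEGATED = """\
2|apnic|20131208|5|19830613|20131207|+1000
apnic|*|ipv4|*|3|summary
apnic|NZ|ipv4|14.1.32.0|8192|20110119|allocated
apnic|AU|ipv4|1.0.0.0|256|20110811|assigned
apnic|AU|ipv4|1.0.4.0|1024|20110811|allocated
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|NZ|ipv4|27.252.0.0|65536|20100602|allocated
apnic|NZ|ipv4|101.98.0.0|768|20100602|allocated
apnic|NZ|ipv6|2001:df0::|48|20110119|allocated
apnic|NZ|asn|4768|1|19930101|allocated
"""


def parse_delegated(text: str, countries: Iterable[str]) -> Dict[str, List[str]]:
    """Return {cc: [cidr, ...]} for the IPv4 records of the requested countries."""
    wanted = {c.upper() for c in countries}
    out: Dict[str, List[str]] = {c: [] for c in wanted}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # Version header and summary rows lack a 7-field ipv4 record shape.
        if len(fields) < 7 or fields[2] != "ipv4" or fields[1] not in wanted:
            continue
        start = ipaddress.IPv4Address(fields[3])
        count = int(fields[4])  # number of addresses, not a prefix length
        end = ipaddress.IPv4Address(int(start) + count - 1)
        # Counts need not be powers of two: summarize into the minimal CIDR set.
        for net in ipaddress.summarize_address_range(start, end):
            out[fields[1]].append(str(net))
    return out


def routeros_address_list(nets: Dict[str, List[str]], list_name: str = "allow-anz") -> List[str]:
    """Emit RouterOS commands that populate one address list (syntax assumed from RouterOS docs)."""
    return [
        f"/ip firewall address-list add list={list_name} address={net} comment={cc}"
        for cc in sorted(nets)
        for net in nets[cc]
    ]


if __name__ == "__main__":
    print("\n".join(routeros_address_list(parse_delegated(SAMPLE_DELEGATED, ["NZ", "AU"]))))
```

The resulting list is only as current as the delegated file it was built from, so regenerate it on a schedule rather than loading it once; it also encodes registry allocation, not physical location, which is the inexactness Roland and Mark point out.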
Hi All,
Machine is a Windows box.
Answer some questions:
- yes, RDP was a problem
- yes, totally my fault, just hadn't got anything that should be done, actually done.
I've had some great suggestions from a bunch of people. Thanks to the folk who've helped clean this up this afternoon.
Just FYI for those who are interested.... we set this box up quickly just to get a PoC sorted for some stakeholders to gain a bit of confidence that we could do what we said... I really didn't expect that the box would get found quite so fast and then hammered.
Clearly you can't even put a quick and dirty box in place to just prove a concept without having to bolt it down.
D
On 8/12/2013 11:22 a.m., Don Gould wrote:
Hi,
I've got a machine that's been hacked twice in the past week from IP ranges in China.
I have it behind a Mikrotik router.
There is no reason for anything outside of NZ and AU to be looking at this box so I'm keen to just block the rest of the world from it.
I'm currently thinking an address list to just block out the world or an address list to include Au and Nz.
Keen for ideas.
D
-- Don Gould 31 Acheson Ave Mairehau Christchurch, New Zealand Ph: + 64 3 348 7235 Mobile: + 64 21 114 0699 Ph: +61 3 9111 1821 (Melb)
I'M COLLECTING COFFEE CUPS FOR PROJECT COFFEE CUP.
Deja vue (missing the French accent mark) - literally means already seen, that sense of haven't we been here before.
On Dec 8, 2013, at 8:46 AM, Don Gould
Clearly you can't even put a quick and dirty box in place to just prove a concept without having to bolt it down.
Correct - it simply isn't viable to expose an unpatched/unsecured box to the Internet at all, due to all the automated scanning/hacking activities taking place.
+1 to the other folks who recommended more workable solutions - 'GeoIP' isn't exact at all, and not all bad nodes (of any nationality) are in China.
-----------------------------------------------------------------------
Roland Dobbins