4

We have a server that consistently gets pounded by people trying to break in. We have DenyHosts and Fail2Ban running on the server but it still gets a ton of traffic from people who are up to no good. My boss is finally tired of it, he went to http://ipinfodb.com/ip_country_block.php and created a list of ip ranges that he wants to block from the server. The thing is it is a list just over 13,000 ips.

What is the best way to block these ips? I could write a script to loop through the list and add them to iptables but this seems like a bad idea. I can paste the list into DenyHosts but I am not sure what the performance hit on this would be. Would there be a better alternative than either of these?

Is there anyone out there that can give me some advice on this?

  • 1
    Is it possible to solve this the other way around? Block everything, then whitelist IPs? – Bonsi Scott Dec 03 '12 at 17:46
  • For IOS, there are configs out there that include blocks for africa, and prob other problem sources.... – Jonesome Reinstate Monica Dec 03 '12 at 17:58
  • What service is being attacked? If it's SSH just change port number to some random one (this will get rid of 99% hacking attempts), if it's WWW you might consider using a secure authentication method (no, Basic Authentication is not secure), for FTP you might consider enforcing SSL/TLS authentication (this will also get rid of 99% hacking attempts). If you need to block so many IP addresses then maybe it'd be better to whitelist trusted IPs and block everything else. – FINESEC Dec 03 '12 at 22:27
  • I wish it was just SSH. It has been an ongoing struggle on this server to keep it secure. –  Dec 04 '12 at 17:19

1 Answer

2

Use ipset to create a set of IP ranges (with a script probably) and then use --match-set in the iptables rule. This way matching will be pretty efficient because ipsets are hashed.

Eugene
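One way to implement the ipset approach from the answer, as an added example (not Eugene's code or anything from the original page): it turns a text file of CIDR ranges into an `ipset restore` script and hooks the set into iptables with a single rule. Assumptions: ipset and iptables are installed, applying requires root, the range list has one CIDR per line (the question's list is assumed to be exported that way), and the set name `blocklist` is a placeholder.

```shell
#!/bin/sh
# Added example: load a large CIDR list into one ipset and match it from
# a single iptables rule, instead of one iptables rule per range.
# Assumptions: ipset/iptables present; root needed for apply_blocklist;
# input file has one CIDR per line; set name "blocklist" is a placeholder.

SET_NAME="${SET_NAME:-blocklist}"

# Emit ipset-restore commands for every CIDR in the given file.
# hash:net stores ranges; maxelem is sized for the ~13,000 entries in the
# question. Empty lines, comments and malformed entries are skipped so a
# stray line cannot abort the whole restore; duplicates are collapsed.
build_ipset_restore() {
    file="$1"
    printf 'create %s hash:net family inet hashsize 16384 maxelem 65536 -exist\n' "$SET_NAME"
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' "$file" |
        sort -u |
        while IFS= read -r net; do
            printf 'add %s %s -exist\n' "$SET_NAME" "$net"
        done
}

# Count the usable entries in a range file (sanity check before applying).
count_entries() {
    build_ipset_restore "$1" | grep -c '^add '
}

# Load the set in one shot and insert a single DROP rule that consults it.
# Lookup cost stays constant no matter how many ranges the set holds.
apply_blocklist() {
    build_ipset_restore "$1" | ipset restore
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
        iptables -I INPUT 1 -m set --match-set "$SET_NAME" src -j DROP
}

# Constructed sample input (documentation ranges, not real attacker sources):
# two ranges, a duplicate, a comment and a malformed line.
make_sample_file() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample' '198.51.100.0/24' '203.0.113.0/24' \
        '203.0.113.0/24' 'not-an-ip' > "$f"
    printf '%s' "$f"
}

# Usage (as root): apply_blocklist /path/to/ranges.txt
```

Check the set afterwards with `ipset list blocklist | head` and `iptables -L INPUT -n --line-numbers`; the rule should appear once, at the top of INPUT.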