
I found this handy script online, and would like to modify it to only block SSH access, but I don't know anything about iptables and I'm afraid I'll kill my system as I have no physical access to it.

http://ipinfodb.com/ip_country_block_iptables.php

What should I change to only drop port 22, please?

I know hackers can use proxies etc. and this won't be my only security. The reason for this is only to reduce the number of fail2ban emails I get about automated attacks from China :)

Thanks Maciej

Maciej Swic

2 Answers


You need the equivalent to this in your distro:

$ apt-cache show xtables-addons-common
Package: xtables-addons-common
Description-en: Extensions targets and matches for iptables [tools, libs]
 Xtables-addons provides extra modules for iptables not present in the
 kernel, and is the successor of patch-o-matic.
 Extensions includes new targets like TEE, TARPIT, CHAOS, or modules like
 geoip and account.

You are interested in the geoip module. Then add some rules to your iptables.

Check the 4th point in the HOWTO.

A simple walkthrough of the example rules:

# iptables -A INPUT -m geoip --src-cc A1,A2 -j DROP

The above command adds a rule in the INPUT chain that uses the geoip module to match connections originating from a specific country, identified by its ISO 3661 code. In this case, A1 and A2 represent:

 A1 => "Anonymous Proxy",
 A2 => "Satellite Provider",

This command uses the negation (!) to invert the match, resulting in all traffic not originating from the specified country (CA, in this case) being dropped:

# iptables -A INPUT -m geoip ! --src-cc CA -j DROP

The last example shows you how to create a custom chain in order to analyze traffic to your sshd server:

# iptables -N SSH_GEOIP
# iptables -A SSH_GEOIP -m geoip --src-cc CA
# iptables -A SSH_GEOIP -m geoip --src-cc DE
# iptables -A SSH_GEOIP -m geoip --src-cc US
# iptables -A SSH_GEOIP -m geoip --src-cc JP
# iptables -A SSH_GEOIP -m geoip --src-cc FR
# iptables -A SSH_GEOIP -m geoip ! --src-cc CA,DE,US,JP,FR
# iptables -A INPUT -p tcp --dport 22 -j SSH_GEOIP 
dawud
  • Thanks, I have the binary database and the package installed but don't really understand the commands. What do I really need to do to drop port 22 from a given country? Also I use UFW for other stuff, if that matters. – Maciej Swic Jun 01 '13 at 10:27
  • Be very careful; in my experience it is not very reliable. It also puts a tremendous amount of workload on the firewall. You may need to wait for hours during reboot. – user2366317 Jun 01 '13 at 11:12
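For the question as actually asked (drop new SSH connections from a list of countries without locking yourself out of a box you cannot reach physically), the following is an added example and not code from the answer above, the xtables-addons HOWTO or the project itself. It assumes the geoip match and its database are installed; the chain name SSH_GEOIP is taken from the answer, while the admin address 203.0.113.5 and the country list CN,RU are constructed sample values. Note that the answer's SSH_GEOIP rules carry no `-j` target, so as written they only count matching packets (see `iptables -L SSH_GEOIP -v -n`); a DROP target is what actually blocks, and the order of the rules in front of it is what keeps your own session alive.

```shell
#!/bin/sh
# Added example (not from the answer or the xtables-addons HOWTO):
# generate, in a safe order, the iptables commands that drop NEW SSH
# connections from the given countries with the geoip match, while an
# admin address and already-established sessions are never dropped.
# Admin address and country list below are constructed sample values.

# valid_cc_list LIST -> 0 if LIST is comma-separated two-letter uppercase codes
valid_cc_list() {
    printf '%s\n' "$1" | grep -Eq '^[A-Z]{2}(,[A-Z]{2})*$'
}

# ssh_geoip_rules ADMIN_CIDR CC_LIST -> prints the install commands.
# The two RETURN rules sit before the DROP rule, so the admin address and
# existing sessions are matched first and never reach the country drop.
ssh_geoip_rules() {
    admin="$1"
    cc="$2"
    valid_cc_list "$cc" || { echo "bad country list: $cc" >&2; return 1; }
    cat <<EOF
iptables -N SSH_GEOIP
iptables -A SSH_GEOIP -s $admin -j RETURN
iptables -A SSH_GEOIP -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
iptables -A SSH_GEOIP -m geoip --src-cc $cc -j DROP
iptables -I INPUT 1 -p tcp --dport 22 -j SSH_GEOIP
EOF
}

# ssh_geoip_undo -> prints the commands that remove the filter again
ssh_geoip_undo() {
    cat <<'EOF'
iptables -D INPUT -p tcp --dport 22 -j SSH_GEOIP
iptables -F SSH_GEOIP
iptables -X SSH_GEOIP
EOF
}

# Stand-alone use: ./ssh_geoip.sh 203.0.113.5/32 CN,RU prints the commands;
# APPLY=1 ./ssh_geoip.sh 203.0.113.5/32 CN,RU runs them and arms a failsafe
# that undoes everything after 10 minutes unless the timer is killed.
if [ $# -ge 2 ]; then
    rules=$(ssh_geoip_rules "$1" "$2") || exit 1
    if [ "${APPLY:-0}" = "1" ]; then
        printf '%s\n' "$rules" | sh -e
        ( sleep 600 && ssh_geoip_undo | sh ) &
        echo $! > /tmp/ssh_geoip.pid
        echo "filter applied; confirm a fresh login works, then: kill \$(cat /tmp/ssh_geoip.pid)"
    else
        printf '%s\n' "$rules"
    fi
fi
```

Print first, apply second, and only kill the failsafe timer after a fresh SSH login from outside has succeeded. Because UFW rebuilds its rule set on reload, check afterwards with `iptables -S INPUT` that the jump to SSH_GEOIP is still at the top; fail2ban inserts its own chains into INPUT as well, which is harmless here since the geoip drop happens before they are consulted.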

As an alternative, you could filter any ssh traffic by using the hosts.deny file and then allow traffic from selected countries specifically by querying a shell script in the hosts.allow file. See this tutorial: https://www.axllent.org/docs/view/ssh-geoip/

Sean
  • Please include the basics of the actions needed in your answer, because external links can (and often do) become stale. Furthermore, this is more about using 'geoip' than hosts.deny. – wazoox Sep 07 '18 at 11:03
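Since the comment above rightly asks for the substance rather than the link, here is the shape of the TCP Wrappers approach as an added example; it is not the script from the linked tutorial. It assumes sshd is built with libwrap (OpenSSH upstream removed that support in 6.7, so check `ldd` on your sshd binary or your distro's packaging first), that `/etc/hosts.deny` contains `sshd: ALL`, and that `/etc/hosts.allow` calls this helper with `sshd: ALL: aclexec /usr/local/bin/sshfilter.sh %a`, where aclexec admits the connection when the command exits 0. The country lookup goes through the legacy `geoiplookup` CLI; the countries SE,US and the addresses in the comments are constructed sample values.

```shell
#!/bin/sh
# Added example, not the linked tutorial's script: a hosts.allow aclexec
# helper that admits SSH only from selected countries. Assumed wrapper
# configuration:
#   /etc/hosts.allow:  sshd: ALL: aclexec /usr/local/bin/sshfilter.sh %a
#   /etc/hosts.deny:   sshd: ALL
# Exit 0 admits the client, anything else denies it. Sample values below.

ALLOW_COUNTRIES="${ALLOW_COUNTRIES:-SE,US}"   # constructed sample list
ALWAYS_ALLOW="${ALWAYS_ALLOW:-}"               # e.g. your own admin IP
LOGFILE="${LOGFILE:-/var/log/sshfilter.log}"

# lookup_country IP -> prints the two-letter code parsed from geoiplookup's
# "GeoIP Country Edition: XX, Name" line, or nothing if unknown/unavailable.
lookup_country() {
    geoiplookup "$1" 2>/dev/null \
        | sed -n 's/^GeoIP Country Edition: \([A-Z][A-Z]\),.*/\1/p' \
        | head -n 1
}

# is_private IP -> 0 for loopback and RFC 1918 ranges (always admitted)
is_private() {
    case "$1" in
        127.*|10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# in_list ITEM LIST -> 0 if ITEM appears in the comma-separated LIST
in_list() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# decide IP -> prints ALLOW or DENY and returns 0 (allow) / 1 (deny).
# Unknown countries are denied, so a missing or stale database fails closed;
# ALWAYS_ALLOW is the escape hatch for the admin address in that case.
decide() {
    ip="$1"
    if [ -n "$ALWAYS_ALLOW" ] && in_list "$ip" "$ALWAYS_ALLOW"; then
        echo ALLOW; return 0
    fi
    if is_private "$ip"; then
        echo ALLOW; return 0
    fi
    cc=$(lookup_country "$ip")
    if [ -n "$cc" ] && in_list "$cc" "$ALLOW_COUNTRIES"; then
        echo ALLOW; return 0
    fi
    echo DENY; return 1
}

# Entry point when called by tcpd/libwrap with the client address as $1.
if [ $# -ge 1 ]; then
    verdict=$(decide "$1"); rc=$?
    printf '%s %s %s\n' "$(date '+%F %T')" "$1" "$verdict" >> "$LOGFILE" 2>/dev/null
    exit $rc
fi
```

The wrapper check runs after the TCP handshake, so unlike the iptables geoip match it does not stop the connection attempt itself (and therefore does not silence fail2ban's log lines by itself); what it does give you is a per-connection log and a decision that can be changed without touching the firewall. Set ALWAYS_ALLOW to your own address before enabling it, because the fail-closed default denies everything the database cannot classify.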