70

I am getting bombarded with attempted hacks from China all with similar IPs.

How would I block the IP range with something like 116.10.191.* etc.?

I am running Ubuntu Server 13.10.

The current line I am using is:

sudo /sbin/iptables -A INPUT -s 116.10.191.207 -j DROP

This only lets me block each one at a time, but the hackers are changing the IPs at every attempt.

Stephen Cioffi

3 Answers

116

To block 116.10.191.* addresses:

$ sudo iptables -A INPUT -s 116.10.191.0/24 -j DROP

To block 116.10.*.* addresses:

$ sudo iptables -A INPUT -s 116.10.0.0/16 -j DROP

To block 116.*.*.* addresses:

$ sudo iptables -A INPUT -s 116.0.0.0/8 -j DROP

But be careful what you block using this method. You don't want to prevent legitimate traffic from reaching the host.

edit: as pointed out, iptables evaluates rules in sequential order. Rules higher in the ruleset are applied before rules lower in the ruleset. So if there's a rule higher in your ruleset that allows said traffic, then appending (iptables -A) the DROP rule will not produce the intended blocking result. In this case, insert (iptables -I) the rule either:

  • as the first rule

sudo iptables -I ...

  • or before the allow rule

sudo iptables --line-numbers -vnL

Say that shows rule number 3 allows ssh traffic and you want to block ssh for an IP range. -I takes an integer argument, the position in your ruleset where you want the new rule to be inserted:

sudo iptables -I INPUT 2 ...

Creek
  • Check https://www.arin.net/ and [block the entire range of Amsterdam owned ip ranges](https://whois.arin.net/rest/net/NET-37-0-0-0-1/pft?s=37.59.136.19). That place is RIPE with probing spiders - I doubt there is any legitimate traffic coming out of there. – WEBjuju Feb 07 '17 at 15:50
  • note that this may not work depending on the **order of the iptable rules**, see answer http://serverfault.com/a/507502/1 – Jeff Atwood Mar 08 '17 at 13:20
  • o snap @JeffAtwood I am honored by your comment. answer updated ;) – Creek Mar 18 '17 at 23:20
  • And how do you unblock a certain range? – bzero Feb 07 '18 at 20:48
  • I like this explanation, specially about the -I flag that makes this rule precedence over the other rules before it. Any chance you could share this with firewalld-cmd command? – gstlouis Oct 01 '20 at 16:20
  • @bzero - you can delete a rule from iptables with the -D action. Here's one example invocation (to delete an existing rule): `sudo iptables -D INPUT -s 116.0.0.0/8 -j DROP`. You may also create rules before the DROP instruction to `-j ACCEPT`. Let's say you are already blocking all of 116.0.0.0/8 but you want to allow 166.1.0.0/8: `sudo iptables -I INPUT -s 116.1.0.0/16 -j ACCEPT` – Mark Sep 15 '21 at 21:08
11

sudo /sbin/iptables -A INPUT -s 116.10.191.0/24 -j DROP

This blocks the range. You can expand the subnet as needed with the same general format.

Nathan C
  • Will this work on the entire 4th set range? Like, is the 0/24 only 0-24? I tried for example 500 but it didn't work. Will 0/24 cover all those other numbers in the 100s and 200s? – Stephen Cioffi Apr 29 '14 at 16:24
  • @Stephen It's a CIDR range. If you need to calculate it for a different range, use this: http://www.subnet-calculator.com/cidr.php – Nathan C Apr 29 '14 at 16:25
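Added example (Python, not code from either answer above): given a handful of addresses seen in the logs, it computes the smallest CIDR block that covers them all, which is what the /24, /16 and /8 forms in the first answer express and why 0/24 means hosts 0-255 rather than 0-24, and it simulates iptables' top-down, first-match evaluation to show why a DROP appended behind an existing ACCEPT never fires. The sample addresses are constructed; only the 116.10.191.x prefix comes from the question.

```python
import ipaddress

# Constructed sample: attacker addresses as they might appear in auth.log.
# Only the 116.10.191.x prefix comes from the question; the hosts are made up.
OBSERVED = ["116.10.191.207", "116.10.191.168", "116.10.191.3", "116.10.191.250"]


def smallest_covering_network(ips):
    """Smallest IPv4 CIDR block containing every address in ips.
    The prefix length is the number of leading bits all addresses share:
    /24 fixes the first three octets, so 116.10.191.0/24 spans
    116.10.191.0 - 116.10.191.255 (the 24 is not a host range 0-24).
    """
    addrs = [int(ipaddress.IPv4Address(ip)) for ip in ips]
    lo, hi = min(addrs), max(addrs)
    prefix = 32
    # Shorten the prefix until the lowest and highest address share it.
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    network = lo & (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((network, prefix))


def first_match(rules, ip):
    """Simulate iptables: walk the chain top-down, the first matching rule wins.
    rules is an ordered list of (source_cidr, target) as `iptables -vnL` would
    list them; returns the target, or "policy" if no rule matched.
    """
    addr = ipaddress.IPv4Address(ip)
    for cidr, target in rules:
        if addr in ipaddress.IPv4Network(cidr):
            return target
    return "policy"


def drop_rule(network, position=None):
    """Render the DROP rule: -A appends, -I <n> inserts at position n."""
    if position is None:
        return f"sudo iptables -A INPUT -s {network} -j DROP"
    return f"sudo iptables -I INPUT {position} -s {network} -j DROP"


if __name__ == "__main__":
    net = smallest_covering_network(OBSERVED)
    print(f"{net} covers {net.num_addresses} addresses")
    chain = [("0.0.0.0/0", "ACCEPT")]  # an accept-all rule already at the top
    print("appended:", first_match(chain + [(str(net), "DROP")], OBSERVED[0]))
    print("inserted:", first_match([(str(net), "DROP")] + chain, OBSERVED[0]))
    print(drop_rule(net, position=1))
```

Widen the block only as far as the observed addresses require: every shorter prefix doubles the number of addresses, including legitimate ones, that the rule silently drops.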
4

As an alternative approach you could use something as simple as fail2ban. It institutes a timeout for successive failed login attempts and makes brute-forcing infeasible since they only get a few chances per timeout. I set my timeout length to 30 minutes. By the time they're an hour or two in, they realize they won't be able to make any headway and give up.

Esa Jokinen
temet
  • Also, blocking whole countries may inhibit authorized use. – Esa Jokinen Mar 14 '15 at 21:14
  • I realize this thread is over a year old, but I wanted to let people know something. I have fail2ban installed and running, but I also regularly check my server logs. There's this IP range `89.248.x.x` that keeps trying different email logins roughly an hour after the last attempt, throughout the day. Apparently keeping the `findtime` in fail2ban at 30 mins is no longer enough to keep every nasty script kiddie out. – Tanzeel Kazi Jul 04 '16 at 03:32