How do I block a host by ASN? Example - AS16276

8

5

There are a handful of especially toxic hosts out there. There is no reason we need to allow any of their IPs access to our servers. Is there a way we can block them using their ASN or other global identifier? I would prefer to do this in .htaccess for app/server portability, but APF is fine too.

An example would be blocking the following hosts. Over 50% of their IPs are on blacklists already, or they operate proxy exit points for companies like PacketFlip:

  • AS4134 - ChinaNet
  • AS9808 - Guangdong Mobile Com
  • AS16276 - OVH SAS
  • AS15003 - Nobis Tech Group
  • AS36352 - ColoCrossing
  • AS29761 - QuadraNet
  • AS15895 - Kyivstar PJSC
  • AS50915 - S.C. Everhost S.R.L.
  • AS53889 - Micfo
  • AS57858 - Fiber Grid OU

dhaupin

Posted 2014-09-12T14:46:43.930

Reputation: 343

Answers

9

You can use https://www.enjen.net/asn-blocklist/

An example, e.g. ColoCrossing: https://www.enjen.net/asn-blocklist/index.php?asn=AS36352&type=htaccess

If you need to download it to a server and don't want HTML, then add &api=1 to the end of the link.

Mun

Posted 2014-09-12T14:46:43.930

Reputation: 106

Welcome to SuperUser.SE. In your response, it would be better if you could provide some information about the web sites in case they change their address. – LDC3 – 2014-10-06T04:46:34.990

What do you mean? – Mun – 2014-10-08T04:05:17.893

Sometimes the websites change their address, so the links you post will not work. If you describe what the links go to, then when a link gets broken, some people may be able to find it by doing a web search. – LDC3 – 2014-10-08T04:14:03.630

Pretty simple: search "asn-blocklist" on Google. It shouldn't change address though. – Mun – 2014-10-08T04:22:36.537

@Mun Thanks, that is exactly what I needed, esp. with the API capability. @LDC3 the link is a blacklist creator from ASN. It makes various paste-friendly lists of IPs to make the complete ASN package. I guess a Google search would be something like "ASN htaccess block maker"... – dhaupin – 2014-12-16T00:04:58.140

5

Check out mod_asn:

mod_asn is an Apache module that uses BGP routing data to look up the autonomous system (AS) and the network prefix (subnet) which contains a given (client's) IP address.

mod_asn is usable as a standalone module, and the lookup result can be used by scripts or other Apache modules. For instance, a download redirector could base its decisions on the lookup result provided by mod_asn.

I don't have any direct experience with this, but it sounds promising.

Someone with direct experience with this module should feel free to edit this answer to add relevant specific details.

Additionally, you can talk with your network administrator to have these ASNs blocked or ignored at the router; then you don't have to make this an application configuration problem. A (major?) drawback to the mod_asn approach is that it doesn't stop naughty IP addresses from trying to attack other services on your host or network; it will only drop HTTP/HTTPS requests to the configured Apache servers.

webmarc

Posted 2014-09-12T14:46:43.930

Reputation: 831

Would they ignore them at the router by IP or something else? And thanks, I've never heard of that one, it looks pretty cool. I'll hold off marking answered for now just in case others have thoughts too. Any mod_asn users got tips? – dhaupin – 2014-09-12T23:24:13.560

By ASN; the routers speak BGP and know how to filter by ASN. – webmarc – 2014-09-13T19:01:05.817

0

So, in regard to this statement (CSF), I wanted to clarify a few things. You can automate with asn-blocklist. All you need to do is add '&api=1' to the end of your URL. For example: https://www.enjen.net/asn-blocklist/index.php?asn=AS36352&type=nginx&api=1

This will download a raw version of the file without any HTML. All you need to do after that is automate it with a simple bash script using wget, copying over the old file, and reloading your program (nginx).

#!/bin/bash
# Abort on the first error so a failed download never replaces a working config.
set -euo pipefail

# Use a private temporary directory instead of a fixed, predictable /tmp path.
ASN_DIR=$(mktemp -d /tmp/asn.XXXXXX)
trap 'rm -rf "$ASN_DIR"' EXIT
cd "$ASN_DIR"

# api=1 returns the raw list; --content-disposition keeps the server-supplied filename.
wget --content-disposition "https://www.enjen.net/asn-blocklist/index.php?asn=AS36352&type=nginx&api=1"
wget --content-disposition "https://www.enjen.net/asn-blocklist/index.php?asn=AS133165&type=nginx&api=1"
## Repeat wget here for all the ASNs you want.

# Install the new lists over the old ones, test the config, then reload.
cp "$ASN_DIR"/* /etc/nginx/conf.d/
nginx -t
service nginx reload

echo done...

In effect, you can quickly keep your blocklist(s) up to date without manually importing the blocklist(s).

Beyond that, it is simply a matter of understanding your use case / platform to adapt the script to your personal needs.

Mun

Posted 2014-09-12T14:46:43.930

Reputation: 1

1

This is really a comment and not an answer to the original question. To critique or request clarification from an author, leave a comment below their post - you can always comment on your own posts, and once you have sufficient reputation you will be able to comment on any post. Please read Why do I need 50 reputation to comment? What can I do instead?

– DavidPostill – 2016-09-06T21:26:56.173
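Mun's script copies whatever the download returns straight into /etc/nginx/conf.d and reloads nginx. The check below is an added example (not part of either answer) that refuses to install a file unless every line is a plain `deny <IPv4>[/<prefix>];` directive; it assumes the type=nginx output consists of such deny lines, which the page does not show.

```shell
#!/bin/sh
# Added example, not from the original answers: check a downloaded nginx ASN
# deny list before it is copied into /etc/nginx/conf.d and nginx is reloaded.
# The downloaded file is third-party content that becomes live nginx config,
# so only plain "deny <IPv4>[/<prefix>];" lines are accepted; an HTML error
# page, a tampered file or any other directive fails the check. It assumes
# the type=nginx output is made of such deny lines (an assumption).

# Returns 0 if every non-blank, non-comment line is "deny a.b.c.d[/n];"
# with a syntactically valid IPv4 address and prefix, else 1.
validate_nginx_denylist() {
    file="$1"
    [ -s "$file" ] || return 1          # missing or empty download is rejected
    octet='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
    cidr="$octet\\.$octet\\.$octet\\.$octet(/(3[0-2]|[12]?[0-9]))?"
    # grep -v selects the lines that are NOT blank/comment/valid deny;
    # if it finds any, the file is not safe to install.
    if grep -Ev "^[[:space:]]*(#.*)?$|^[[:space:]]*deny[[:space:]]+$cidr;[[:space:]]*$" "$file" >/dev/null; then
        return 1
    fi
    return 0
}

# Number of deny directives in a list (for reporting after a successful check).
count_denies() {
    grep -Ec '^[[:space:]]*deny[[:space:]]' "$1"
}

# Constructed sample of a well-formed list (documentation-range addresses).
good_list=$(mktemp)
cat >"$good_list" <<'EOF'
# AS36352 (constructed sample, not real routes)
deny 192.0.2.0/24;
deny 198.51.100.0/22;
deny 203.0.113.7;
EOF

# Constructed sample of what a failed download may look like: must be rejected.
bad_list=$(mktemp)
cat >"$bad_list" <<'EOF'
<html><body>Service unavailable</body></html>
deny 192.0.2.0/24;
EOF

if validate_nginx_denylist "$good_list"; then
    echo "good list accepted: $(count_denies "$good_list") deny rules"
fi
validate_nginx_denylist "$bad_list" || echo "bad list rejected, not installed"
rm -f "$good_list" "$bad_list"
```

Run it between the wget and cp steps of the script above, and only copy a list into conf.d when the function returns 0.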

-1

OK, although Mun's answer is spot on for finding ASNs, it relies on static checks/updates and then pasting into deny lists/firewalls. I have been using APF for too long. Looking through configs, I realized that the CSF firewall has an option to block via ASN and/or country code (ISO). It queries the MaxMind GeoIP database. Here is the description from /etc/csf/csf.conf:

SECTION:Country Code Lists and Settings

Country Code to CIDR allow/deny. In the following two options you can allow or deny whole country CIDR ranges. The CIDR blocks are generated from the Maxmind GeoLite Country database http://www.maxmind.com/app/geolitecountry and entirely relies on that service being available

Specify the two-letter ISO Country Code(s). The iptables rules are for incoming connections only

Additionally, ASN numbers can also be added to the comma separated lists below that also list Country Codes. The same WARNINGS for Country Codes apply to the use of ASNs. More about Autonomous System Numbers (ASN): http://www.iana.org/assignments/as-numbers/as-numbers.xhtml

You should consider using LF_IPSET when using any of the following options

WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use non-geographic IP address designations for their clients

WARNING: Some of the CIDR lists are huge and each one requires a rule within the incoming iptables chain. This can result in significant performance overheads and could render the server inaccessible in some circumstances. For this reason (amongst others) we do not recommend using these options

WARNING: Due to the resource constraints on VPS servers this feature should not be used on such systems unless you choose very small CC zones

WARNING: CC_ALLOW allows access through all ports in the firewall. For this reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is preferred

Each option is a comma separated list of CC's, e.g. "US,GB,DE"

The conf options in question are these:

CC_DENY=""

CC_ALLOW=""

And there are more specific filters below it in the conf file to further groom blockage.

dhaupin

Posted 2014-09-12T14:46:43.930

Reputation: 343