Geekzone: technology news, blogs, forums
98 posts

Master Geek
+1 received by user: 5


# 208851 2-Mar-2017 10:28

Hi

 

I have begun setting up a bit more security, and one of the tools I am using is Fail2Ban (https://www.fail2ban.org/wiki/index.php/Main_Page) and am using it to set up IPs to block at the router. One of the things I do is get an email with a whois for the IP when it gets blocked, and it is pretty obvious after only a couple of days that 90%+ of the attempts come from 2 places, Russia/Ukraine and China, with the majority from China. It's at the point that for every 10 attempts 8 would be China, one from either Russia/Ukraine and a 10th from a random country in the world, although in that last 10% about half would be India or Korea.

 

At the moment I am only monitoring ssh attempts, not mail or http etc, but since the site is not live or even advertised these are I guess random attacks and I imagine the volume will increase.

 

So if I could reliably block China and the old USSR countries 90% of my attackers would be stopped before they even get picked up by Fail2Ban.

 

Does anyone have any experience doing this sort of thing, how complex is it, how reliable is it? I should point out that I can only afford free options in terms of price. So free data sources, OSS software, and I am running on a Linux server and a Mikrotik router.

 

cheers,


BDFL - Memuneh
63563 posts

Uber Geek
+1 received by user: 14052

Administrator
Trusted
Geekzone
Lifetime subscriber

3344 posts

Uber Geek
+1 received by user: 1089

Trusted
Vocus

  # 1728797 2-Mar-2017 10:56

IP address blocks per country are *fairly* static, at least close enough for these purposes.

 

I would just generate a list of the offending country(ies) IP address blocks from some online service and use that either on the Mikrotik or IPTables.

 

Here is one such service: http://www.ip2location.com/free/visitor-blocker

 

For SSH another good idea is to move it to some high port (>10000) as it will greatly reduce the number of attempts against it.  And make sure you are using key-based auth instead of password.
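Generating the block list this reply describes, as an added example (not code from the posters, ip2location, or Mikrotik): it reads a CIDR-per-line export of the kind the free country lists provide, deduplicates and merges adjacent blocks, and emits RouterOS address-list lines plus the drop rules, with equivalent iptables rules for a Linux host. The CIDR list is constructed for the example; the list name geo-block and the choice of chains are assumptions.

```python
"""Build router block rules from a country CIDR export.

Added example for this thread, not code from the posters, ip2location or
Mikrotik.  Assumes the export is one CIDR per line and that the target is a
RouterOS address-list or plain iptables rules.
"""
import ipaddress

# Constructed sample export: NOT real country allocations.
SAMPLE_CIDR_LIST = """
# sample export, one block per line
1.0.1.0/24
1.0.2.0/23
1.0.8.0/21
1.0.8.0/21        # duplicate entry, exports often contain these
1.0.32.0/19
1.1.0.0/24
1.1.1.0/24        # adjacent to the line above, merges into 1.1.0.0/23
not-an-address    # malformed line, must not abort the whole import
"""


def parse_cidrs(text):
    """Parse a CIDR-per-line export into IPv4 networks, skipping comments and junk."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # skip malformed lines rather than failing the import
        if net.version == 4:  # the rules below are IPv4-only
            nets.append(net)
    return nets


def collapse(nets):
    """Drop duplicates and merge adjacent blocks so the router holds fewer entries."""
    return list(ipaddress.collapse_addresses(nets))


def total_addresses(nets):
    """How many addresses the rule set covers (a sanity check before loading it)."""
    return sum(n.num_addresses for n in nets)


def routeros_commands(nets, list_name="geo-block", chains=("input", "forward")):
    """RouterOS CLI lines that populate an address-list, then drop rules per chain.

    'input' protects the router itself, 'forward' protects hosts behind it
    (assumed list name and chains, see lead-in).
    """
    lines = [f"/ip firewall address-list add list={list_name} address={n}" for n in nets]
    for chain in chains:
        lines.append(
            f"/ip firewall filter add chain={chain} src-address-list={list_name} action=drop"
        )
    return lines


def iptables_commands(nets):
    """Equivalent iptables rules for a Linux host that filters for itself."""
    return [f"iptables -A INPUT -s {n} -j DROP" for n in nets]


if __name__ == "__main__":
    blocks = collapse(parse_cidrs(SAMPLE_CIDR_LIST))
    print(f"# {len(blocks)} blocks covering {total_addresses(blocks)} addresses")
    print("\n".join(routeros_commands(blocks)))
```

The generated lines can be pasted into a RouterOS script; the count and address total printed first are worth eyeballing before loading several thousand entries, since a malformed export that parses as 0.0.0.0/0 would block everything.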


 
 
 
 


4006 posts

Uber Geek
+1 received by user: 1728

Subscriber

  # 1728825 2-Mar-2017 11:53

check out this dude...

 

http://joshaven.com/resources/tricks/mikrotik-automatically-updated-address-list/

 

came across it when searching the same. Haven't implemented any of it just due to lack of time/caring.




98 posts

Master Geek
+1 received by user: 5


  # 1728844 2-Mar-2017 11:59

freitasm: Some routers do it but you will notice that looking up IP will slow things down too...

Why would looking up IP slow down?


BDFL - Memuneh
63563 posts

Uber Geek
+1 received by user: 14052

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 1729016 2-Mar-2017 16:40

Not looking up IP because that would be dumb. But converting IP address to a LONG then checking a range, even if in memory, takes time. Good routers will do it easily but low range home appliances will struggle.






98 posts

Master Geek
+1 received by user: 5


  # 1729120 2-Mar-2017 21:07

freitasm: Not looking up IP because that would be dumb. But converting IP address to a LONG then checking a range, even if in memory, takes time. Good routers will do it easily but low range home appliances will struggle.

 

I see, so added latency to incoming traffic. Since we have a game server as the primary reason for being exposed to the world, some lag will be added.




98 posts

Master Geek
+1 received by user: 5


  # 1729130 2-Mar-2017 21:12

But I am doing that anyway: I am banning IP addresses, picking up about 2 IP addresses per hour and adding them to a list, and the router is comparing all traffic to them for dropping or not.

So at some point that individual IP list will become >= the list of IP blocks for those countries.

 

 


 
 
 
 


BDFL - Memuneh
63563 posts

Uber Geek
+1 received by user: 14052

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 1729136 2-Mar-2017 21:19

It's a balance. To convert an IP address to an integer your router will calculate like this (for 203.86.203.11):

 

First Octet: 203
Second Octet: 86
Third Octet: 203
Fourth Octet: 11

 

(first octet * 256³) + (second octet * 256²) + (third octet * 256) + (fourth octet)
= (first octet * 16777216) + (second octet * 65536) + (third octet * 256) + (fourth octet)
= (203 * 16777216) + (86 * 65536) + (203 * 256) + (11)
= 3411462923

 

Then the router will use this integer to search a database of integer ranges (countries can have multiple ranges) for a range this value fits within - this will be the country. This calculation and search take time - the database search is a "BETWEEN" not an "EQUALS".

 

The other option, adding banned IP addresses to an indexed list and searching this list, is very fast compared to the previous method. This means that whatever you do, a ban-list search will always be faster than a Geo IP block list search. It's all down to CPU cycles, whether this function is already built in, how it is implemented, etc.
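The two lookups compared in this post, as an added example (not freitasm's code and not how any router implements it): the octet arithmetic is reproduced exactly, the country table is a sorted list of integer ranges searched with a binary search (the "BETWEEN" case), the ban list is a set checked by exact match (the "EQUALS" case), and decide() runs the cheap exact match before the range search. The geo ranges, country codes and banned addresses are constructed; the country shown for 203.86.203.11 is an assumption, not a real lookup.

```python
"""Geo-range lookup versus ban-list lookup.

Added example for this thread, not freitasm's code and not how RouterOS or
any other router implements it.  The ranges and country codes below are
constructed for the example, not real allocation data.
"""
import bisect
import ipaddress

# Constructed geo table: (CIDR, country code).  Codes are illustrative only.
SAMPLE_GEO_RANGES = [
    ("1.0.1.0/24", "CN"),
    ("1.0.2.0/23", "CN"),
    ("1.0.8.0/21", "CN"),
    ("5.8.0.0/19", "RU"),
    ("14.0.0.0/21", "HK"),
    ("27.0.0.0/22", "AU"),
    ("203.86.192.0/19", "NZ"),  # assumed country for the post's example address
]


def ip_to_int(dotted):
    """Dotted quad to integer, exactly as in the post: a*256^3 + b*256^2 + c*256 + d."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 address: {dotted}")
    a, b, c, d = (int(p) for p in parts)
    if not all(0 <= x <= 255 for x in (a, b, c, d)):
        raise ValueError(f"octet out of range: {dotted}")
    return a * 16777216 + b * 65536 + c * 256 + d


class GeoTable:
    """Sorted, non-overlapping integer ranges; lookup is a binary search."""

    def __init__(self, ranges):
        rows = []
        for cidr, cc in ranges:
            net = ipaddress.ip_network(cidr)
            rows.append((int(net.network_address), int(net.broadcast_address), cc))
        rows.sort()
        # Overlapping ranges would make the bisect answer ambiguous, so reject them.
        for (_, end_a, _), (start_b, _, _) in zip(rows, rows[1:]):
            if start_b <= end_a:
                raise ValueError("overlapping ranges in geo table")
        self.rows = rows
        self.starts = [start for start, _, _ in rows]

    def lookup(self, dotted):
        """Country code for the address, or None if no range contains it."""
        n = ip_to_int(dotted)
        i = bisect.bisect_right(self.starts, n) - 1  # last range starting <= n
        if i >= 0 and n <= self.rows[i][1]:
            return self.rows[i][2]
        return None


class BanList:
    """Exact-match set of banned addresses: a constant-time membership test."""

    def __init__(self, addresses=()):
        self.banned = {ip_to_int(a) for a in addresses}

    def add(self, dotted):
        self.banned.add(ip_to_int(dotted))

    def is_banned(self, dotted):
        return ip_to_int(dotted) in self.banned


def decide(dotted, ban, table, blocked_countries):
    """Cheap exact match first; the range search only runs if that misses."""
    if ban.is_banned(dotted):
        return ("drop", "banlist")
    cc = table.lookup(dotted)
    if cc in blocked_countries:
        return ("drop", f"geo:{cc}")
    return ("accept", cc or "unknown")


if __name__ == "__main__":
    table = GeoTable(SAMPLE_GEO_RANGES)
    ban = BanList(["1.0.3.77"])
    print(ip_to_int("203.86.203.11"))  # 3411462923, matching the post
    for ip in ("203.86.203.11", "1.0.2.9", "1.0.3.77", "1.0.4.1"):
        print(ip, decide(ip, ban, table, {"CN", "RU"}))
```

With N ranges the binary search costs about log2(N) comparisons per packet (13 for a table of 5800+ blocks) against one hash probe for the ban list, which is why the exact-match list is consulted first here; a router does this in its kernel rather than in Python, but the ordering of the checks is the same.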







98 posts

Master Geek
+1 received by user: 5


  # 1729178 2-Mar-2017 22:43

It's not a built-in function, so I have a Mikrotik router and firewall rules to drop traffic from a list; on the server I run fail2ban, and it uses a script to update the list on the router. Currently I only ban for 78 days, but because the IP address is not yet advertised (as in not running a web site, not posting links in web forums to it, etc.) I guess the current attack attempts are just random dumb-luck bots trying IP addresses and not in any way a focused attempt to hack. Most are trying to log in as root or admin via ssh, so I think they are trying a dictionary attack of known router passwords to see if they get lucky.

 

Anyway, I looked at the China IP block list, 5800+ blocks, so for now I will live with just blocking those that attempt to access the server.


27876 posts

Uber Geek
+1 received by user: 7371

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 1729222 3-Mar-2017 07:31
One person supports this post

Why do you have SSH exposed to the internet in the first place? This really should be avoided.

 

 

 

 




98 posts

Master Geek
+1 received by user: 5


  # 1729228 3-Mar-2017 07:55

sbiddle: Why do you have SSH exposed to the internet in the first place? This really should be avoided.

Ahh, so simple, all I have to do is never access the server from off site. Problem solved, thank you.


27876 posts

Uber Geek
+1 received by user: 7371

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 1729236 3-Mar-2017 08:07

RobBB:
sbiddle: Why do you have SSH exposed to the internet in the first place? This really should be avoided.
Ahh, so simple, all I have to do is never access the server from off site. Problem solved, thank you.

 

 

I still don't understand why you have SSH exposed. You can easily access the server off site via VPN which is the simple way to get around not exposing SSH to the internet.

 

Exposing any ports carries risk, and the way to remove that risk is to not open it up to the entire internet. You can blacklist all you want, but at the end of the day your front door is still unlocked. A VPN locks your door and removes that risk entirely. With a Mikrotik it's literally 60 seconds to have a fully secured IPSEC VPN up and working.

 

 

 

 

 

 

 

 




98 posts

Master Geek
+1 received by user: 5


  # 1729242 3-Mar-2017 08:18

sbiddle:
RobBB:
sbiddle: Why do you have SSH exposed to the internet in the first place? This really should be avoided.
Ahh, so simple, all I have to do is never access the server from off site. Problem solved, thank you.
I still don't understand why you have SSH exposed. You can easily access the server off site via VPN which is the simple way to get around not exposing SSH to the internet.

How can you not understand? It is so simple and obvious, I am not a networking expert. If I was, I would not be asking for advice. Perhaps you could have started off with something like "Hey, ssh is not a good idea, are you aware of how easy and secure a VPN setup would be with that router?"

 

 

