Gentoo Linux -- List Archive: gentoo-security

Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647

List Archive: gentoo-security

Navigation:

Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >

Headers:

To:	gentoo-security@g.o
From:	Brian Micek <bmicek@...>
Subject:	Re: [OT?] automatically firewalling off IPs
Date:	Thu, 06 Oct 2005 17:05:08 -0400

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
  <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
  <META NAME="GENERATOR" CONTENT="GtkHTML/3.3.2">
</HEAD>
<BODY>
Attached are my scripts I generate in a cron job to block China and Korea if anyone is interested.&nbsp; I've observed the CIDRs to these countries change so it might be a good idea to have semi-recent copies. <BR>
<BR>
Brian <BR>
<BR>
On Thu, 2005-10-06 at 15:02 -0600, Kirk Hoganson wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
<FONT COLOR="#000000">Matan Peled said the following:</FONT>
<FONT COLOR="#000000">&gt; -----BEGIN PGP SIGNED MESSAGE-----</FONT>
<FONT COLOR="#000000">&gt; Hash: SHA1</FONT>
<FONT COLOR="#000000">&gt; </FONT>
<FONT COLOR="#000000">&gt; William Kenworthy wrote:</FONT>
<FONT COLOR="#000000">&gt; </FONT>
<FONT COLOR="#000000">&gt;&gt;Can anyone comment whether IP spoofing (for hiding country of origin) is</FONT>
<FONT COLOR="#000000">&gt;&gt;common?  Seems quite unlikely - at least at the current state of things.</FONT>
<FONT COLOR="#000000">&gt;&gt;Is it even possible to tell (at the firewall interface?)</FONT>
<FONT COLOR="#000000">&gt;&gt;</FONT>
<FONT COLOR="#000000">&gt;&gt;BillK</FONT>
<FONT COLOR="#000000">&gt; </FONT>
<FONT COLOR="#000000">&gt; </FONT>
<FONT COLOR="#000000">&gt; I think that for hiding country of origin by IP spoofing is quite useless, at</FONT>
<FONT COLOR="#000000">&gt; least on the Internet (It might work on a single subnet, or if you pretend to be</FONT>
<FONT COLOR="#000000">&gt; another IP in your subnet, and then switches complicate it as well...)</FONT>
<FONT COLOR="#000000">&gt; </FONT>

<FONT COLOR="#000000">I think it depends on your purpose.  It is easy to get around, but </FONT>
<FONT COLOR="#000000">blocking whole ranges based on country could help cut down on the </FONT>
<FONT COLOR="#000000">vulerability scans that can be so annoying.  Our country does no </FONT>
<FONT COLOR="#000000">business with China, yet various subnets are frequently scanned from </FONT>
<FONT COLOR="#000000">addresses originating there.  Blocking those ranges would cause most of </FONT>
<FONT COLOR="#000000">them to move on.  It is likely that you already block whole invalid </FONT>
<FONT COLOR="#000000">subnets in your firewall rules anyway.</FONT>
</PRE>
</BLOCKQUOTE>
</BODY>
</HTML>

Attachment:

block-cn.sh (application/shellscript)

Attachment:

block-kr.sh (application/shellscript)

Attachment:

undo-block-cn.sh (application/shellscript)

Attachment:

undo-block-kr.sh (application/shellscript)

Attachment:

signature.asc (This is a digitally signed message part)

References:

RE: [OT?] automatically firewalling off IPs
-- Tad Glines