
NSLU2 web server was attacked by chinese computers, use of iptables

  • reuter.rudolf
    Message 1 of 5 , Mar 2 11:04 PM
      HowTo block IP number ranges from input with iptables.
      Unfortunately kernel-module-ipt-iprange is missing in the slugOS5 feed.

      My NSLU2 web server (moinmoin Python standalone server) was yesterday
      attacked by Chinese computers (use Reverse DNS), so my web site was no
      longer available to the public. The IP numbers in the access log of
      the web server showed in most cases at "reverse DNS" that they come
      from China. So what to do?
      Google was my friend and I found under http://www.okean.com a list
      (china.txt) of IP number ranges (530) from China. Most of the
      attackers' IP numbers could be found in those number ranges. But how to
      exclude them from web server access?
      A search in the internet recommended the use of iptables. Up to now I
      have only seen how to exclude single IP numbers from access. Fortunately
      there is an extension to iptables available, "iprange" (kernel-module).
      What has to be installed:
      ipkg install iptables
      ipkg install iptables-utils
      ipkg install iptables-doc
      ipkg install kernel-module-ip-tables
      ipkg install kernel-module-ipt-iprange # missing in SlugOS5
      depmod -a
      modprobe ip_tables
      modprobe ipt_iprange
      Test:
      root@LKG95AC9E:~$ lsmod
      Module Size Used by
      ipt_iprange 832 529
      iptable_filter 1472 1
      ip_tables 9832 1 iptable_filter
      x_tables 8548 2 ipt_iprange,ip_tables

      How to define ranges in iptables, example:
      iptables -A INPUT -m iprange --src-range 58.14.0.0-58.25.255.255 -j DROP

      You can imagine that it is not very convenient to type 530 lines like
      the above. So I wrote a little Python script to do the work:
      #!/usr/bin/env python
      # use: script to setup iptables with blacklist iprange
      # 2009-03-02 iptables_blacklist.py, RR
      # reads lines like "58.14.0.0 - 58.25.255.255 China" and writes one
      # iptables iprange rule per line into a shell script

      blacklist = "china_blacklist.txt"
      blacklist_sh = "china_blacklist.sh"

      try:
          fbl = open(blacklist, 'r')
          fbls = open(blacklist_sh, 'w')
          fbls.write("#!/bin/sh\n")
          for sline in fbl:
              sline2 = sline.strip()                 # also removes the EOL
              if not sline2 or sline2.startswith("#"):  # skip blank and comment lines
                  continue
              sline2 = sline2.replace(' - ', '-')    # "a - b" -> "a-b" for --src-range
              sline2 = sline2.replace(' China', '')  # drop the trailing country label
              sline3 = "iptables -I INPUT -m iprange --src-range "
              sline3 = sline3 + sline2 + " -j DROP"
              fbls.write(sline3 + "\n")
          fbl.close()
          fbls.close()
      except IOError:
          print('File not found: ' + blacklist)

      After editing the file iptables_blacklist.py either set the execute
      bits, or call "python iptables_blacklist.py".
      Then either set the execute bits of "china_blacklist.sh", or call "sh
      china_blacklist.sh". Test it with:
      root@LKG95AC9E:~/iptables$ iptables -L
      Chain INPUT (policy ACCEPT)
      target prot opt source destination
      DROP all -- anywhere anywhere source IP
      range 222.240.0.0-222.249.249.255
      ...

      In order to save the iptables settings use "iptables-save
      >iptables.sav". After that you can restore the parameters with
      "iptables-restore iptables.sav".
      What I have not done up to now is to provide a startup script in
      /etc/init.d.

      I hope it will help people who are in the same situation as me.
      Regards, Rudolf

      p.s. Unfortunately kernel-module-ipt-iprange is missing in the slugOS5
      feed.
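The post above turns a "first - last Country" list into one iptables rule per line by string replacement, which means any stray text in the list ends up verbatim in a shell script that is later run as root, and it depends on the ipt_iprange module that the SlugOS5 feed lacks. The following is an added example, not Rudolf's iptables_blacklist.py: it validates every line (only the two dotted quads at the start of a line are used, reversed ranges and bad octets are reported and skipped), emits the same iprange rules, and can alternatively split each range into CIDR prefixes for plain "-s" rules, which need no extra match module. The sample list, the file names and the script name are constructed for this example.

```python
#!/usr/bin/env python3
# Added example (not Rudolf's iptables_blacklist.py): parse an okean-style
# range list, validate every line, and emit iptables rules. Everything
# below runs offline on the constructed sample; no file is written unless
# the script is run directly with an input and an output path.
import ipaddress
import re
import sys

# Constructed sample in the "first - last Country" shape of china.txt;
# the addresses are made up for this example and include bad lines on purpose.
SAMPLE_LIST = """\
# comment line, skipped
58.14.0.0 - 58.25.255.255 China
222.240.0.0 - 222.249.249.255 China

58.30.0.0 - 58.29.0.0 China
58.31.0.0 - 58.300.0.0 China
58.32.0.0 - 58.32.0.255 China; echo injected
"""

# Only the two dotted quads at the start of a line are ever used; whatever
# follows them never reaches the generated shell script.
RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_ranges(text):
    """Return (ranges, rejected).

    ranges:   list of (first, last) IPv4Address pairs, in file order
    rejected: list of (line_number, reason) for lines that were skipped
    """
    ranges, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment line
        m = RANGE_RE.match(line)
        if not m:
            rejected.append((lineno, "line does not start with 'a.b.c.d - a.b.c.d'"))
            continue
        try:
            first = ipaddress.IPv4Address(m.group(1))
            last = ipaddress.IPv4Address(m.group(2))
        except ipaddress.AddressValueError as exc:   # e.g. an octet above 255
            rejected.append((lineno, str(exc)))
            continue
        if last < first:
            rejected.append((lineno, "range end precedes range start"))
            continue
        ranges.append((first, last))
    return ranges, rejected


def iprange_rules(ranges, chain="INPUT"):
    """One rule per range with the iprange match (needs the ipt_iprange module)."""
    return ["iptables -I %s -m iprange --src-range %s-%s -j DROP" % (chain, first, last)
            for first, last in ranges]


def cidr_rules(ranges, chain="INPUT"):
    """The same ranges as plain -s prefix rules, for a kernel without ipt_iprange.

    summarize_address_range() splits an arbitrary first-last span into the
    smallest set of CIDR blocks that covers exactly those addresses.
    """
    rules = []
    for first, last in ranges:
        for net in ipaddress.summarize_address_range(first, last):
            rules.append("iptables -I %s -s %s -j DROP" % (chain, net))
    return rules


def shell_script(rules):
    """Wrap the rule lines in a sh script, as china_blacklist.sh did."""
    return "#!/bin/sh\n" + "\n".join(rules) + "\n"


if __name__ == "__main__":
    # usage: iptables_ranges.py china.txt china_blacklist.sh [cidr]   (hypothetical names)
    src, dst = sys.argv[1], sys.argv[2]
    with open(src) as fh:
        ranges, rejected = parse_ranges(fh.read())
    for lineno, reason in rejected:
        print("skipped line %d: %s" % (lineno, reason), file=sys.stderr)
    rules = cidr_rules(ranges) if "cidr" in sys.argv[3:] else iprange_rules(ranges)
    with open(dst, "w") as fh:
        fh.write(shell_script(rules))
    print("%d rules written to %s" % (len(rules), dst))
```

The CIDR form produces more rules than the iprange form (58.14.0.0-58.25.255.255 becomes three prefixes, 222.240.0.0-222.249.249.255 several more), but it works with nothing beyond ip_tables and iptable_filter, which is exactly the situation the post describes for SlugOS5.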
    • Mario Ruprecht
      Message 2 of 5 , Mar 2 11:29 PM
        Maybe Fail2Ban could be an alternative to control iptables?
        http://www.fail2ban.org/wiki/index.php/Main_Page

        Not sure if it's available for Unslung, though.

        Cheers, Mario

        --
        http://www.knecht-ruprecht.info

        From: nslu2-linux@yahoogroups.com [mailto:nslu2-linux@yahoogroups.com] On Behalf Of reuter.rudolf
        Sent: Tuesday, March 03, 2009 8:05 AM
        To: nslu2-linux@yahoogroups.com
        Subject: [nslu2-linux] NSLU2 web server was attacked by chinese computers, use of iptables


      • reuter.rudolf
        Message 3 of 5 , Mar 3 12:03 AM
          Hello Mario,

          as a first thing, I forgot to mention I am using slugOS 4.8 on my NSLU2.

          Fail2Ban is an interesting program. But it is mainly for SSH use. See
          the docu:
          First of all, remember that Fail2ban is a log parser. It cannot do
          anything before something is written in the log files.
          ... and is mainly looking for password abuse.

          Therefore it would not help in my case.

          Regards, Rudolf

        • Mario Ruprecht
          Message 4 of 5 , Mar 3 12:11 AM
            No, it's not limited to this use case. I know colleagues who are using it to find spammers (email servers in addition to SpamAssassin) or monitoring Apache and FTP log files.
            It can handle more than one service (sshd, apache, vsftpd, etc).

            Cheers, Mario

            --
            http://www.knecht-ruprecht.info

            From: nslu2-linux@yahoogroups.com [mailto:nslu2-linux@yahoogroups.com] On Behalf Of reuter.rudolf
            Sent: Tuesday, March 03, 2009 9:03 AM
            To: nslu2-linux@yahoogroups.com
            Subject: [nslu2-linux] Re: NSLU2 web server was attacked by chinese computers, use of iptables


          • Nick W
            Message 5 of 5 , Mar 3 4:28 AM
              There's an internet blocklist available at dnsbl. If you just install rsync you can get it by doing something like:

              rsync -az rsync-mirrors.uceprotect.net::RBLDNSD-ALL/dnsbl-3.uceprotect.net

              uceprotect.net make available a very simple file for downloading and applying the blocklist by iptables... but I have to admit that it didn't completely work, so I've modified it. I've cut it into three parts: a generic "lockdown" script to keep the server generally safe (Knockd, ssh, lighty, dns, samba compatible), a "Blocklist_Get" to download the file and a "Blocklist_apply" to insert all the entries into iptables. It uses /var/tmp as a place to shove the blocklist when it downloads it.

              It works on Debian, but the apply stage takes a while. Here are my three files... I run them manually, but I see no reason why they can't be cronned. (Assumes eth0 is the network device pointed to the local domain.)

              I hope they are of some help to you.

              All the best,

              Nick

              ###################################################
              ############ LOCKDOWN ###############################
              ##### Run this after the Slug starts up to close any doors. ###########
              ####################################################
              #Create the blacklist chain
              iptables -N BLACKLIST
              iptables -F BLACKLIST
              #flush and generate input chain.
              iptables -F INPUT
              #Accept the localhost
              iptables -A INPUT -i lo -j ACCEPT
              #Accept any established connections
              iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
              #Accept any name queries from the local domain
              iptables -A INPUT -i eth0 -p tcp --dport 53 -m iprange --src-range 192.168.1.1-192.168.1.254 -j ACCEPT
              iptables -A INPUT -i eth0 -p udp --dport 53 -m iprange --src-range 192.168.1.1-192.168.1.254 -j ACCEPT
              #Accept any FTP / SSH from the local domain
              iptables -A INPUT -i eth0 -p tcp --dport 20:22 -m iprange --src-range 192.168.1.50-192.168.1.60 -j ACCEPT
              #Accept any SMB stuff from the local domain
              iptables -A INPUT -i eth0 -p tcp --dport 137:139 -m iprange --src-range 192.168.1.50-192.168.1.60 -j ACCEPT
              iptables -A INPUT -i eth0 -p tcp --dport 445 -m iprange --src-range 192.168.1.50-192.168.1.60 -j ACCEPT

              #Accept any non-protected port stuff from the local domain
              iptables -A INPUT -i eth0 -p tcp --dport 1024:65535 -m iprange --src-range 192.168.1.50-192.168.1.60 -j ACCEPT

              #Accept DHCP requests from inside
              # The router denies DHCP requests from outside! handy, eh?
              iptables -A INPUT -i eth0 -p udp -s 0.0.0.0 --dport 68 -j ACCEPT
              #jump all unknown stuff to the blacklist.
              iptables -A INPUT -j BLACKLIST
              #and when returning, it must be okay, so if it's port 80 accept it.
              iptables -A INPUT -p tcp --dport 80 -j ACCEPT
              #the default is to drop it.
              iptables -P INPUT DROP
              ###################################################

              #!/bin/bash
              #####################################################
              ############ blocklist_get ################################
              ### Run this once a month or so to get the latest blocklist from uceprotect ##
              #####################################################
              IPT=/sbin/iptables
              CHAIN=BLACKLIST
              DEBUG=true
              TMPDIR=/var/tmp
              LOGFILE=/var/log/uce.log
              CMD="rsync -az rsync-mirrors.uceprotect.net::RBLDNSD-ALL/dnsbl-3.uceprotect.net"
              # refuse to run a second copy at the same time
              if [ `ps -ef | grep $0 | grep -v grep | wc -l` -gt 2 ]; then
                  ps -ef | grep $0 | grep -v grep
                  echo i am already running
                  exit 142
              fi
              # create the chain if it does not exist yet
              $IPT -nL | grep $CHAIN >/dev/null || $IPT -N $CHAIN
              cd $TMPDIR
              # keep the previous list so the two downloads can be compared
              cp dnsbl-3.uceprotect.net dnsbl-3.uceprotect.net.old
              $CMD $TMPDIR >/dev/null || exit 42

              #############################################################

              #!/bin/bash
              #####################################################
              ############ blocklist_apply ################################
              ### Run this after lockdown to apply the latest blocklist.. it takes a while :) ##
              #####################################################
              IPT=/sbin/iptables
              CHAIN=BLACKLIST
              DEBUG=false
              TMPDIR=/var/tmp
              LOGFILE=/var/log/uce.log
              DIFFILE=$TMPDIR/dif$$
              # one DROP rule per entry: the first field of every line that starts with a digit
              for ip in `grep '^[0-9]' $TMPDIR/dnsbl-3.uceprotect.net | cut -d" " -f1`; do
                  $DEBUG && echo INIT $ip;
                  $IPT -A $CHAIN -s $ip -j DROP
              done
              exit

              #to monitor the stuff:
              #watch -d -n1 'iptables -vnL BLACKLIST | grep -v " 0 DROP" | sort -n | tail -50'