Possible to block ip range "attack"?
-
Hi, I sometimes see a scan on our mailserver from a range of IP's from the same subnet.
X.X.X.1
X.X.X.2
X.X.X.3
...
I currently have pfBlocker installed and also a GeoIP block for some countries (also top spammers and so on), but it can't catch them all of course.
Is there some way to detect this kind of behaviour and block that subnet?
Thanks!
-
@houseofdreams You could install Snort or Suricata.
Both if set correctly will block port scans.
-
@nogbadthebad said in Possible to block ip range "attack"?:
@houseofdreams You could install Snort or Suricata.
Both if set correctly will block port scans.
I understood that these packages can indeed detect port scans, but isn't it only if one and the same IP continues to scan different ports on our system?
Like
X.X.X.1:80
X.X.X.1:81
X.X.X.1:82
...
-
@houseofdreams said in Possible to block ip range "attack"?:
but isn't it only if one and the same IP continues to scan different ports on our system?
So, again :
@nogbadthebad said in Possible to block ip range "attack"?:
Both if set correctly will block port scans.
Which means to me :
If a.b.c.d does something suspect, a.b.c.0/24 will get blocked.
You could even try a.b.0.0/16 or - why not a.0.0.0/8 ;)
But forget about the IPv4 naggers. IPv6 woke up some time ago.
Btw : look at the world's best-known tool that does just this : blocking IPs : fail2ban.
10 k in the firewall and rising.
Keep in mind : I block IPs for 3 days or a week. When they come back, they get a place in the "recidive" list : for life.
-
@houseofdreams said in Possible to block ip range "attack"?:
ns, but isn't it only if one and the same IP continue
I took your first post as you were getting port scans from the IP addresses and different ports.
You might be able to use the following in pfBlocker:-
https://doc.emergingthreats.net/bin/view/Main/CompromisedHost
-
@gertjan said in Possible to block ip range "attack"?:
@houseofdreams said in Possible to block ip range "attack"?:
but isn't it only if one and the same IP continues to scan different ports on our system?
So, again :
@nogbadthebad said in Possible to block ip range "attack"?:
Both if set correctly will block port scans.
Which means to me :
If a.b.c.d does something suspect, a.b.c.0/24 will get blocked.
You could even try a.b.0.0/16 or - why not a.0.0.0/8 ;)
But forget about the IPv4 naggers. IPv6 woke up some time ago.
Btw : look at the world's best-known tool that does just this : blocking IPs : fail2ban.
10 k in the firewall and rising.
Keep in mind : I block IPs for 3 days or a week. When they come back, they get a place in the "recidive" list : for life.
A snippet from our mailservers log:
[04/May/2021 00:59:01] Client with IP address 170.130.237.5 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 01:19:06] Client with IP address 170.130.237.8 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 01:23:26] Client with IP address 170.130.237.7 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 01:31:35] Client with IP address 170.130.237.9 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 01:34:37] Client with IP address 170.130.237.10 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 01:54:02] Client with IP address 170.130.237.12 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 02:05:53] Client with IP address 170.130.237.14 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 02:09:31] Client with IP address 170.130.237.11 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 02:10:07] Client with IP address 170.130.237.11 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 02:12:57] Client with IP address 170.130.237.6 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 02:13:46] Client with IP address 170.130.237.13 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 02:25:15] Client with IP address 170.130.237.17 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 02:30:18] Client with IP address 170.130.237.16 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 02:30:39] Client with IP address 170.130.237.15 has no reverse DNS entry, connection rejected before SMTP greeting
I already have fail2ban enabled on this server, but for this kind of scanning, fail2ban is useless.
-
@houseofdreams said in Possible to block ip range "attack"?:
170.130.237.5
You could block by ASN number.
AS details for 170.130.237.5 :-
route: 170.130.0.0/16
descr: Spectrum Proxy Registration
origin: AS30693
mnt-by: MAINT-AS11404
changed: bguzman@wavebroadband.com 20160127 #22:22:49Z
source: RADB

route: 170.130.0.0/16
descr: ServerHub
origin: AS11403
mnt-by: MAINT-AS11403
changed: inter-eng@nyi.net 20160815 #01:28:33Z
source: RADB

route: 170.130.0.0/16
descr: ServerHub
origin: AS62904
mnt-by: MAINT-AS32748
changed: admin@steadfast.net 20151209
source: ALTDB

route: 170.130.0.0/16
descr: SH-9
origin: AS30693
mnt-by: MNT-EONIX
changed: arin@hipaas.net 20150616
source: ARIN
Tuesday, 4 May 2021 at 10:51:55 British Summer Time
-
@houseofdreams said in Possible to block ip range "attack"?:
but for this kind of scanning, fail2ban is useless
?
Basic rule : this is not 'Microsoft'. You are the limiting factor, not the tools.
You make (set up) the tools/rules/laws.
Example :
root@ns311465:/etc/fail2ban/filter.d# grep 'has no reverse' *
grep: ignorecommands: Is a directory
kerio.conf: ^ Client with IP address <HOST> has no reverse DNS entry, connection rejected before SMTP greeting$
This means that a pre-built config called "kerio.conf" already contains a rule that would block such hosts.
I don't know what "kerio" is (it's probably a mail server) - I am a postfix user myself.
You could use that kerio.conf 'as is' or adapt it to your needs.
Btw : sure : hosts with an IP that do not have a valid DNS (that point back to that IP) should have only 1 try. And blocked right away.
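As an added example (not posted by anyone in the thread and not fail2ban's own code), the small Python script below applies the kerio.conf failregex quoted above to a constructed copy of the mail log from earlier in the thread and groups the rejected clients by /24, keeping only subnets from which several distinct hosts were rejected, which is the sweep pattern fail2ban's per-IP counting misses. The one-CIDR-per-line output is assumed to suit a pfBlockerNG custom list.

```python
import ipaddress
import re
from collections import defaultdict

# fail2ban's kerio.conf failregex (quoted above) with the <HOST> placeholder
# expanded to an IPv4 capture and the bracketed timestamp captured too.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Client with IP address (?P<host>\d{1,3}(?:\.\d{1,3}){3}) "
    r"has no reverse DNS entry, connection rejected before SMTP greeting$"
)

# Constructed sample log: four hosts from the thread's /24, one from a documentation range, one unrelated line.
SAMPLE_LOG = """\
[04/May/2021 00:59:01] Client with IP address 170.130.237.5 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 01:19:06] Client with IP address 170.130.237.8 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 01:23:26] Client with IP address 170.130.237.7 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 02:00:00] Connection from 198.51.100.7 accepted
[04/May/2021 02:09:31] Client with IP address 170.130.237.11 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 02:10:07] Client with IP address 170.130.237.11 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 02:30:39] Client with IP address 192.0.2.44 has no reverse DNS entry, connection rejected before SMTP greeting
"""


def rejected_hosts(lines):
    """Yield the client address of every line the kerio filter would match."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield ipaddress.ip_address(m.group("host"))


def suspicious_subnets(lines, prefix=24, min_hosts=3):
    """Group rejected clients by /prefix and keep networks with at least min_hosts
    *distinct* addresses; fail2ban counts per single IP, so a spread-out sweep never trips it."""
    hosts_by_net = defaultdict(set)
    for host in rejected_hosts(lines):
        net = ipaddress.ip_network(f"{host}/{prefix}", strict=False)
        hosts_by_net[net].add(host)
    return {
        str(net): [str(h) for h in sorted(hosts)]
        for net, hosts in sorted(hosts_by_net.items())
        if len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    # One CIDR per line, the form a pfBlockerNG custom list takes (assumption).
    for cidr, hosts in suspicious_subnets(SAMPLE_LOG.splitlines()).items():
        print(f"{cidr}  # {len(hosts)} rejected hosts: {', '.join(hosts)}")
```

Raising `prefix` to 16 aggregates at the level of the route shown in the whois output above; lowering `min_hosts` to 1 reduces the script to the same per-IP view fail2ban already gives.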