Netgate Discussion Forum

    Possible to block ip range "attack"?

    Firewalling, 8 Posts, 3 Posters, 679 Views
    houseofdreams wrote:

      Hi, I sometimes see a scan on our mailserver from a range of IPs from the same subnet.

      X.X.X.1
      X.X.X.2
      X.X.X.3
      ....

      I currently have pfBlocker installed and also a GeoIP block for some countries (also top spammers and so on, but it can't catch them all of course).

      Is there some way to detect this kind of behaviour and block that subnet?

      Thanks!

      NogBadTheBad @houseofdreams wrote:


        @houseofdreams You could install Snort or Suricata.

        Both if set correctly will block port scans.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        houseofdreams @NogBadTheBad wrote:


          @nogbadthebad said in Possible to block ip range "attack"?:

          @houseofdreams You could install Snort or Suricata.

          Both if set correctly will block port scans.

          I understood that these packages can indeed detect port scans, but isn't it only if one and the same IP continues to scan different ports on our system?

          Like
          X.X.X.1:80
          X.X.X.1:81
          X.X.X.1:82
          ...

          Gertjan @houseofdreams wrote:


            @houseofdreams said in Possible to block ip range "attack"?:

            but isn't it only if one and the same IP continues to scan different ports on our system?

            So, again :

            @nogbadthebad said in Possible to block ip range "attack"?:

            Both if set correctly will block port scans.

            Which means to me :
            If a.b.c.d does something suspect, a.b.c.0/24 will get blocked.
            You could even try a.b.0.0/16 or - why not a.0.0.0/8 ;)

            But forget about the IPv4 naggers.
            IPv6 woke up some time ago.

            Btw : look at the world's most known tool that does just this : blocking IPs : fail2ban.

            10 k in the firewall and rising.

            Keep in mind : I block IPs for 3 days or a week. When they come back, they get a place in the "recidive" list : for life.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            NogBadTheBad @houseofdreams wrote:


              @houseofdreams said in Possible to block ip range "attack"?:

              [...] but isn't it only if one and the same IP continues to scan different ports on our system?

              I took your first post as you were getting port scans from the IP addresses and different ports.

              You might be able to use the following in pfBlocker:-

              https://doc.emergingthreats.net/bin/view/Main/CompromisedHost

              Andy

              houseofdreams @Gertjan wrote:


                @gertjan said in Possible to block ip range "attack"?:

                @houseofdreams said in Possible to block ip range "attack"?:

                but isn't it only if one and the same IP continues to scan different ports on our system?

                So, again :

                @nogbadthebad said in Possible to block ip range "attack"?:

                Both if set correctly will block port scans.

                Which means to me :
                If a.b.c.d does something suspect, a.b.c.0/24 will get blocked.
                You could even try a.b.0.0/16 or - why not a.0.0.0/8 ;)

                But forget about the IPv4 naggers.
                IPv6 woke up some time ago.

                Btw : look at the world's most known tool that does just this : blocking IPs : fail2ban.

                10 k in the firewall and rising.

                Keep in mind : I block IPs for 3 days or a week. When they come back, they get a place in the "recidive" list : for life.

                A snippet from our mailserver's log:

                [04/May/2021 00:59:01] Client with IP address 170.130.237.5 has no reverse DNS entry, connection rejected before SMTP greeting
                [04/May/2021 01:19:06] Client with IP address 170.130.237.8 has no reverse DNS entry, connection rejected before SMTP greeting
                [04/May/2021 01:23:26] Client with IP address 170.130.237.7 has no reverse DNS entry, connection rejected before SMTP greeting
                [04/May/2021 01:31:35] Client with IP address 170.130.237.9 has no reverse DNS entry, connection rejected before SMTP greeting
                [04/May/2021 01:34:37] Client with IP address 170.130.237.10 has no reverse DNS entry, connection rejected before SMTP greeting
                [04/May/2021 01:54:02] Client with IP address 170.130.237.12 has no reverse DNS entry, connection rejected before SMTP greeting
                [04/May/2021 02:05:53] Client with IP address 170.130.237.14 has no reverse DNS entry, connection rejected before SMTP greeting
                [04/May/2021 02:09:31] Client with IP address 170.130.237.11 has no reverse DNS entry, connection rejected before SMTP greeting
                [04/May/2021 02:10:07] Client with IP address 170.130.237.11 has no reverse DNS entry, connection rejected before SMTP greeting
                [04/May/2021 02:12:57] Client with IP address 170.130.237.6 has no reverse DNS entry, connection rejected before SMTP greeting
                [04/May/2021 02:13:46] Client with IP address 170.130.237.13 has no reverse DNS entry, connection rejected before SMTP greeting
                [04/May/2021 02:25:15] Client with IP address 170.130.237.17 has no reverse DNS entry, connection rejected before SMTP greeting
                [04/May/2021 02:30:18] Client with IP address 170.130.237.16 has no reverse DNS entry, connection rejected before SMTP greeting
                [04/May/2021 02:30:39] Client with IP address 170.130.237.15 has no reverse DNS entry, connection rejected before SMTP greeting

                I already have fail2ban enabled on this server, but for this kind of scanning, fail2ban is useless.

                NogBadTheBad @houseofdreams wrote:


                  @houseofdreams said in Possible to block ip range "attack"?:

                  170.130.237.5

                  You could block by ASN number.

                  AS details for 170.130.237.5 :-

                  route: 170.130.0.0/16
                  descr: Spectrum Proxy Registration
                  origin: AS30693
                  mnt-by: MAINT-AS11404
                  changed: bguzman@wavebroadband.com 20160127 #22:22:49Z
                  source: RADB

                  route: 170.130.0.0/16
                  descr: ServerHub
                  origin: AS11403
                  mnt-by: MAINT-AS11403
                  changed: inter-eng@nyi.net 20160815 #01:28:33Z
                  source: RADB

                  route: 170.130.0.0/16
                  descr: ServerHub
                  origin: AS62904
                  mnt-by: MAINT-AS32748
                  changed: admin@steadfast.net 20151209
                  source: ALTDB

                  route: 170.130.0.0/16
                  descr: SH-9
                  origin: AS30693
                  mnt-by: MNT-EONIX
                  changed: arin@hipaas.net 20150616
                  source: ARIN

                  Tuesday, 4 May 2021 at 10:51:55 British Summer Time

                  Andy

                    Gertjan @houseofdreams wrote:


                    @houseofdreams said in Possible to block ip range "attack"?:

                    but for this kind of scanning, fail2ban is useless

                    ?

                    Basic rule : this is not 'Microsoft'. You are the limiting factor, not the tools.
                    You make (setup) the tools/rules/laws.

                    Example :

                    root@ns311465:/etc/fail2ban/filter.d# grep 'has no reverse' *
                    grep: ignorecommands: Is a directory
                    kerio.conf:            ^ Client with IP address <HOST> has no reverse DNS entry, connection rejected before SMTP greeting$
                    

                    This means that a pre-built config called "kerio.conf" already contains a rule that would block such hosts.
                    I don't know what "kerio" is (it's probably a mail server) - I am a postfix user myself.
                    You could use that kerio.conf 'as is' or adapt it to your needs.

                    Btw : sure : hosts with an IP that do not have a valid DNS (that point back to that IP) should have only 1 try. And blocked right away.


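The two pieces the thread leaves to the reader are (a) what the kerio.conf failregex Gertjan found actually matches in the log houseofdreams posted, and (b) how to go from single offending hosts to the /24 the original question asked about, with the 3-day / "for life" escalation Gertjan describes. The block below is an added example, not code from fail2ban, Kerio or any poster: it applies the page's failregex to a subset of the page's own log lines (plus two constructed lines), collapses banned IPv4 hosts into /24s, and escalates ban time for repeat offenders. The 3-hosts-per-/24 threshold, the pf table name `scanners`, and the constructed log lines (198.51.100.7 and 203.0.113.9 are documentation addresses) are assumptions for illustration; fail2ban itself bans single addresses, so the subnet step is what you would add on top of it.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# failregex exactly as shown on the page from fail2ban's filter.d/kerio.conf.
# fail2ban expands <HOST> to a named group; the class used here is a simplified
# form of fail2ban's own expansion (IPv4 addresses and hostnames).
FAIL_RE = re.compile(
    r"^ Client with IP address (?P<host>[\w\-.^_]*\w) has no reverse DNS entry, "
    r"connection rejected before SMTP greeting$"
)
# Kerio's "[04/May/2021 00:59:01]" prefix. fail2ban strips the date first and
# matches failregex against the remainder, which is why failregex starts "^ ".
DATE_RE = re.compile(r"^\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4} \d{2}:\d{2}:\d{2})\]")

# Five lines from the thread's log plus two constructed ones: a lone host in a
# different /24 and a non-matching line, so the grouping has something to drop.
SAMPLE_LOG = """\
[04/May/2021 00:59:01] Client with IP address 170.130.237.5 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 01:19:06] Client with IP address 170.130.237.8 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 02:09:31] Client with IP address 170.130.237.11 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 02:10:07] Client with IP address 170.130.237.11 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 02:30:39] Client with IP address 170.130.237.15 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 02:31:00] Client with IP address 198.51.100.7 has no reverse DNS entry, connection rejected before SMTP greeting
[04/May/2021 02:32:00] SMTP server: client 203.0.113.9 delivered 1 message
""".splitlines()

SAMPLE_NOW = datetime(2021, 5, 4, 3, 0, 0)  # "now" for the demo run


def parse_line(line):
    """Return (timestamp, host) when the line matches the kerio failregex, else None."""
    d = DATE_RE.match(line)
    if not d:
        return None
    f = FAIL_RE.match(line[d.end():])
    if not f:
        return None
    return datetime.strptime(d.group("ts"), "%d/%b/%Y %H:%M:%S"), f.group("host")


def offending_hosts(lines, maxretry=1):
    """Per-host hit counts, keeping hosts with at least maxretry hits.
    maxretry=1 is Gertjan's rule: no reverse DNS means one try, then blocked."""
    counts = Counter()
    for line in lines:
        hit = parse_line(line)
        if hit:
            counts[hit[1]] += 1
    return {h: n for h, n in counts.items() if n >= maxretry}


def group_by_subnet(hosts, prefixlen=24, min_hosts=3):
    """Collapse banned IPv4 hosts into /prefixlen networks. A network is reported
    once min_hosts distinct addresses from it are banned (assumed threshold), which
    is the pattern in the thread: many neighbouring IPs, each with few hits."""
    nets = defaultdict(set)
    for h in hosts:
        try:
            ip = ipaddress.ip_address(h)
        except ValueError:
            continue  # <HOST> can also match a hostname; not grouped here
        if ip.version != 4:
            continue  # IPv6 scanners would need a different prefix (e.g. /64)
        nets[ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)].add(ip)
    return {str(n): [str(i) for i in sorted(ips)]
            for n, ips in nets.items() if len(ips) >= min_hosts}


class BanList:
    """Ban-time escalation as Gertjan describes it: a first ban for a fixed
    period, and a target that comes back ("recidive") is banned for good."""
    FIRST_BANTIME = timedelta(days=3)
    PERMANENT = datetime.max

    def __init__(self):
        self.expiry = {}
        self.offences = Counter()

    def ban(self, target, now):
        self.offences[target] += 1
        first = self.offences[target] == 1
        self.expiry[target] = now + self.FIRST_BANTIME if first else self.PERMANENT
        return self.expiry[target]

    def is_banned(self, target, now):
        exp = self.expiry.get(target)
        return exp is not None and now < exp


def pf_table_commands(targets, table="scanners"):
    """pfctl commands that would load the targets into a pf table (table name
    assumed). On pfSense you would instead feed these CIDRs to a pfBlockerNG or
    alias list. The commands are returned as strings, not executed."""
    return [f"pfctl -t {table} -T add {t}" for t in sorted(targets)]


if __name__ == "__main__":
    hosts = offending_hosts(SAMPLE_LOG)
    ranges = group_by_subnet(hosts)
    bl = BanList()
    for net, members in ranges.items():
        until = bl.ban(net, SAMPLE_NOW)
        print(f"{net}: {len(members)} hosts banned -> until {until}")
    print("\n".join(pf_table_commands(ranges)))
```

Run as-is it reports 170.130.237.0/24 (four distinct hosts in the sample) and leaves 198.51.100.7 alone, which is the distinction the thread is after: an individual host with no reverse DNS gets fail2ban's per-IP ban, while a range of neighbours gets the whole /24. Lower `min_hosts` or raise `prefixlen` to tune how aggressively ranges are collapsed.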
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.