Re: auth log full with
On 8/14/22, Matthias Böttcher wrote:
> On Sun, 14 Aug 2022 at 09:51, Reco wrote:
>
>> Personally I don't use fail2ban for sshd. Because why bother with
>> userspace (written in python too, yuck) if the kernel does the same job?
>> I.e. block M$ AS, China Telecom AS and maybe add Eastern Europe to the
>> mix, and you've just reduced the number of offending logins by two
>> orders of magnitude.
>
> Hi Reco,
>
> how do I block these ip ranges?
> Which source can I use to determine the geo location of ip addresses?
I'd suggest a white-list approach - i.e. allow ssh from <these>
networks instead of playing whack-a-mole, but if you _really_ want to
block by country:
1. learn expect
2. figure out how to script this bit:
get a list of ASNs (Autonomous System Number) for that country - e.g.
https://ipinfo.io/countries/cn
find some route servers that give you telnet access - e.g.
https://bgp4.as/looking-glasses
you want the
CATEGORY 2 - IPv4 AND IPv6 BGP ROUTE SERVERS BY REGION (TELNET ACCESS)
table at the end of the page
figure out the correct syntax for showing bgp routes transiting the target ASN
for cisco routers it's "sh ip bgp regexp _ASN#_" so show all routes
transiting that ASN
route-server.he.net seems to be a cisco router, so
$ telnet route-server.he.net
...
route-server> sh ip bgp regexp _4812_
BGP table version is 0, local router ID is 64.62.142.154
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* i36.111.0.0/20 64.62.244.62 0 100 0 4134 4134 4812 i
*>i 118.85.205.25 100 0 4134 4812 i
* i 118.85.205.25 100 0 4134 4812 i
* i 216.218.252.178 0 100 0 4134 4134 4812 i
* i 216.218.252.164 0 100 0 4134 4134 4812 i
* i 209.51.191.134 0 100 0 4134 4134 4812 i
* i 209.51.191.134 0 100 0 4134 4134 4812 i
* i 118.85.205.25 100 0 4134 4812 i
* i 209.51.191.134 0 100 0 4134 4134 4812 i
* i 209.51.191.134 0 100 0 4134 4134 4812 i
* i 64.62.244.62 0 100 0 4134 4134 4812 i
* i 64.62.151.102 0 100 0 4134 4134 4812 i
* i 64.62.244.62 0 100 0 4134 4134 4812 i
* i 209.51.191.134 0 100 0 4134 4134 4812 i
* i 209.51.191.134 0 100 0 4134 4134 4812 i
* i 216.218.252.169 0 100 0 4134 4134 4812 i
* i36.255.128.0/22 118.85.205.25 100 0 4134 4812 63570 i
* i 118.85.205.25 100 0 4134 4812 63570 i
*>i 118.85.205.25 100 0 4134 4812 63570 i
* i40.0.176.0/21 62.115.181.197 48 70 0 1299 4134
4812 4249 i
* i 62.115.14.5 48 70 0 1299 4134
4812 4249 i
And don't forget to block ipv6, so
route-server> sh bgp ipv6 regexp _4812_
BGP table version is 0, local router ID is 64.62.142.154
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* i2400:6600::/32 2a04:f580:8210:100::9
0 100 0 4134 4812 9812 i
* i 2001:470:0:38e::2
0 100 0 4134 4812 9812 i
* i 2001:470:0:38e::2
0 100 0 4134 4812 9812 i
* i 2001:470:0:5f::2
0 100 0 4134 4812 9812 i
* i 2001:470:0:1a::1
0 100 0 4134 4812 9812 i
* i 2001:470:0:5f::2
0 100 0 4134 4812 9812 i
* i 2001:470:0:5f::2
0 100 0 4134 4812 9812 i
Regards,
Lee
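Added example (not from Lee's mail): a parser for the route-server output shown above that pulls the distinct prefixes out of a "sh ip bgp regexp" / "sh bgp ipv6 regexp" listing, collapses them, and renders an nftables set. The sample text is a constructed, column-aligned abbreviation of the quoted output; set names and the nft snippet are my own. Note that "_4812_" matches any path containing AS4812, so prefixes originated by its downstream customers (63570, 4249 in the sample) are swept in too, which is the over-blocking a white-list avoids.

```python
import ipaddress

# Constructed sample, re-aligned to the Cisco layout (3 status chars, then the
# Network column), abbreviated from the route-server output quoted above.
SAMPLE_V4 = """\
BGP table version is 0, local router ID is 64.62.142.154
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
* i36.111.0.0/20    64.62.244.62             0    100      0 4134 4134 4812 i
*>i                 118.85.205.25                 100      0 4134 4812 i
* i36.255.128.0/22  118.85.205.25                 100      0 4134 4812 63570 i
* i40.0.176.0/21    62.115.181.197          48     70      0 1299 4134
                                                              4812 4249 i
"""
SAMPLE_V6 = """\
   Network          Next Hop            Metric LocPrf Weight Path
* i2400:6600::/32   2a04:f580:8210:100::9
                                             0    100      0 4134 4812 9812 i
* i                 2001:470:0:38e::2
                                             0    100      0 4134 4812 9812 i
"""

def extract_prefixes(show_output):
    """Distinct prefixes from the listing, collapsed into covering networks.
    Only the first line of a route group carries the Network column (the
    alternate paths below it leave it blank), and only that column holds a
    token with a '/' right after the 3-character status field."""
    nets = set()
    for line in show_output.splitlines():
        rest = line[3:].strip()
        token = rest.split(maxsplit=1)[0] if rest else ""
        if "/" not in token:
            continue
        try:
            nets.add(ipaddress.ip_network(token, strict=False))
        except ValueError:  # header text or a next-hop, not a prefix
            pass
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return sorted(ipaddress.collapse_addresses(v4)) + sorted(ipaddress.collapse_addresses(v6))

def nft_set(name, nets):
    """Render one nftables set (all nets must share an IP version);
    'flags interval' makes each prefix match as a range."""
    family = "ipv6_addr" if nets and nets[0].version == 6 else "ipv4_addr"
    return f"set {name} {{ type {family}; flags interval; elements = {{ {', '.join(map(str, nets))} }} }}"

if __name__ == "__main__":
    print(nft_set("as4812_v4", extract_prefixes(SAMPLE_V4)))
    print(nft_set("as4812_v6", extract_prefixes(SAMPLE_V6)))
```

The rendered sets go inside an nft table and are referenced from a rule such as `ip saddr @as4812_v4 tcp dport 22 drop`; for the white-list approach the same parser feeds an `accept` rule followed by a default drop instead.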