[asterisk-users] Numbers hackers call
Stefan Gofferje
lists at home.gofferje.net
Thu Mar 27 15:26:30 CDT 2014
On 03/27/2014 08:36 PM, Eric Wieling wrote:
> I have an iptables file which blocks all traffic except traffic from networks allocated by ARIN or are Legacy networks. I pulled the information from http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml
>
> My iptables script can be found at the link below.
>
> http://help.nyigc.net/tmp/iptables_geoblock
>
> It might be helpful to someone.

Below's my solution. I specifically block China, Korea and Palestine.
That already massively reduced my amount of attacks. I can't block as
much as you because I do allow unregistered inbound SIP calls to
sip:stefan at home.mylastname.net. CN, KR and PS are currently the only
attack origins from where I wouldn't expect legit inbound traffic.

Here's my script (pulls data from ipdeny.com). The script is called in
my primary IPTABLES script after flushing and before my specific ruleset.
And it runs on my perimeter firewall.

WARNING: That's about 5000 networks to stuff into the tables! My fw is a
Phenom 8650 3-core machine and it takes about 8.5 minutes to stuff all
the rules into the kernel!

#!/bin/bash
# Load per-country blocking rules built from the ipdeny.com zone files.

IPTABLES="/sbin/iptables"
ANY="0.0.0.0/0"
BLOCKDIR="blocklist.d"

# Create the download directory if it does not exist yet
if ! test -d "${BLOCKDIR}"; then
    mkdir "${BLOCKDIR}"
fi

DATE=$(date)
echo "Country blocking rules..."
echo "Downloading rules..."
# -f makes curl exit non-zero on an HTTP error, so the warning fires
# instead of an error page being saved as the zone file
curl -sf http://www.ipdeny.com/ipblocks/data/countries/cn.zone -o "${BLOCKDIR}/cn.zone" || echo "Warning: Couldn't download CN zone"
curl -sf http://www.ipdeny.com/ipblocks/data/countries/kr.zone -o "${BLOCKDIR}/kr.zone" || echo "Warning: Couldn't download KR zone"
curl -sf http://www.ipdeny.com/ipblocks/data/countries/ps.zone -o "${BLOCKDIR}/ps.zone" || echo "Warning: Couldn't download PS zone"
echo "Done downloading. Setting rules..."

for FILE in "${BLOCKDIR}"/*zone; do
    for ADDRESS in $(cat "${FILE}"); do
        echo "Blocking network: ${ADDRESS}..."
        # LOG has to come before DROP: DROP ends rule traversal for the
        # packet, so a LOG rule appended after it would never match
        $IPTABLES -A INPUT -s "${ADDRESS}" -d $ANY -j LOG --log-prefix "Packet log: COUNTRY DROP "
        $IPTABLES -A INPUT -s "${ADDRESS}" -d $ANY -j DROP
        $IPTABLES -A FORWARD -s "${ADDRESS}" -d $ANY -j LOG --log-prefix "Packet log: COUNTRY DROP "
        $IPTABLES -A FORWARD -s "${ADDRESS}" -d $ANY -j DROP
    done
done
echo "Done. Started: ${DATE}, finished: $(date)"

--
(o_ Stefan Gofferje | SCLT, MCP, CCSA
//\ Reg'd Linux User #247167 | VCP #2263
V_/_ Heckler & Koch - the original point and click interface
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4079 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20140327/1b6c7bad/attachment.bin>
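
An added example, not part of the original post: the same zone files loaded into a single ipset, which avoids the roughly 5000 separate rule insertions the warning above describes. The zone files arrive over plain HTTP, so every line is checked against a strict CIDR pattern before it is used. The set name, the function name and the presence of the ipset tool on the firewall are assumptions of this example.

```bash
#!/bin/bash
# Added example: load the zone files into one ipset instead of ~5000 rules.
# SET_NAME and build_ipset_restore are names assumed for this example.
SET_NAME="countryblock"
BLOCKDIR="blocklist.d"
IPTABLES="/sbin/iptables"

# Strict IPv4 CIDR pattern: octets 0-255, prefix length 0-32, nothing else.
OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
CIDR_RE="^${OCTET}\\.${OCTET}\\.${OCTET}\\.${OCTET}/(3[0-2]|[12]?[0-9])\$"

# Print "ipset restore" input for the given zone files on stdout.
# Anything that is not a bare CIDR (an HTML error page, trailing words,
# out-of-range numbers) is reported on stderr and never reaches the kernel.
build_ipset_restore() {
    echo "create ${SET_NAME} hash:net family inet"
    echo "flush ${SET_NAME}"
    for zone in "$@"; do
        tr -d '\r' < "$zone" | grep -E "$CIDR_RE" | sed "s/^/add ${SET_NAME} /"
        tr -d '\r' < "$zone" | grep -Ev "$CIDR_RE" | grep -v '^$' |
            awk -v f="$zone" '{ print "Rejected entry in " f ": " $0 }' >&2
    done
}

# "apply" (as root) loads the set in one call and adds two rules per chain.
# LOG comes first: DROP is a terminating target, so a LOG after it never fires.
if [ "${1:-}" = "apply" ]; then
    build_ipset_restore "${BLOCKDIR}"/*.zone | ipset -exist restore
    for CHAIN in INPUT FORWARD; do
        $IPTABLES -A "$CHAIN" -m set --match-set "$SET_NAME" src \
            -j LOG --log-prefix "Packet log: COUNTRY DROP "
        $IPTABLES -A "$CHAIN" -m set --match-set "$SET_NAME" src -j DROP
    done
fi
```

Run it with the argument apply after the download step; without an argument it only defines the function, so the generated restore input can be inspected first.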