Menu
What's new
By:
Filters Better Search

Best way to automatically block (add/delete) IP/CIDR ranges?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

lightaffaire

lightaffaire

Occasional Visitor
On a couple of linux servers here I block large lists of IP/CIDR ranges via iptables using scripts to add and delete them as needed.

At one site I now have a GT-AX11000 running 386.5beta1 and would like to know the following:

1. the best way to bulk block IP ranges on an asuswrt-merlin system via a script?

2. preferably callable via ssh into the router?

3. has anyone calculated the max. number of allowed IP entries a GT-AX11000/RT-AX88U can handle or is actually running asuswrt-merlin with 1000's or 10000's of blocked ranges and if so any gotcha's to be aware of?

Once I have enough info I will look at updating the following script to handle iptables. It automatically generates an .htaccess file to deny spiders/clouds/hosters/actors based on a curated list of AS numbers. Check out the web deny report link to see what it is denying on daily basis:


I appreciate any and all constructive feedback,

Iain
 
Last edited:
Have you had a look at Skynet ??
 
@kernol thank you for your answer concerning skynet and i will take a look at it.

Concerning your second message...

1. it is always best to run your own security checks i.e.,

$ nmap lightaffaire.com
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-28 08:30 CET
Nmap scan report for lightaffaire.com (87.138.139.76)
Host is up (0.0011s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
443/tcp open https
995/tcp open pop3s

RDP? X11? nope don't see them in that list.

Obviously someone here is going to jump on the "why is port 80 open?" a simple web redirect/rewrite rule to port 443.

Note: we run offsite logging of all machines/infrastructure including all ip denys here so I would ask "you" to first think long and hard.


2. Malware? if someone harvests your Email address and uses it in a bulk mail spamming of whatever then you end up on lists... thats the internet we live in today. Do more research on your own and you will see which addresses are being misused and were blocked here long ago.


3. Why do i send links? because I have something to offer that others may or may not find useful... give and take... but that seems to be a dying art.
 
Last edited:
kernol said:
I am intrigued by your propensity to offer links in your posts - ostensibly to offer newly proposed solutions of your own.
Click to expand...
And what is wrong with that? Every "solution" here was new at some point.
 
thiggins said:
And what is wrong with that? Every "solution" here was new at some point.
Click to expand...

Tim - you be the Captain ... but I believe I used the word "intrigued" and did not say or imply that it was "wrong"!

I am now intrigued by your quick defence of a newcomer whose offerings so far have added very little value - while expressing your displeasure at long-standing members with thousands of helpful posts that have supported the expansion of your forum.

thiggins said:
@lightaffaire Welcome to SNBForums.

This is, indeed, a tough crowd, tougher than I prefer to see.
Some of the "furniture" hold strong opinions and are not shy about stating them, over and over in many cases.
Click to expand...

BTW - @lightaffaire has yet to take down the unauthorised mirror site despite the Maestro's request!
 
kernol said:
I am now intrigued by your quick defence of a newcomer whose offerings so far have added very little value - while expressing your displeasure at long-standing members with thousands of helpful posts that have supported the expansion of your forum.
Click to expand...
Good thing I wasn’t judged based on my first 10 posts on this forum. This crowd can be snobby when it chooses to be. So let’s not.
kernol said:
BTW - @lightaffaire has yet to take down the unauthorised mirror site despite the Maestro's request!
Click to expand...
Was that an explicit request to take it down? You’re really out to get him, it seems. Be sure to check out the occasional skin photos on his main site. Maybe you’ll change your mind.
 
dave14305 said:
Be sure to check out the occasional skin photos on his main site. Maybe you’ll change your mind.
Click to expand...

I can't get there from here... I've been blocked by clever means. Asuswrt-Merlin's new mirror team is selective. So, not likely to change my mind.

OE
 
@kernol your full sentence was: "I am intrigued by your propensity to offer links in your posts - ostensibly to offer newly proposed solutions of your own."

That is more than "intrigued" once the full context is shown as above. You then felt the need to supply 3 url's with respect to the IP of my site which i explicity answered in detail above. You should reply to the answers I provided you... which are correct and valid. Do not ignore valid answers. No wiggle room allowed. Simply admit you did not do due diligence on the answers google provided.

With respect to your comment "a newcomer whose offerings so far have added very little value": some people find them useful, some don't. They are provided as-is. Whether you like or dislike any tools/ideas/tips I provide is upto you. Just be so kind as to double check any info before acusing me of anything in future... it makes one of us look anything but professional.

@OzarkEdge blocked? if you received a 403 web deny from my site then your IP is inside one of the ~500 ASN's we block due to security. If you want to send me your ISP/IP info per private message here I can run a check and tell you why you received a 403... if not that is also ok.
 
Last edited:
kernol said:
I am now intrigued by your quick defence of a newcomer whose offerings so far have added very little value - while expressing your displeasure at long-standing members with thousands of helpful posts that have supported the expansion of your forum.
Click to expand...
Helpful is relative. A lot depends on the reader's experience level. As long as the site terms are followed, users are free to post.
 
lightaffaire said:
@OzarkEdge blocked? if you received a 403 web deny from my site then your IP is inside one of the ~500 ASN's we block due to security. If you want to send me your ISP/IP info per private message here I can run a check and tell you why you received a 403... if not that is also ok.
Click to expand...

Thanks for the offer... I'll pass since I don't use Asuswrt-Merlin.

For reference, here are the blocks I encountered when attempting your links... my ISP is a mainstream US cable Internet service provider:

4031.jpg

4032.jpg


OE
 
@OzarkEdge you don't use asus-merlin but are in the asus-merlin group? ermm.

I checked our logs here. Your IP looks to be inside the ASN: AS20115 Charter Communications

2022-03-01 01:02:26 47.233.25.160 AS20115 Charter Comm... GET /<redacted> HTTP/2.0 403

47.233.25.160 US, Missouri, 65265 Mexico
047-233-025-160.res.spectrum.com
asn+org: AS20115 Charter Communications
inetnum: 47.224.0.0/13
netname: CC04

But the CIDR block 47.224.0.0/11 is allocated to or is behind "AS45102 Alibaba Cloud" a chinese cloud provider that we do block.

I will look into adding an exception rule for the /13 network block. Check back tommorow.
 
lightaffaire said:
@OzarkEdge you don't use asus-merlin but are in the asus-merlin group? ermm.
Click to expand...

I try to help wherever I can. Funny you pointing out boundaries. :)

lightaffaire said:
But the CIDR block 47.224.0.0/11 is allocated to or is behind "AS45102 Alibaba Cloud" a chinese cloud provider that we do block.
Click to expand...

I have no idea about a Chinese provider at the edge of the Ozarks. I use the term 'edge' loosely, but your filter scheme may be too aggressive.

OE
 
kernol said:
BTW - @lightaffaire has yet to take down the unauthorised mirror site despite the Maestro's request!
Click to expand...
I did not request a takedown, only that I do not want to endorse it as an official mirror. I do not forbid redistribution of my files, and I don't mind as long people aren`t being nefarious, i.e. they aren't modifying them, or claiming ownership of their content. Softpedia for instance has been redistributing Asuswrt-Merlin for years (and I briefly listed them as a mirror back when I was still using Mediafire).
 
lightaffaire said:
. the best way to bulk block IP ranges on an asuswrt-merlin system via a script?
Click to expand...
Create an iptable rules that drops all content of an ipset, then dynamically update that ipset with your blocked IPs.

You'll have to check the ipset documentation, I don't remember the maximum number of supported entries.
 
lightaffaire said:
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
443/tcp open https
995/tcp open pop3s
Click to expand...

there's no real need to keep popper and sendmail open, esp when their not secure (even though tcp_wrapper is in play).

some folks might also mention 22/tcp, but as long are you're running certs there and disabling passwords, you should be fine, just a lot of folks rattling the doorknob...
 
sfx2000 said:
there's no real need to keep popper and sendmail open, esp when their not secure (even though tcp_wrapper is in play).

some folks might also mention 22/tcp, but as long are you're running certs there and disabling passwords, you should be fine, just a lot of folks rattling the doorknob...
Click to expand...

Well to be honest I really would like to keep receiving my email ;-)
 
lightaffaire said:
Well to be honest I really would like to keep receiving my email ;-)
Click to expand...

Yeah, but popper is very not secure, using user/pass (I am one of the former devs for Qualcomm's qpopper), so turn that port off if you can...

Same with Sendmail - use 465 or 587 for SSL/TLS peer auth. There you can consider SPF/DKIM, as all senders should be doing this to reduce the amount of spam in the world.
 
@
sfx2000 said:
Yeah, but popper is very not secure, using user/pass (I am one of the former devs for Qualcomm's qpopper), so turn that port off if you can...

Same with Sendmail - use 465 or 587 for SSL/TLS peer auth. There you can consider SPF/DKIM, as all senders should be doing this to reduce the amount of spam in the world.
Click to expand...

dovecot with STARTTLS certs are ok for my present needs.

Not everyone I correspond with has setup SMTPS so port 25 is still required.
 
You must log in or register to reply here.
Similar threads
Thread starter Title Forum Replies Date
sthornington Latest (Oct 2024) "best" recommended router for Merlin? Asuswrt-Merlin 19
B AiMesh nodes - best practices / scripts / etc Asuswrt-Merlin 2
F Best 5ghz Guest Wifi Asuswrt-Merlin 5
raion969 Asus RT-AC5300 best Wireless Settings Asuswrt-Merlin 6
M Best router for wireguard or openVPN Asuswrt-Merlin 1
J Best setup for a wifi extender Asuswrt-Merlin 19
M Best Asus router for openVPN Asuswrt-Merlin 3
grizfan Best practices for firmware updates? Asuswrt-Merlin 5
Vince Edwards Asus router not reconnecting automatically after connection outage. Asuswrt-Merlin 9
D File Copied to JFFS Partition Gets Deleted Automatically Asuswrt-Merlin 5

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 823 (members: 11, guests: 812)
Top