
Best way to automatically block (add/delete) IP/CIDR ranges?


On a couple of linux servers here I block large lists of IP/CIDR ranges via iptables using scripts to add and delete them as needed.
Way back, I had a script that would parse my logs looking for various "offenses" and based on the severity (based purely on what I had coded) would either add the offender to a temporary list that would be blocked for 24 hours or to a permanent list. Repeat offenders in the temporary list would also be added to the permanent list. To speed up the actual blocking, I also had a threshold to start with a single IP, then if 4 addresses in that range were banned I'd simply block the whole range and keep increasing the mask as more and more offenders were captured. The script and database would build the iptables rules. I also had some release conditions so as to not overload the block list. I ran this for about 4 years. For my purposes, this worked extremely well and was easy to implement on Linux.

Unfortunately, I don't think I bothered to keep any of the code though. Presenting the "idea" rather than a solution :)
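The scheme described above, as an added example in Python (not the poster's script, which was not kept): offenders go onto a 24-hour temporary list or, for severe or repeat offenses, the permanent list; once four banned hosts fall inside one /24 the whole /24 is blocked, and once four blocked /24s fall inside one /16 the /16 is blocked (the second step generalises the "keep increasing the mask" idea); the generated iptables rules omit entries already covered by a wider block. The log patterns, severity scores and sample log lines are constructed assumptions, not the poster's rules.

```python
import ipaddress
import re
from collections import defaultdict

THRESHOLD = 4         # banned hosts per /24 (or blocked /24s per /16) before the whole range is blocked
TEMP_TTL = 24 * 3600  # temporary bans last 24 hours
PERM_SCORE = 10       # severity at which an offender goes straight onto the permanent list
PATTERNS = [  # constructed sshd-style log patterns with assumed scores (the poster's rules are not known)
    (re.compile(r"Failed password for .* from (\S+)"), 1),
    (re.compile(r"Invalid user .* from (\S+)"), 2),
    (re.compile(r"Address (\S+) maps to .*POSSIBLE BREAK-IN ATTEMPT"), PERM_SCORE)]

class BlockList:
    def __init__(self):
        self.temp, self.perm, self.banned_before = {}, set(), set()  # temp maps ip -> expiry epoch
        self.members = defaultdict(set)  # network -> banned members (hosts of a /24, /24s of a /16)

    def expire(self, now):  # release condition: temporary bans fall off after TEMP_TTL
        self.temp = {ip: exp for ip, exp in self.temp.items() if exp > now}

    def offend(self, ip, severity, now):
        active = self.temp.get(ip, 0) > now                 # currently under a temporary ban?
        repeat = ip in self.banned_before and not active    # came back after a temporary ban expired
        if ip in self.perm or severity >= PERM_SCORE or repeat:
            self.perm.add(ip)
        elif not active:
            self.temp[ip] = now + TEMP_TTL
            self.banned_before.add(ip)
        self._escalate(ipaddress.ip_address(ip))

    def _escalate(self, addr):  # widen host -> /24 -> /16 once THRESHOLD members of a range are banned
        net24 = ipaddress.ip_network(f"{addr}/24", strict=False)
        net16 = ipaddress.ip_network(f"{addr}/16", strict=False)
        self.members[net24].add(addr)
        if len(self.members[net24]) >= THRESHOLD:
            self.perm.add(str(net24))
            self.members[net16].add(net24)
            if len(self.members[net16]) >= THRESHOLD:
                self.perm.add(str(net16))

    def rules(self, now):  # iptables commands, omitting entries already covered by a wider block
        self.expire(now)
        nets = sorted(map(ipaddress.ip_network, self.perm | set(self.temp)), key=lambda n: n.prefixlen)
        kept = [n for i, n in enumerate(nets) if not any(n.subnet_of(k) for k in nets[:i])]
        return [f"iptables -I INPUT -s {n} -j DROP" for n in kept]

def process_log(lines, blocklist, now):  # feed raw log lines through the scoring patterns
    for line in lines:
        for pattern, severity in PATTERNS:
            if m := pattern.search(line):
                blocklist.offend(m.group(1), severity, now)
```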
 
Good thing I wasn’t judged based on my first 10 posts on this forum. This crowd can be snobby when it chooses to be. So let’s not.

Was that an explicit request to take it down? You’re really out to get him, it seems. Be sure to check out the occasional skin photos on his main site. Maybe you’ll change your mind.
@dave14305 - here's a refresh on your first 10+ posts on this forum way back in 2018 ... they were all constructive - no surprise that you currently have over 6,343 posts - but way more importantly 10,362 "Likes" - proper proof of your HUGE and fully appreciated contributions.

I am not "out to get him" - or anyone for that matter - as a septuagenarian ... I learnt a long time ago that "life is too short to stuff a mushroom".

I am concerned about links to "unknown" sites embedded in emails and/or forum posts ... they are often deployed to compromise systems [ransomware or other malware]. I'm sure many other members share such concerns. I am a passive member of AlienVault and use their resources to check sites - and the OP's came up with a number of "cautionaries" - a specific URL on his domain which was subsequently taken down; two security vendors flagging his IP as malicious; etc see screen grab ...
[attached screenshot: lightaffaire.JPG]
It was for that reason that I suggested the OP take a look at his own IP in his quest to block whole chunks of IP addresses. The OP ran a port scan in response and invited me to do the same ... while at the same issuing a "threat" ...

@kernol thank you for your answer concerning skynet and i will take a look at it.

Concerning your second message...

1. it is always best to run your own security checks i.e.,
.....
Note: we run offsite logging of all machines/infrastructure including all ip denys here so I would ask "you" to first think long and hard.

I saw no point in responding to his reply - which he now faults me for not doing.
I also have no wish to debate this further - the Captain of this ship and his First Mate have clearly endorsed the OP and so I will butt out ... and retain my personal quest to be helpful before hurtful [890+ posts 1,160+ likes].
 
Thanks @kernol, I and many do appreciate your help - as well as the help of many others on this forum. As one that is just a few short years away from being a septuagenarian, time has at least taught me to be more reflective.

Let’s move on!

@lightaffaire, if you do come up with a script that implements RMerlin's advice, please do post. The beauty of Open Source.

BTW @lightaffaire , tough crowd here at times. Thanks for sticking it out ;-)
You think this crowd is tough though? Go hang with Linus and the small cadre of Linux kernel devs…I still have scars on my back from years ago ;-)
 
On a couple of linux servers here I block large lists of IP/CIDR ranges via iptables using scripts to add and delete them as needed.

At one site I now have a GT-AX11000 running 386.5beta1 and would like to know the following:

1. the best way to bulk block IP ranges on an asuswrt-merlin system via a script?
I've been using Yet another malware block for quite awhile and works well for me on an AC68
 
Way back, I had a script that would parse my logs looking for various "offenses" and based on the severity (based purely on what I had coded) would either add the offender to a temporary list that would be blocked for 24 hours or to a permanent list. Repeat offenders in the temporary list would also be added to the permanent list. To speed up the actual blocking, I also had a threshold to start with a single IP, then if 4 addresses in that range were banned I'd simply block the whole range and keep increasing the mask as more and more offenders were captured. The script and database would build the iptables rules. I also had some release conditions so as to not overload the block list. I ran this for about 4 years. For my purposes, this worked extremely well and was easy to implement on Linux.

Unfortunately, I don't think I bothered to keep any of the code though. Presenting the "idea" rather than a solution :)
I use CSF/LFD for that on various servers.
 
I use CSF/LFD for that on various servers.
I just took a look at their homepage. Interesting.

Been using fail2ban python package to block brute force attacks. Did you by any chance do a LFD vs. fail2ban comparison?
 
I just took a look at their homepage. Interesting.

Been using fail2ban python package to block brute force attacks. Did you by any chance do a LFD vs. fail2ban comparison?
No. I know about fail2ban because it's very well known but I never used it personally. I have been using CSF/LFD since both Shorewall and another firewall script I can't recall the name went EOL. One of the reasons being it integrates directly into cPanel (which I run on one business server). I liked it enough when I installed it there to also start using it on my other servers as well. I like that it's highly configurable, all through one single config file, and you can decide how tight or loose you want things to be set. LFD is entirely optional, and if you use it you can easily decide what to monitor and what to ignore.
 
You think this crowd is tough though? Go hang with Linus and the small cadre of Linux kernel devs…I still have scars on my back from years ago ;-)
That is a very tough crowd indeed! Then again, the level of knowledge and expertise WRT Linux OS, software development practices & methodologies, and kernel architecture that is required to hang around those guys is much higher than on your average user forum.

Most senior software developers who are very good at their job, and that I've known and worked with over the years, tend to be very rigorous & meticulous about their work, have very strong ideas/opinions on how things should be done, and often expect the same from others. These expectations sometimes cross the line into the fastidious, even pedantic side.

Being a s/w developer myself, I understand where they're coming from and have sometimes in the past put that kind of demands on others. As I've grown older (and arguably "wiser"), I've slowly learned not to expect that kind of "s/w developer mindset" from others, while still remaining methodical & meticulous about my own work.

My own Lesson Learned: participating in user forums often requires one to grow a thick skin and ignore trolls, rude, mean, and unhappy posters; but give the benefit of the doubt whenever possible. At the same time, try to remain helpful and non-accusatory in your own posts.
 
The OT "Like" discussion has been moved.
 
My own Lesson Learned: participating in user forums often requires one to grow a thick skin and ignore trolls, rude, mean, and unhappy posters; but give the benefit of the doubt whenever possible. At the same time, try to remain helpful and non-accusatory in your own posts.
Words to live by. Amen.
 
