
Thread: Crawler stuck on my front door

  1. #1
    Join Date
    Oct 2007
    Location
    Todd Mission Texas
    Beans
    427
    Distro
    Ubuntu Gnome 14.04 Trusty Tahr

    Crawler stuck on my front door

    My ban log shows a crawler has made 849 pages of 50 attempts to log on since Sept 15. The IP is 77.88.29.248.

    Is there any way to stop this site short of catching a plane to Kiev UK and shooting the computer?

    Before the 15th I sent the site an email asking to stop and they answered that I should do something on my end.

    Well I already had. I put them on permanent ban.

    TIA
    Dave
    "Let us run the risk of wearing out rather than rusting out." __Theodore Roosevelt

  2. #2
    Join Date
    Nov 2005
    Location
    Nashville, TN
    Beans
    437
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Crawler stuck on my front door

    Reconfigure your SSH to work on a higher port like 2200. Brute force bots typically only try port 22.
    -Chayak

  3. #3
    Join Date
    Dec 2008
    Location
    Littleton, Colorado USA
    Beans
    362
    Distro
    Ubuntu 7.10 Gutsy Gibbon

    Re: Crawler stuck on my front door

    Add a block rule in IPTABLES for the IP address. You might also block the whole IP range. Have iptables quietly drop all packets from that address.

    Here is one I used to use in my script to block the IP address ranges for the US military.

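    # Assumes $IPT holds the path to iptables and a "blocked" chain already exists
    DOD_NET="214.0.0.0/8 \
    215.0.0.0/8"
    for NET in $DOD_NET; do
        # Match on the source network; without -s the rule rejects all TCP traffic
        $IPT -A blocked -s $NET -p tcp -j REJECT --reject-with tcp-reset
    done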


    You may not want to reject with tcp-reset, because I think this sends a packet back, but then the other end has to deal with it.

    I block entire class 1, 2, and 3 IP ranges especially from eastern Europe and Asia. I consider it OK for me to contact them, but not the other way around with my current config.

  4. #4
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    whois

    lensman3 has the right idea with IP Tables.

    Also try looking up the IP number using 'whois'.

    If the contact information is different than the address you have already contacted, then let them know what is going on. The ISPs have an obligation to deal with crackers.

  5. #5
    Join Date
    May 2006
    Location
    Switzerland
    Beans
    2,907
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: whois

    Quote Originally Posted by Lars Noodén View Post
    The ISPs have an obligation to deal with crackers.
    Yeah right. Good luck with that, especially outside of the EU or USA.

  6. #6
    Join Date
    Oct 2007
    Location
    Todd Mission Texas
    Beans
    427
    Distro
    Ubuntu Gnome 14.04 Trusty Tahr

    Re: whois

    Quote Originally Posted by Lars Noodén View Post
    Also try looking up the IP number using 'whois'.

    If the contact information is different than the address you have already contacted, then let them know what is going on. The ISPs have an obligation to deal with crackers.
    I did and did.
    I got a reply that it was their crawler and I should do something on my end to prevent it if I didn't like it.

    Code:
    whois 77.88.29.248
    returns
    role: Yandex LLC Network Operations
    address: Yandex LLC
    address: 1 bld. 21 Samokatnaya St.
    address: 111033
    address: Moscow
    address: Russian Federation
    phone: +7 495 739 7000
    fax-no: +7 495 739 7070
    remarks: trouble: ------------------------------------------------------
    remarks: trouble: Points of contact for Yandex LLC Network Operations
    remarks: trouble: ------------------------------------------------------
    remarks: trouble: Routing and peering issues: noc@yandex.net
    remarks: trouble: SPAM issues: abuse@yandex.ru
    remarks: trouble: Network security issues: abuse@yandex.ru
    remarks: trouble: Mail issues: postmaster@yandex.ru
    remarks: trouble: General information: info@yandex.ru
    remarks: trouble: ------------------------------------------------------
    admin-c: VLI1-RIPE
    admin-c: TVB11-RIPE
    tech-c: VLI1-RIPE
    nic-hdl: YNDX1-RIPE
    mnt-by: YANDEX-MNT
    source: RIPE # Filtered
    abuse-mailbox: abuse@yandex.ru
    "Let us run the risk of wearing out rather than rusting out." __Theodore Roosevelt

  7. #7
    pricetech is offline Iced Blended Vanilla Crème Ubuntu
    Join Date
    Apr 2008
    Beans
    1,651

    Re: Crawler stuck on my front door

    Moving SSH to another port should work. I've done it on 2 Hardy machines, though it failed in Jaunty.

    If you want instructions I'll see can I find my notes and either send them to you or post them.

  8. #8
    Join Date
    May 2006
    Location
    Switzerland
    Beans
    2,907
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: Crawler stuck on my front door

    Quote Originally Posted by pricetech View Post
    Moving SSH to another port should work. ... If you want instructions
    Instructions? Like edit /etc/ssh/sshd_config and modify the "Listen" port or add another one?

    That's not really efficient IMHO. First of all I wouldn't do it on the Linux system's SSH configuration but rather I'd change the port-forwarding on the exterior router (this is assuming there is one ... ) so that at least internally inside the LAN the SSH daemon can continue to run on port 22.

    Second, and that's IMHO far more efficient ... Why not ban the entire IP range and be done with it? If you have no business with those parts of the world then their IP ranges have no business being able to reach your system. At all. Ever. So ... lock them out.

    You may want to read the manual on this:
    Code:
    man 5 hosts_access
    As per manual, you'd edit this file:
    Code:
    gksudo gedit /etc/hosts.deny
    Go to the bottom of the file and add their DNS name and their IP ranges -- according to the "whois" entry this would be:
    Code:
    ALL: 77.88.0.0/18
    ALL: .yandex.ru
    This should prevent any connection attempts that originate from their networks.


    EDIT: Syntax error corrected.
    Last edited by scorp123; October 12th, 2009 at 09:10 PM. Reason: typo in the syntax ...

  9. #9
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    hosts.deny

    As scorp123 said, /etc/hosts.deny is another option. I tried both IP Tables and /etc/hosts.deny earlier today and could not get a proper test of which is less of a burden on system resources.

    However, instead of this;

    Code:
    ALL: 77.88.0.0/18
    ALL: .yandex.ru
    I would propose skipping the DNS lookups, since you are checking your logs periodically any way.

    Code:
    ALL: 77.88.0.0/18
    ALL: 77.88.29.0/24
    ALL: 77.88.28.0/22
    ALL: 77.88.24.0/21
    These were collected from whois:
    Code:
    whois 77.88.29.248 | grep route | sed -e "s/route:/ALL:/;s/  */ /"
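The four ranges collected above overlap: 77.88.0.0/18 already contains the other three. As an added example (not part of any poster's reply), this POSIX shell sketch filters whois `route:` lines down to the networks not covered by a wider one and prints a silent-drop iptables rule for each, the "quietly drop" approach from post #3. The function names and `WHOIS_SAMPLE` are assumptions made for the example; the rules are printed, not applied.

```shell
# WHOIS_SAMPLE is constructed from the four ranges quoted in the thread,
# so the example runs offline instead of calling whois.
WHOIS_SAMPLE='route:          77.88.0.0/18
descr:          constructed sample line
route:          77.88.29.0/24
route:          77.88.28.0/22
route:          77.88.24.0/21'

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP NET/LEN -> exit status 0 when IP lies inside NET/LEN
in_net() {
    len=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "${2%/*}") & $mask )) ]
}

# routes: read whois output on stdin, print unique CIDR-shaped route values
routes() {
    sed -n 's/^route:[[:space:]]*//p' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' | sort -u
}

# minimal_routes: drop every route already covered by a shorter-prefix route
minimal_routes() {
    all=$(routes)
    for net in $all; do
        covered=no
        for other in $all; do
            [ "${other#*/}" -lt "${net#*/}" ] && in_net "${net%/*}" "$other" && covered=yes
        done
        [ "$covered" = no ] && echo "$net"
    done
    return 0
}

# drop_rules: print (do not run) one DROP rule per remaining network;
# DROP sends nothing back, unlike REJECT --reject-with tcp-reset
drop_rules() {
    minimal_routes | while read -r net; do
        echo "iptables -I INPUT -s $net -j DROP"
    done
}

printf '%s\n' "$WHOIS_SAMPLE" | drop_rules
```

Against a live lookup the input would be `whois 77.88.29.248 | drop_rules`; review the printed rules before running them as root.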

  10. #10
    pricetech is offline Iced Blended Vanilla Crème Ubuntu
    Join Date
    Apr 2008
    Beans
    1,651

    Re: Crawler stuck on my front door

    Quote Originally Posted by scorp123 View Post
    That's not really efficient IMHO.
    Efficient ??

    Quote Originally Posted by scorp123 View Post
    First of all I wouldn't do it on the Linux system's SSH configuration but rather I'd change the port-forwarding on the exterior router
    That doesn't always work. Some routers will only forward to the same port number. I don't have an explanation for why, it's just an issue I've run into.

    I will say this about changing the port; IANA says 49152 to 65535 are the Dynamic / Private ports so I'd pick something in that port range.

    Granted, some people consider changing the port to be "security through obscurity" but if you can make your front door invisible as well as locking it, why not ??
