

Can someone provide me with a range of Chinese IPs so I can ban them?

A1Owner
February 12th, 2006, 00:18
Hello,
This is getting annoying. On another server of mine I have been getting login attempts from China/Korea, so if someone knows a complete list of potential Chinese/Korean IPs that should be banned, please list them. Sorry, I have nothing against China or anyone from there, but it is those few people that ruin the image of the whole country.

Current login attempts as noticed are:


> --------------------- pam_unix Begin ------------------------
>
> crond:
> Unknown Entries:
> session closed for user root: 311 Time(s)
> session opened for user root by (uid=0): 311 Time(s)
>
> sshd:
> Authentication Failures:
> unknown (218.188.23.45): 4935 Time(s)
> unknown (211.230.148.87): 1674 Time(s)
> root (218.188.23.45): 95 Time(s)
> root (211.230.148.87): 34 Time(s)
> gopher (218.188.23.45): 13 Time(s)
> unknown (210.91.16.5): 12 Time(s)
> apache (211.230.148.87): 10 Time(s)
> adm (211.230.148.87): 9 Time(s)
> ftp (211.230.148.87): 9 Time(s)
> john (211.230.148.87): 9 Time(s)
> squid (218.188.23.45): 8 Time(s)
> mail (211.230.148.87): 7 Time(s)
> root (210.91.16.5): 7 Time(s)
> vcsa (218.188.23.45): 7 Time(s)
> pcap (218.188.23.45): 6 Time(s)
> shutdown (218.188.23.45): 6 Time(s)
> nscd (218.188.23.45): 5 Time(s)
> ntp (218.188.23.45): 5 Time(s)
> webalizer (218.188.23.45): 5 Time(s)
> adm (218.188.23.45): 4 Time(s)
> apache (218.188.23.45): 4 Time(s)
> daemon (218.188.23.45): 4 Time(s)
> dave (211.230.148.87): 4 Time(s)
> dovecot (218.188.23.45): 4 Time(s)
> ftp (218.188.23.45): 4 Time(s)
> games (218.188.23.45): 4 Time(s)
> halt (218.188.23.45): 4 Time(s)
> lp (218.188.23.45): 4 Time(s)
> mail (218.188.23.45): 4 Time(s)
> mailnull (218.188.23.45): 4 Time(s)
> named (218.188.23.45): 4 Time(s)
> news (218.188.23.45): 4 Time(s)
> nobody (218.188.23.45): 4 Time(s)
> operator (218.188.23.45): 4 Time(s)
> rpc (218.188.23.45): 4 Time(s)
> rpm (218.188.23.45): 4 Time(s)
> smmsp (218.188.23.45): 4 Time(s)
> sync (218.188.23.45): 4 Time(s)
> uucp (218.188.23.45): 4 Time(s)
> sshd (218.188.23.45): 3 Time(s)
> bin (218.188.23.45): 2 Time(s)
> john (210.91.16.5): 1 Time(s)
> Invalid Users:
> Unknown Account: 6621 Time(s)
>
>
> ---------------------- pam_unix End -------------------------
>
>
> --------------------- sendmail Begin ------------------------
>
>
>
> Bytes Transferred: 5930
> Messages Sent: 2
> Total recipients: 2
> ---------------------- sendmail End -------------------------
>
>
> --------------------- SSHD Begin ------------------------
>
>
> SSHD Killed: 1 Time(s)
>
> SSHD Started: 1 Time(s)
>
> Failed to bind:
> 0.0.0.0 port 22 (Address already in use) : 1 Time(s)
>
> Failed logins from these:
> adm/password from ::ffff:211.230.148.87: 9 Time(s)
> adm/password from ::ffff:218.188.23.45: 4 Time(s)
> apache/password from ::ffff:211.230.148.87: 10 Time(s)
> apache/password from ::ffff:218.188.23.45: 4 Time(s)
> bin/password from ::ffff:218.188.23.45: 2 Time(s)
> daemon/password from ::ffff:218.188.23.45: 4 Time(s)
> dave/password from ::ffff:211.230.148.87: 4 Time(s)
> dovecot/password from ::ffff:218.188.23.45: 4 Time(s)
> ftp/password from ::ffff:211.230.148.87: 9 Time(s)
> ftp/password from ::ffff:218.188.23.45: 4 Time(s)
> games/password from ::ffff:218.188.23.45: 4 Time(s)
> gopher/password from ::ffff:218.188.23.45: 13 Time(s)
> halt/password from ::ffff:218.188.23.45: 4 Time(s)
> john/password from ::ffff:210.91.16.5: 1 Time(s)
> john/password from ::ffff:211.230.148.87: 9 Time(s)
> lp/password from ::ffff:218.188.23.45: 4 Time(s)
> mail/password from ::ffff:211.230.148.87: 7 Time(s)
> mail/password from ::ffff:218.188.23.45: 4 Time(s)
> mailnull/password from ::ffff:218.188.23.45: 4 Time(s)
> named/password from ::ffff:218.188.23.45: 4 Time(s)
> news/password from ::ffff:218.188.23.45: 4 Time(s)
> nobody/password from ::ffff:218.188.23.45: 4 Time(s)
> nscd/password from ::ffff:218.188.23.45: 5 Time(s)
> ntp/password from ::ffff:218.188.23.45: 5 Time(s)
> operator/password from ::ffff:218.188.23.45: 4 Time(s)
> pcap/password from ::ffff:218.188.23.45: 6 Time(s)
> root/password from ::ffff:210.91.16.5: 7 Time(s)
> root/password from ::ffff:211.230.148.87: 34 Time(s)
> root/password from ::ffff:218.188.23.45: 95 Time(s)
> rpc/password from ::ffff:218.188.23.45: 4 Time(s)
> rpm/password from ::ffff:218.188.23.45: 4 Time(s)
> shutdown/password from ::ffff:218.188.23.45: 6 Time(s)
> smmsp/password from ::ffff:218.188.23.45: 4 Time(s)
> squid/password from ::ffff:218.188.23.45: 8 Time(s)
> sshd/password from ::ffff:218.188.23.45: 3 Time(s)
> sync/password from ::ffff:218.188.23.45: 4 Time(s)
> uucp/password from ::ffff:218.188.23.45: 4 Time(s)
> vcsa/password from ::ffff:218.188.23.45: 7 Time(s)
> webalizer/password from ::ffff:218.188.23.45: 5 Time(s)
>


The list continues and would take up 2-3 pages if I were to post it all here.
So does anyone have a full IP list that should always remain banned?

There you go, added a few IPs to the banned list:

[root@localhost apf]# iptables -I INPUT -p tcp -s 218.0.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p udp -s 218.0.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p udp -s 211.0.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p tcp -s 211.0.0.0 -j DROP
[root@localhost apf]#



Edit: Here are more IPs that are banned now; all originate from either Korea, Malaysia, China or Japan. Man, don't these guys have anything better to do?


[root@localhost apf]# iptables -I INPUT -p tcp -s 220.0.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p udp -s 220.0.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p udp -s 221.0.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p tcp -s 221.0.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p tcp -s 61.152.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p udp -s 61.152.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p udp -s 60.0.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p tcp -s 60.0.0.0 -j DROP

Thanks

NetCafe
February 13th, 2006, 13:40
These are usually exploiting servers and mostly owned by the Chinese govt themselves. We have a couple of them and tried complaining; it's pointless.

Like you, we normally use APF to ban them.

ingfina
February 13th, 2006, 14:31
Install BFD - that will take care of the problem. Switch the SSH port and use PortSentry if you want max security.

eugeneo
February 13th, 2006, 18:35
Did anybody know that there is a way in cPanel to take over SSH.... Don't really feel like telling anybody here because all servers running cPanel are open. Notified cpanel.net.

ingfina
February 14th, 2006, 10:53
> Did anybody know that there is a way in cPanel to take over SSH.... Don't really feel like telling anybody here because all servers running cPanel are open. Notified cpanel.net.

So, you're the only one who noticed? Server config done badly? And what is "take over"? Jailshell?

needlehost
February 14th, 2006, 10:56
Yes, I knew; it's been open knowledge on underground forums for years. However, this is a much older version of cPanel (cPanel 6 and below).

eugeneo
February 14th, 2006, 11:06
Nope, still works...... It uses cPanel. Change root password and login.. Simple. Hope no one finds out before cPanel releases an update :crying5:

HMarker
February 14th, 2006, 17:44
Try disabling your SSH service, if your hosting plans don't include SSH access.

A1Owner
February 15th, 2006, 01:03
No, cannot disable SSH because I am hosting game servers on the said server; webhosting is done on a separate server which doesn't seem to be having many issues.

needlehost
February 15th, 2006, 04:14
> Nope, still works...... It uses cPanel. Change root password and login.. Simple. Hope no one finds out before cPanel releases an update :crying5:

Tell me you're joking.
Please.
*updates cPanel*

RackSlash
February 21st, 2006, 12:49
I had one... Did you harden your servers? How did they get in? Also it is not good to block all of a country's IPs via a software firewall, is it? Better use HW to block... big range of IPs... lol. Maybe I am wrong :)

hottweelz
February 21st, 2006, 13:53
Just change the port # of SSH to some random port.

A1Owner
February 21st, 2006, 15:02
> Just change the port # of SSH to some random port.

I know that; I change the SSH port every week. But I need IPs to remain banned.

eugeneo
February 21st, 2006, 15:37
Why don't you block all IP addresses from certain countries?

hottweelz
February 21st, 2006, 15:37
Why not just block all countries?

James
February 21st, 2006, 15:41
I wouldn't block ranges of IPs unless I really had to. Your log shows only a few IPs making breach attempts.

Did you try the following style on your APF?

"/etc/apf/apf -d 218.188.23.45 breach attempts: please go away"

Is BFD installed?

hottweelz
February 21st, 2006, 15:53
I don't think he's using BFD... If you block IPs they'll just use different ones until they get in... without prejudice to geography. Get BFD in there, APF first! They work great together... If you really want to blast them away, I love using DOS Deflate (http://forums.deftechgroup.com/showthread.php?t=825) as a third supplement. You can set the timespan to ban the IPs.

A1Owner
February 21st, 2006, 20:16
> Why not just block all countries?

Lol, good idea. How about apf -d 0.0.0.0.0 Hacker

utcrazy
February 21st, 2006, 20:46
Sounds like a magical solution to me. :)

James
February 22nd, 2006, 02:54
> Lol, good idea. How about apf -d 0.0.0.0.0 Hacker

You can also try limiting SSH so it's only accessible from your IP, in your /etc/ssh/sshd_config "ListenAddress", which is probably commented out.

rena_chan
February 24th, 2006, 10:32
So if they use a proxy?
Will they still be able to try to access?

James
February 24th, 2006, 10:51
> So if they use a proxy?
> Will they still be able to try to access?

If you are talking about the ListenAddress I mentioned, no.

Only the specified IP can access SSH with ListenAddress set; no other IP can.

talence
February 24th, 2006, 11:00
> So if they use a proxy?
> Will they still be able to try to access?

Yes, if you are talking about HTTP. To access SSH no HTTP proxy is allowed; HTTP proxies will not work on SSH. To make SSH lame you need to use an SSH tunnel, the same laming technology which is used on HTTP.

But as James said, if you are using ListenAddress then one IP will be allowed to access the shell on your server. It can only be done by the admin if he is using only one IP to access his SSH as well as for most of the server work.

And to ban the whole range, you made some mistakes:

[root@localhost apf]# iptables -I INPUT -p tcp -s 218.0.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p udp -s 218.0.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p udp -s 211.0.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p tcp -s 211.0.0.0 -j DROP

It should not be like that. It should be like this:

iptables -A INPUT -s 218.0.0.0/8 -j DROP
iptables -A INPUT -s 211.0.0.0/8 -j DROP

Changing the IP will ban the whole range, like 211.0.0.0 - 255.0.0.0

You can also do this:

218.1.1.0/24 (To Ban Upto 255.255.255.0)
218.1.0.0/16 (To Ban Upto 255.255.0.0)

Regards

A1Owner
February 24th, 2006, 13:19
Well, regarding ListenAddress, I do not have a single IP as it changes from location to location (no, I don't sit at home all the time). So how do I put in and allow more than one IP to listen to?

And thanks talence, I know what /24 and /16 mean. But what does /8 mean?

ingfina
February 24th, 2006, 13:27
> But what does /8 mean?

255.0.0.0

talence
February 25th, 2006, 03:00
> 255.0.0.0
> But what does /8 mean?

Correct what ingfina said, and I also mentioned that in my reply. It's like this:

if you use 218.0.0.0/8 then it will ban all the IPs up to 218.0.0.0 - 255.0.0.0

It will contain 16777216 IPs.

You can also use 218.0.0.0/7
It means like this:
218.0.0.0/7 = 218.0.0.0 through 219.255.255.255

This will contain 33554432 IPs.

Regards
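As an added example (not code from any poster in this thread), the following Python script does what talence's two replies describe by hand: it sums the failed-login counts per source address from logwatch lines in the format quoted above, shows how many addresses a /8, /7, /16, /24 or /32 prefix around one of those addresses covers, and emits `iptables -A INPUT -s <cidr> -j DROP` rules for sources above a threshold. The log lines, the threshold and the helper names are constructed for this example; note that a bare `-s 218.0.0.0` with no mask is a /32 and matches only one host, which is why the original rules did nothing against the whole range.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample in the logwatch "Failed logins from these:" format
# quoted in the thread (IPv4-mapped IPv6 source, count per user/address).
SAMPLE_LOG = """\
root/password from ::ffff:218.188.23.45: 95 Time(s)
root/password from ::ffff:211.230.148.87: 34 Time(s)
gopher/password from ::ffff:218.188.23.45: 13 Time(s)
john/password from ::ffff:210.91.16.5: 1 Time(s)
"""

LINE_RE = re.compile(r"from ::ffff:(\d+\.\d+\.\d+\.\d+): (\d+) Time\(s\)")

def failed_attempts(log_text):
    """Sum failed login attempts per source IPv4 address."""
    counts = Counter()
    for m in LINE_RE.finditer(log_text):
        counts[m.group(1)] += int(m.group(2))
    return counts

def block_network(ip, prefix):
    """Return the CIDR block of the given prefix length containing ip and
    the number of addresses it covers. With no mask, as in the original
    'iptables -s 218.0.0.0' rules, the prefix is /32: one host only."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net), net.num_addresses

def iptables_rules(counts, threshold, prefix=32):
    """Emit DROP rules for every source at or above threshold, widened to
    the requested prefix (/32 = single host, /8 = whole first octet)."""
    rules, seen = [], set()
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        if n < threshold:
            continue
        net, _ = block_network(ip, prefix)
        if net not in seen:          # several hosts may share one block
            seen.add(net)
            rules.append(f"iptables -A INPUT -s {net} -j DROP")
    return rules

if __name__ == "__main__":
    c = failed_attempts(SAMPLE_LOG)
    for p in (8, 7, 16, 24, 32):
        print(f"/{p}:", block_network("218.188.23.45", p))
    print("\n".join(iptables_rules(c, threshold=10)))
```

The /8 and /7 results reproduce the 16777216 and 33554432 address counts given above; widen the prefix only as far as the attempts actually justify.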





  
  News · Search free hosts · Free file hosting · Free image hosting · Reviews · Forums · Related Links · Advertising Info · Contact Us


Copyright © 1996-2008 Per Olof Sandholm. All rights reserved. Privacy Statement

EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum