Hi there, On Fri, 22 Jan 2010 clamav-users-requ...@lists.clamav.net lists wrote:
> Every day I am notified from ClamAV that the following IP
> "75.112.128.242" is sending me a Virus / Trojan:

I would put that one in the tarpit, but you don't have that luxury. :(

You could firewall the offending IP:

ipcop_root_prompt ~ # /sbin/iptables -I INPUT -j DROP -s 75.112.128.242

but in the interests of preserving sanity I'd suggest you turn off the notifications and just look at the logs now and again. Typically these IPs are in use by compromised PCs and normally they go away - user reinstalls Windows, ISP cuts the service, whatever - after between a few days and a few weeks. But while they are active they're a bit of a nuisance.

Unfortunately there are many millions of other IPs which will be trying to send similar malware, malicious mail, spam, scams, and all sorts of other junk when they find out about you. You really don't want to be reading about them in emails nor adding them all to your kernel's drop list, especially not by hand, not least because:

1. You'll get repetitive strain injuries. :(
2. The performance of iptables goes rapidly downhill when you start to add thousands of rules to the tables.

Using a modification to iptables called ipset I've set up 27 BLOCKSETs, one of which is populated automatically and the others (semi-)manually. I block anything from a single IP (BLOCKSET32) to a whole /8 (BLOCKSET08) and yet I still have only 27 rules in the table. Most firewalling is done automatically by scripts which monitor the logs for undesired connections. They produce very large numbers of rules. In this case they would block the entire /24 network.
If I were to do it by hand, first I'd investigate the ISP

----------------------------------------------------------------------
| laptop:~/junk$ >>> whois 75.112.128.242
| BRIGHT HOUSE NETWORKS, LLC BLOCK-9 (NET-75-112-0-0-1)
| 75.112.0.0 - 75.115.255.255
| Bright House Networks - CFL Division COMM-SRVCS-2 (NET-75-112-128-0-1)
| 75.112.128.0 - 75.112.131.255
----------------------------------------------------------------------

and then I'd probably block the whole /14, not just the /24:

root_prompt ~ # /sbin/iptables -A BLOCKSET14 -s 75.112.0.0

(This command won't work for you, because you haven't installed ipsets nor the ipset rule called BLOCKSET14 that I've created).

To give you an idea of what you're up against, here are the counts for the automatically populated BLOCKSET and for the whole lot:

[r...@mail3 ~]# ipset -L BLOCKSET | grep -v : | wc -w
36271
[r...@mail3 ~]# ipset -L | grep -v : | wc -w
57342

Many of these IPs are taken from public RBLs and the like, I didn't type them all by hand! So in the last five years or so there are about 36,000 /24 networks which have been blocked by my firewall scripts for sending junk, and over 21,000 networks of other sizes from /8 to /24. Only 106 of the networks blocked at the moment are smaller than /24.

Here are the 26 BLOCKSETS complete (excluding the one automatic BLOCKSET list).

[r...@mail3 ~]# for i in 08 .... 32; do ipset -L BLOCKSET$i | grep -v : | wc -w ; done
38 <- BLOCKSET08
5
16
62
110
185
276
472
1867
682
1349
3381
2622
1495
1666
2086
3740 <- BLOCKSET24
37
22
20
7
11
2
1
6 <- BLOCKSET32

Yes, that really is 38 /8 networks that are firewalled here. It's still not particularly peaceful in my server logs.

--
73, Ged.

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
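Ged describes scripts that watch the logs and populate a BLOCKSET automatically, but does not show them. As an added example (not Ged's code), the POSIX shell script below does the core of that job: it pulls the source IP out of constructed ClamAV log lines, aggregates them into /24 networks, and emits the ipset/iptables commands that drop all of them with a single rule. The set name BLOCKSET24 is taken from the message; the log line format and the ipset 6 command syntax (ipset create/add, iptables -m set --match-set) are assumptions.

```shell
#!/bin/sh
# Added example, not the list author's scripts. Aggregates offending source
# IPs from mail logs into /24 networks and prints the commands that block
# them all behind one iptables rule. The log lines are constructed; the log
# format, the BLOCKSET24 set name and the ipset 6 syntax are assumptions.

SAMPLE_LOG='Jan 22 10:01:02 mail3 clamav-milter: Message from 75.112.128.242 infected by Trojan.Downloader
Jan 22 10:03:17 mail3 clamav-milter: Message from 75.112.129.10 infected by Worm.Mydoom
Jan 22 10:05:44 mail3 clamav-milter: Message from 198.51.100.7 infected by Trojan.Agent
Jan 22 10:06:00 mail3 postfix/smtpd: connect from unknown[198.51.100.7]
Jan 22 10:07:31 mail3 clamav-milter: Message from 203.0.113.9 infected by Trojan.Agent
Jan 22 10:07:32 mail3 postfix/smtpd: connect from unknown[203.0.113.9]'

# Map a dotted quad onto its /24 network: 75.112.128.242 -> 75.112.128.0/24
to_net24() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d.%d.%d.0/24\n", $1, $2, $3 }'
}

# Read log text on stdin, keep only the "infected" reports, take the sender IP,
# widen each to its /24 and print the distinct networks, sorted.
infected_nets() {
    sed -n 's/.*Message from \([0-9.]*\) infected.*/\1/p' |
    while IFS= read -r ip; do to_net24 "$ip"; done |
    sort -u
}

# Print the commands an operator would run. Nothing is applied here; review
# the output before piping it into sh on the firewall host.
emit_block_commands() {
    echo 'ipset create BLOCKSET24 hash:net -exist'
    printf '%s\n' "$SAMPLE_LOG" | infected_nets |
    while IFS= read -r net; do
        echo "ipset add BLOCKSET24 $net -exist"
    done
    # One rule matches every network in the set, however many entries it holds,
    # which is what keeps the iptables chain short.
    echo 'iptables -I INPUT -m set --match-set BLOCKSET24 src -j DROP'
}

emit_block_commands
```

Postfix "connect from" lines are deliberately ignored so that only ClamAV detections feed the set; whole /24s are blocked, so check the whois data before applying the output to a network you depend on.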