On 8/14/22, Matthias Böttcher wrote:
> On Sun., 14 Aug. 2022 at 09:51, Reco wrote:
>
>> Personally I don't use fail2ban for sshd. Because why bother with
>> userspace (written in python too, yuck) if the kernel does the same job?
>> I.e. block M$ AS, China Telecom AS and maybe add Eastern Europe to the
>> mix, and you've just reduced the number of offending logins by two
>> orders of magnitude.
>
> Hi Reco,
>
> how do I block these ip ranges?
> Which source can I use to determine the geo location of ip addresses?
I'd suggest a white-list approach - i.e. allow ssh from <these> networks
instead of playing whack-a-mole, but if you _really_ want to block by
country

1. learn expect
2. figure out how to script this bit:

   get a list of ASNs (Autonomous System Number) for that country - e.g.
   https://ipinfo.io/countries/cn

   find some route servers that give you telnet access - e.g.
   https://bgp4.as/looking-glasses
   you want the CATEGORY 2 - IPv4 AND IPv6 BGP ROUTE SERVERS BY REGION
   (TELNET ACCESS) table at the end of the page

   figure out the correct syntax for showing bgp routes transiting the
   target ASN
   for cisco routers it's "sh ip bgp regexp _ASN#_" so show all routes
   transiting that ASN

route-server.he.net seems to be a cisco router, so

$ telnet route-server.he.net
  ...
route-server> sh ip bgp regexp _4812_
BGP table version is 0, local router ID is 64.62.142.154
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
* i36.111.0.0/20    64.62.244.62             0    100      0 4134 4134 4812 i
*>i                 118.85.205.25                 100      0 4134 4812 i
* i                 118.85.205.25                 100      0 4134 4812 i
* i                 216.218.252.178          0    100      0 4134 4134 4812 i
* i                 216.218.252.164          0    100      0 4134 4134 4812 i
* i                 209.51.191.134           0    100      0 4134 4134 4812 i
* i                 209.51.191.134           0    100      0 4134 4134 4812 i
* i                 118.85.205.25                 100      0 4134 4812 i
* i                 209.51.191.134           0    100      0 4134 4134 4812 i
* i                 209.51.191.134           0    100      0 4134 4134 4812 i
* i                 64.62.244.62             0    100      0 4134 4134 4812 i
* i                 64.62.151.102            0    100      0 4134 4134 4812 i
* i                 64.62.244.62             0    100      0 4134 4134 4812 i
* i                 209.51.191.134           0    100      0 4134 4134 4812 i
* i                 209.51.191.134           0    100      0 4134 4134 4812 i
* i                 216.218.252.169          0    100      0 4134 4134 4812 i
* i36.255.128.0/22  118.85.205.25                 100      0 4134 4812 63570 i
* i                 118.85.205.25                 100      0 4134 4812 63570 i
*>i                 118.85.205.25                 100      0 4134 4812 63570 i
* i40.0.176.0/21    62.115.181.197          48     70      0 1299 4134 4812 4249 i
* i                 62.115.14.5             48     70      0 1299 4134 4812 4249 i

And don't forget to block ipv6, so

route-server> sh bgp ipv6 regexp _4812_
BGP table version is 0, local router ID is 64.62.142.154
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
* i2400:6600::/32   2a04:f580:8210:100::9    0    100      0 4134 4812 9812 i
* i                 2001:470:0:38e::2        0    100      0 4134 4812 9812 i
* i                 2001:470:0:38e::2        0    100      0 4134 4812 9812 i
* i                 2001:470:0:5f::2         0    100      0 4134 4812 9812 i
* i                 2001:470:0:1a::1         0    100      0 4134 4812 9812 i
* i                 2001:470:0:5f::2         0    100      0 4134 4812 9812 i
* i                 2001:470:0:5f::2         0    100      0 4134 4812 9812 i

Regards,
Lee