3

I have this range of IPs 197.192.x.x that is brute force attacking my pop/imap/smtp servers day after day.

I have this ipset in place that is blocking every IP that tries to hack on my server.

I would like to block access for pop/smtp/imap for all IPs starting with 197.192

To do this, I have typed this command:

ipset -A myIpset 197.192.0.0/24

but this added 65536 IPs to my ipset, making it huge and now I cannot add more IPs to it.

Is there another way to do this in a more elegant way?

Duck

2 Answers

4

You can add another ipset to block, this time of type hash:net, and add 197.192.0.0/16 to that ipset. Or replace your ipset with one of type hash:net since hash:net can store IP addresses as well (netmask 32).

To convert from hash:ip to hash:net:

  ipset save myIpset > myIpset &&                 # dump the hash:ip set (create + add lines) to a file
    ipset destroy myIpset &&                      # drop the old set; fails while an iptables rule still references it
    sed s/:ip/:net/ myIpset | ipset restore &&    # recreate it as hash:net with the same members
    ipset add myIpset 197.192.0.0/16              # whole networks can now be added

Stéphane Chazelas
  • thanks. Your command did not work for me, but I got the idea and created a hash:net ipset and now I can add ranges of IPs to that. Just one question, why 0/16? wouldn't it be 0/24? – Duck Apr 30 '13 at 22:50
  • 1
    @DigitalRobot: according to your own question it would be `/24`. Probably a typo. – 0xC0000022L Jun 30 '14 at 22:20
  • @0xC0000022L, to _block all the 65536 IPs starting with 197.192_ as asked in the question, you need `197.192.0/16`. `192.192.0.0/24` is the 256 IP addresses starting with `197.192.0`. – Stéphane Chazelas Jul 01 '14 at 07:50
  • @StéphaneChazelas: I know how subnets are calculated. I was just speculating. However, the original question with `/24` is unlikely to add 64k IP addresses to the set. – 0xC0000022L Jul 01 '14 at 10:17
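As an added example (not code from either answer or from the ipset project), the Python helper below does offline what the save / sed / restore pipeline above does, and additionally drops the single host entries that the newly added network already covers, so the set gets smaller rather than larger. It also lets you check how many addresses a /16 versus a /24 covers before touching the kernel. The `ipset save` dump is a constructed sample; the set name `myIpset` comes from the question, and the `hashsize`/`maxelem` values are assumed.

```python
"""Rebuild an `ipset save` dump of a hash:ip set as a hash:net set.

Added example, not code from the page's answers. It mirrors the
save / sed / restore pipeline but also prunes host entries that the
newly added network covers. Stdlib only; feed the output to
`ipset restore` yourself after `ipset destroy myIpset`.
"""
import ipaddress

# Constructed sample of `ipset save myIpset` output for a hash:ip set.
# Set name is from the question; hashsize/maxelem are assumed values.
SAMPLE_DUMP = """\
create myIpset hash:ip family inet hashsize 1024 maxelem 65536
add myIpset 197.192.10.5
add myIpset 197.192.200.77
add myIpset 203.0.113.9
add myIpset 198.51.100.23
"""


def prefix_host_count(cidr):
    """Addresses covered by a CIDR block: /16 -> 65536, /24 -> 256."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def convert_dump(dump, new_nets):
    """Return (restore_script, kept, dropped).

    restore_script is text for `ipset restore`; kept lists the original
    host entries still needed; dropped lists those inside new_nets.
    """
    lines = dump.splitlines()
    create = next(line for line in lines if line.startswith("create "))
    fields = create.split()
    name, settype = fields[1], fields[2]
    if settype != "hash:ip":
        raise ValueError("expected a hash:ip set, got %s" % settype)
    # Keep family/hashsize/maxelem, swap only the type (what the sed does).
    fields[2] = "hash:net"
    create_net = " ".join(fields)

    nets = [ipaddress.ip_network(n, strict=False) for n in new_nets]
    kept, dropped = [], []
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "add" or parts[1] != name:
            continue
        entry = parts[2]
        host = ipaddress.ip_network(entry, strict=False)  # "a.b.c.d" -> /32
        if any(host.subnet_of(n) for n in nets):
            dropped.append(entry)
        else:
            kept.append(entry)

    script = [create_net]
    script += ["add %s %s" % (name, n.with_prefixlen) for n in nets]
    script += ["add %s %s" % (name, e) for e in kept]
    return "\n".join(script) + "\n", kept, dropped


if __name__ == "__main__":
    print("/16 covers %d addresses, /24 covers %d" % (
        prefix_host_count("197.192.0.0/16"),
        prefix_host_count("197.192.0.0/24")))
    script, kept, dropped = convert_dump(SAMPLE_DUMP, ["197.192.0.0/16"])
    print("dropped %d host entries now covered by the network" % len(dropped))
    print(script, end="")
```

Pipe the printed script into `ipset restore` after `ipset destroy myIpset`; `destroy` refuses while an iptables rule still references the set, so the unprotected window is the same as with the one-liner above. Pruning is not needed for correctness, since hash:net accepts a /32 inside a /16 it already holds; it only keeps the set small, which was the original complaint.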
2

You could just not use an ipset for that; iptables can match networks fairly easily:

iptables -I INPUT -s 197.192.0.0/16 -p tcp -m multiport --dports smtp,imap,pop3 -j DROP

or similar.

BTW: Have you reported the abuse to [email protected] as requested in AfriNIC Whois? Worth a try...

derobert
  • Downvote: The question was about an IP set specifically and using a single static rule per network when potentially other networks may join the group of blocked networks calls for IP sets as opposed to one rule per network. The network can be dynamically added to an existing IP set, whereas with the `iptables` rule you need to `-I` the rule at the right position, if it's doing something other than dropping or rejecting. I think the OP is completely right in making use of an IP set. – 0xC0000022L Jun 30 '14 at 22:21
  • Original question included this "Is there another way to do this in a more elegant way?" which makes this answer more than just a little valid. Plus, the original question was stated as "to avoid flooding my ipset" which in NO way limits the answer to IPset responses, and in fact invites answers other than IPset even without the Explicit "more elegant way". So ... upvote it if it works for you. Although the missing - in front of the p and dports failure was a bit of a problem. I generally don't bother with port blocking. Attacks result in IP blocking completely. IMHO. – TheSatinKnight Apr 21 '22 at 01:46