iptables +block country

Amedee Van Gasse (ub) amedee-ubuntu at amedee.be
Thu Aug 19 08:29:00 UTC 2010


On Tue, August 17, 2010 06:41, NoOp wrote:
> On 08/16/2010 12:27 PM, Brian wrote:
>> On Mon 16 Aug 2010 at 12:18:24 -0700, NoOp wrote:
>>
>>> It's a private machine, private home network Brian. My machines, my
>>> rules :-)
>>
>> Of course it is. Just like every other machine on the network.
>>
>
> And so your objection to me using iptables (or any other method) to
> block by country et al is?
>
> At this point it's probably better to move this over to sounder, but I'd
> still like to know why the objection to block by country AS/cidr on a
> private home machine/network seems to raise objections. I don't offer an
> internet facing service, I don't offer access to my machine(s) from
> outside sources unless previously authorised, and I simply do not like
> bot scans from the likes already mentioned.
>
> I'm not biased as to race, country, whatever (I reckon that I may
> have visited China before Sandy was in school, lived in Hong Kong,
> lived/worked in Asia for over 30 years), I'm just tired of bots "ringing
> my doorbell" and taking up resources in the process.
>
> I've already demonstrated from the ~/.xsessions-error log whereby 5900
> (VNC) requests show up. Note that denyhosts etc., primarily only scan
> /var/log/auth.log unless specifically tuned to scan other logs. A VNC
> 5900 attempt will not go into /var/log/auth.log, or any other apparent
> /var/log/. It was only by accident that I noticed the entry in
> ~/.xsessions-errors - I would have never thought to look there were I
> not checking something else. It was only then that I compared against my
> router logs.
>
> I'm not a GWF; I'm just security conscious and simply wish to stop these
> from popping in and making botnet attempts when I open a VNC port on
> occasion. I still accept and correspond with selected contacts in
> China/HK etc., so what is your (and Sandy's objection) if I block
> botnets by country or otherwise from my systems?

Because it is a private machine on your private network, may I suggest
that you only open port 22 (ssh) and drop all other incoming connections?
You should be able to tunnel all connections over ssh with port
forwarding.

You can increase security with fail2ban: 3 failed attempts and they're
blocked.

If you are really paranoid, you should look at portknocking: no public
facing ports are open at all, not even ssh. A daemon "listens" to a
specific sequence of port "knocks", and creates an accept rule in iptables
for that specific ip address.
I have not tried it myself and I'm not sure if I explained it well.

-- 
Amedee
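
The port-knocking idea from the reply above, shown as an added example that is not code from the thread or from any knockd implementation: a small detector that watches connection attempts (timestamp, source IP, destination port), tracks each source's progress through a secret knock sequence, resets on a wrong port or when the sequence takes too long, and on success returns the iptables ACCEPT rule that a real daemon would install. The knock ports, the time window and the sample attempts are constructed values, and the rule string is only returned, never executed.

```python
"""Port-knock sequence detector (added example; knock ports, window and
sample traffic are constructed assumptions, not values from the thread)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

KNOCK_SEQUENCE = (7000, 8000, 9000)  # hypothetical secret sequence
KNOCK_WINDOW = 10.0                  # seconds allowed for the whole sequence
OPEN_PORT = 22                       # port unlocked by a correct sequence


@dataclass
class KnockState:
    stage: int = 0        # how many knocks of the sequence have matched
    started: float = 0.0  # timestamp of the first matching knock


class KnockDetector:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW,
                 open_port=OPEN_PORT):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_port = open_port
        self._states: Dict[str, KnockState] = {}
        self.rules: List[str] = []

    def observe(self, ts: float, src: str, dport: int) -> Optional[str]:
        """Feed one connection attempt; return an iptables rule on success."""
        state = self._states.get(src, KnockState())

        # A sequence that has taken longer than the window starts over.
        if state.stage > 0 and ts - state.started > self.window:
            state = KnockState()

        expected = self.sequence[state.stage]
        if dport == expected:
            if state.stage == 0:
                state.started = ts
            state.stage += 1
        elif dport == self.sequence[0]:
            # Wrong port, but it is the first knock again: restart from it.
            state = KnockState(stage=1, started=ts)
        else:
            # Any other port (e.g. a scanner sweeping ports) resets progress.
            state = KnockState()

        if state.stage == len(self.sequence):
            self._states.pop(src, None)
            rule = (f"iptables -I INPUT -s {src} -p tcp "
                    f"--dport {self.open_port} -j ACCEPT")
            self.rules.append(rule)
            return rule

        self._states[src] = state
        return None


def process(events: List[Tuple[float, str, int]]) -> List[str]:
    """Run all attempts through one detector and return the rules produced."""
    det = KnockDetector()
    for ts, src, dport in events:
        det.observe(ts, src, dport)
    return det.rules


# Constructed sample traffic: one correct knock, one port sweep that hits
# the sequence ports in the wrong order, and one knock that is too slow.
SAMPLE_EVENTS = [
    (0.0, "198.51.100.7", 7000), (1.0, "198.51.100.7", 8000),
    (2.0, "198.51.100.7", 9000),
    (0.0, "203.0.113.9", 7000), (0.5, "203.0.113.9", 9000),
    (0.6, "203.0.113.9", 8000),
    (0.0, "192.0.2.5", 7000), (20.0, "192.0.2.5", 8000),
    (21.0, "192.0.2.5", 9000),
]

if __name__ == "__main__":
    for rule in process(SAMPLE_EVENTS):
        print(rule)
```

Only the first source produces a rule; the out-of-order sweep and the slow knock both reset. In a real deployment the attempts would come from iptables LOG lines on the knock ports, the rule would be installed by the daemon and removed again after a timeout, and the knock sequence itself should be treated as a shared secret.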
