[CentOS] Can one construct an IPTables rule to block on NS records?

James B. Byrne Mon, 05 Oct 2015 06:48:09 -0700

This is the same origin that I reported on earlier.  Apparently asking
for an explanation of why they were probing our sites only encouraged
them to make additional attempts.


 sshd:
    Authentication Failures:
       unknown (ip-173-201-178-18.ip.secureserver.net): 2 Time(s)
       unknown (ip-97-74-196-33.ip.secureserver.net): 2 Time(s)
       unknown (ip-97-74-202-95.ip.secureserver.net): 2 Time(s)
       root (ip-173-201-252-24.ip.secureserver.net): 1 Time(s)
       root (ip-72-167-249-196.ip.secureserver.net): 1 Time(s)
       root (ip-72-167-251-87.ip.secureserver.net): 1 Time(s)
       root (ip-97-74-121-108.ip.secureserver.net): 1 Time(s)
       root (ip-97-74-193-219.ip.secureserver.net): 1 Time(s)
       root (ip-97-74-206-13.ip.secureserver.net): 1 Time(s)
       unknown (ip-173-201-252-24.ip.secureserver.net): 1 Time(s)
       unknown (ip-72-167-249-196.ip.secureserver.net): 1 Time(s)
       unknown (ip-72-167-251-87.ip.secureserver.net): 1 Time(s)
       unknown (ip-97-74-121-108.ip.secureserver.net): 1 Time(s)
       unknown (ip-97-74-193-219.ip.secureserver.net): 1 Time(s)
       unknown (ip-97-74-206-13.ip.secureserver.net): 1 Time(s)
    Invalid Users:
       Unknown Account: 12 Time(s)

So, is there any convenient way to construct an IPTables rule to block
all IPs associated with a given Domain Name server?


dig -x 173.201.178.18

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> -x 173.201.178.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1357
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:
;18.178.201.173.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
18.178.201.173.in-addr.arpa. 3600
IN      PTR     ip-173-201-178-18.ip.secureserver.net.

;; AUTHORITY SECTION:
201.173.in-addr.arpa.   66199   IN      NS      cns2.secureserver.net.
201.173.in-addr.arpa.   66199   IN      NS      cns1.secureserver.net.

;; ADDITIONAL SECTION:
cns2.secureserver.net.  172800  IN      A       216.69.185.100
cns2.secureserver.net.  172800  IN      AAAA    2607:f208:303::64
cns1.secureserver.net.  172800  IN      A       208.109.255.100
cns1.secureserver.net.  172800  IN      AAAA    2607:f208:207::64


Like say, cns{1,2}.secureserver.net.  Or an entire domain? Say
secureserver.net. ?


-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

[CentOS] Can one construct an IPTables rule to block on NS records?

Reply via email to