It's probably just a crazy idea, but what about static? You can use the ip command, "ip route", to filter the subnet of France and Croatia; it won't affect the performance so much. I don't know which one is the right subnet, see this site maybe: http://www.countryipblocks.net/country-blocks/select-formats/

http://linux-ip.net/html/tools-ip-route.html ip route tutorial

This is with iptables instead:
http://www.howtoforge.com/blocking-ip-addresses-of-any-country-with-iptables

    #!/bin/bash
    #
    # Blocking IP 4 Countries : RoMiONeT
    # First article was for marchost at howtoforge.com
    #
    # This SCript is for blocking ips of countries u want
    #
    # All Rights are reserved By : RoMiONeT
    #
    # for any further help please contact us at
    #
    # ( [email protected] [email protected] )
    #
    ####################################
    echo "Blocking IPS of any country By : RoMiONeT"
    echo ""
    echo "To know code of countries which you want to block"
    echo "you can enter ( http://www.blogama.org/country.txt )"
    echo ""
    sleep 3
    echo "Below you can type code of country Ex. ( IL ) for Israel "
    echo -n " Enter Code : "
    read code
    # Download to the same path the loop below reads from; the URL is quoted
    # so the shell does not treat '?' as a glob character.
    wget -c --output-document=/root/ips4countries.txt "http://blogama.org/country_query.php?country=$code"
    # Insert one DROP rule per downloaded address block.
    for i in $(cat /root/ips4countries.txt)
    do
        iptables -I INPUT -s "${i}" -j DROP
    done
    echo "Best Regards"
    echo "RoMiONeT"
    echo "[email protected] & [email protected]"
    exit 0

On Jun 14, 3:10 pm, hard wyrd <[email protected]> wrote:
> I agree. In our case, we use Snort and guardian to fend off "possible"
> attackers. Though we added our own IP block into guardian's ignore list.
>
> On Sat, Jun 13, 2009 at 1:11 AM, Jeremiah Bess <[email protected]> wrote:
>
> > While it is possible, not every ISP in France and Croatia will have a .fr
> > or .hr reverse DNS entry. And as a security professional, I would recommend
> > keeping the log line, since you can't assume everyone in France and Croatia
> > are legitimate users, and logs are your friends.
> >
> > Another note is that setting up security on a box is not a set it and
> > forget it tactic. It's constantly changing, and needs human intervention.
> > Turn on extra logging, and review the logs on a regular basis.
> >
> > Your best bet would be to install an IPS. This would look for brute force
> > attacks and other attack vectors and block the offending IP. Snort can be
> > used as an IPS, but it has a learning curve. BFD can be used, but only detects
> > brute force attacks, not SQL injections or other malicious attempts.
> >
> > Jeremiah E. Bess
> > Network Ninja, Penguin Geek, Father of four
> >
> > On Fri, Jun 12, 2009 at 09:08, dr. Hannibal Lecter
> > <[email protected]> wrote:
> >
> >> Hi all,
> >>
> >> As some of you might know, I'm still a noob, so bear with me :)
> >>
> >> I've recently experienced a terrible security breach on my test
> >> platform at work, which is an old Fedora 5 setup.
> >>
> >> Due to the fact that this platform needs to be accessible from Croatia
> >> and France, my idea was to block all countries using iptables using
> >> this technique:
> >>
> >> http://www.cyberciti.biz/faq/block-entier-country-using-iptables/
> >>
> >> I'm still learning about iptables, but since the above method would
> >> introduce thousands of addresses in iptables in my case, I assume it
> >> would slow everything down.
> >>
> >> So my question is: is there a way to explicitly allow hr and fr zones
> >> as described in the article above, but drop everything else?
> >>
> >> Would it be enough to change the ISO codes in the script above to "hr
> >> fr" and change this line
> >>
> >> $IPT -A $SPAMLIST -s $ipblock -j DROP
> >>
> >> to
> >>
> >> $IPT -A $SPAMLIST -s $ipblock -j ACCEPT
> >>
> >> And then add this at the bottom:
> >>
> >> $IPT -A INPUT -j DROP
> >>
> >> ...or, there are more changes needed in the script? (I assume I won't
> >> be needing the LOG line any longer)
> >>
> >> Thanks in advance!
>
> --
> Part-time SysAd, full-time Dad, part-time netNinja
> CNS, ACFE, FOSS Advocate and Consultant
> Registered Linux User #400165
> http://www.rm2media.net
> http://baudizm.blogsome.com
> http://linuxblazon.wordpress.com
> http://3x-comic.blogspot.com (NEW!)
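
The allow-only variant asked about in the original question, as an added example that is not code from the thread or from the linked articles: it builds a ruleset for iptables-restore that accepts loopback, reply traffic and the listed networks, keeps a rate-limited LOG line as recommended in the reply above, and drops the rest. The chain name COUNTRYALLOW, the function names and the sample ranges are assumptions; every entry is validated because the lists are fetched over plain HTTP.

```shell
#!/bin/sh
# Added example, not from the thread. COUNTRYALLOW, the function names and
# the sample ranges are assumptions made for illustration.

# True only for a strict IPv4 CIDR (no leading zeros, no extra text), so a
# damaged or tampered download cannot put arbitrary text into a rule line.
valid_cidr() (
    case $1 in *[!0-9./]* | */*/*) return 1 ;; esac
    case $1 in */*) ;; *) return 1 ;; esac
    addr=${1%/*} len=${1#*/}
    case $len in [0-9] | [1-3][0-9]) ;; *) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    IFS=.
    set -- $addr
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
)

# Read one CIDR per line on stdin ('#' comments allowed) and print a filter
# table for iptables-restore; invalid entries are reported on stderr.
emit_allowlist() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':COUNTRYALLOW - [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -j COUNTRYALLOW'
    while read -r cidr || [ -n "$cidr" ]; do
        case $cidr in '' | '#'*) continue ;; esac
        if valid_cidr "$cidr"; then
            printf '%s\n' "-A COUNTRYALLOW -s $cidr -j ACCEPT"
        else
            printf 'skipped invalid entry: %s\n' "$cidr" >&2
        fi
    done
    printf '%s\n' \
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "GEO-DROP "' \
        '-A INPUT -j DROP' 'COMMIT'
}

# Constructed sample list (documentation ranges, not real hr/fr allocations);
# the last two entries are malformed on purpose.
sample_zone() {
    printf '%s\n' '# constructed sample' 192.0.2.0/24 203.0.113.0/24 \
        198.51.100.0/33 '198.51.100.0/24 -j DROP'
}

sample_zone | emit_allowlist
```

Check the generated ruleset with `iptables-restore --test` before loading it; loading it replaces the current filter table, so the network you administer the box from has to be in the list.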
