I was looking at the logs on a couple of my servers the other day. One of them was experiencing about 600,000 attempts per month to guess passwords. Oddly enough, more than 630,000 attempts in a two-month period came from four IP addresses within one block in China, 116.31.116.0/24. The number of attempts is somewhat imprecise because often the logs will show something like "last message repeated 2 times".
I have one computer for which I'm waiting on a new hard drive (it should be here Friday). While waiting, I've been trying out the latest release of OpenBSD, 6.1, on that system.
Yesterday, I downloaded a couple of zone files containing the vast majority of the assigned IP address blocks for the United States, one for IPv4 and one for IPv6. I then configured my firewall to reject all attempts to connect to ssh and telnet on that machine from IP addresses outside the IPv4 and IPv6 blocks listed in the two zone files. The new rule went live a little less than 21 hours ago.
Since then, using those rules, only two addresses have connected to try the machine, about five attempts between them. More than 1800 separate attempts have been rejected by the filter.
Also, I have my computer configured to download the latest zone files for the US every day with wget and update the tables from them:
wget -O us4_table http://www.ipdeny.com/ipblocks/data/aggregated/usa-aggregated.zone
wget -O us6_table http://www.ipdeny.com/ipv6/ipaddresses/blocks/us.zone
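The pf.conf rules that go with those two downloads, as an added example (this is not the configuration from the original post). The interface name, the file paths under /etc/pf and the table-entries value are assumptions; the two ipdeny files are assumed to have been concatenated into one file, /etc/pf/us_table, since pf does not care which address family an entry belongs to:

```pf
# Added example, not the original post's pf.conf.  em0, the /etc/pf paths and
# the limit value are assumptions.
ext_if = "em0"
admin_ports = "{ ssh, telnet }"

# "persist" keeps the table even when no rule references it yet; "file" loads
# the entries at ruleset load.  One table can hold IPv4 and IPv6 entries.
table <us> persist file "/etc/pf/us_table"
table <bruteforce> persist

# Only needed once a table outgrows pf's default cap on table entries
# (the IPv4 zone file alone is about 150,000 lines).
set limit table-entries 400000

# Reject (TCP RST) ssh/telnet from any source that is not in the US table.
# "quick" ends rule evaluation here, so no later pass rule can override it.
block return in quick on $ext_if proto tcp from ! <us> \
    to ($ext_if) port $admin_ports

# US sources still get rate limited: more than 5 new connections in 60 s
# puts the source into <bruteforce> and kills its existing states.
block return in quick on $ext_if proto tcp from <bruteforce> \
    to ($ext_if) port $admin_ports
pass in on $ext_if proto tcp from <us> to ($ext_if) port $admin_ports \
    keep state (max-src-conn-rate 5/60, overload <bruteforce> flush global)
```

After the daily download, cat us4_table and us6_table into /etc/pf/us_table and reload the table without touching the rest of the ruleset: pfctl -t us -T replace -f /etc/pf/us_table. Check that both downloaded files are non-empty first: wget -O truncates the output file before the transfer starts, so a failed download leaves an empty file, and with the rule above an empty <us> table rejects everyone, including you.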
The one problem with that approach is that the zone files I'm using skip smaller blocks. It's possible that someone from a smaller block not in the zone file might need access to our computers. So what I'm planning on doing is loading all the zone files except the US zone file and rejecting attempts to connect to ssh or telnet from any of the foreign addresses.
There is a minor problem with rejecting from all of the foreign addresses: the size of the table. On OpenBSD, the limit on the total number of pf table entries was 100,000 on this system, and the IPv4 file alone is about 150,000 entries. (The limit is the table-entries value, which can be raised with set limit table-entries in pf.conf.)
Since two adjacent blocks can be in different countries, both show up in the list as separate entries. I think that if I write a program that combines adjacent blocks, when possible, it might reduce the number of entries enough for the table to fit. Another possibility would be to replace all the entries in each /8 block used by APNIC, AFRINIC, RIPE NCC, and LACNIC with just the /8 for that block. Interestingly enough, there are a few blocks listed as being US IP addresses that are in non-ARIN blocks!
For example, 101.53.160.0/19 is in an APNIC (Asia Pacific NIC) block but comes back to Salesforce.com out of San Francisco.
Similarly, 103.11.64.0/22 is in an APNIC block but comes back to HostUS in Delaware.
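Both ideas above, merging adjacent blocks and falling back to a whole RIR /8, can be done with the standard-library ipaddress module. The following is an added example, not the program from the original post: it parses zone-file text, collapses adjacent and overlapping prefixes, and, for the /8 approach, carves the US exceptions such as 101.53.160.0/19 back out of 101.0.0.0/8 so that they stay reachable. The sample zone text is constructed, not real ipdeny.com data, and the file names in the usage line are assumptions.

```python
"""Aggregate zone-file CIDR blocks so they fit in a pf table, and carve US
blocks back out of a coarse (RIR /8) entry.

Added example, not the original post's code.  Uses only the standard-library
ipaddress module.  SAMPLE_FOREIGN is constructed, not real ipdeny.com data.
"""
import ipaddress
import sys

# Constructed sample: two /24s and a /23 that merge into one /22, two /25s
# that merge into a /24 (plus a duplicate /24 covering them), and two
# singletons that cannot be merged with anything.
SAMPLE_FOREIGN = """\
# comment lines and blank lines are ignored
203.0.113.0/24
203.0.112.0/24
203.0.114.0/23
198.51.100.0/25
198.51.100.128/25
198.51.100.0/24
101.0.0.0/8
2001:db8:feed::/48
"""


def parse_zone(text):
    """One CIDR per line, '#' comments allowed.  Raises ValueError with the
    offending line number so a bad download is noticed before it reaches pf."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r}: {exc}") from None
    return nets


def aggregate(nets):
    """Merge adjacent and overlapping blocks into the fewest covering prefixes.
    collapse_addresses() refuses mixed address families, so do it per family."""
    out = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses(
            [n for n in nets if n.version == version]))
    return out


def exclude_blocks(coarse_nets, exceptions):
    """Remove every network in `exceptions` from the networks in `coarse_nets`.
    This is what makes "just list the RIR /8" safe: block 101.0.0.0/8 but leave
    101.53.160.0/19 (a US block inside APNIC space) reachable."""
    pieces = list(coarse_nets)
    for ex in exceptions:
        kept = []
        for p in pieces:
            if ex.version != p.version or not (ex.subnet_of(p) or p.subnet_of(ex)):
                kept.append(p)                       # disjoint: keep as is
            elif ex.subnet_of(p):
                kept.extend(p.address_exclude(ex))   # punch the hole
            # else: p lies entirely inside the exception, so drop it
        pieces = kept
    return aggregate(pieces)


def covers(nets, addr):
    """True if the address string `addr` falls inside any of `nets`."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in nets)


def to_pf_table(nets):
    """Text suitable for `pfctl -t <table> -T replace -f <file>`."""
    return "".join(f"{n}\n" for n in nets)


if __name__ == "__main__":
    # Usage (file names assumed): aggregate.py foreign.zone [us.zone] > foreign_table
    foreign = parse_zone(open(sys.argv[1]).read())
    us = parse_zone(open(sys.argv[2]).read()) if len(sys.argv) > 2 else []
    merged = exclude_blocks(aggregate(foreign), us)
    sys.stdout.write(to_pf_table(merged))
    print(f"{len(foreign)} entries in, {len(merged)} out", file=sys.stderr)
```

On the constructed sample, eight entries collapse to four. Carving 101.53.160.0/19 out of 101.0.0.0/8 yields eleven prefixes (one per prefix length from /9 to /19), so the /8 fallback costs a handful of extra entries per US exception rather than the thousands of entries the per-country files contain for that space.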
Another approach would be adaptive: block no one at the start. Instead, whenever it sees an attempt to connect, it would check whether the IP address is in a foreign block and, if it is, add the block to the table. There are undoubtedly many blocks from which we would never see an attempt. Since OpenBSD lets you pass the syslog information to a separate program, it's not that difficult to use a separate program to detect attempts to log on, check the IP address against the foreign blocks, and, if it finds a match, add the entire block to the table. Unless they make a number of connection attempts all at once, as some do, they would be blocked by the time they make a second attempt.
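The adaptive approach, as an added example rather than the original post's program: it reads sshd authlog lines from standard input (as a syslogd pipe action or tail -f would deliver them), finds the foreign block containing the source of each failed login, and adds that whole block to a pf table with pfctl once. The foreign block list and the log lines are constructed; the pfctl call is passed in as a callback so the matching logic can be exercised without root. The table name "foreign" and the file name in the usage line are assumptions.

```python
"""Adaptive blocker: read sshd log lines and, when a failed login comes from
an address inside a known foreign block, add that whole block to a pf table.

Added example, not the original post's code.  FOREIGN_BLOCKS and SAMPLE_LOG
are constructed.  pfctl is only invoked through the swappable `add` callback,
so the matching logic runs without root.
"""
import bisect
import ipaddress
import re
import subprocess
import sys

# Constructed, tiny stand-in for the aggregated foreign zone list.
FOREIGN_BLOCKS = [ipaddress.ip_network(s) for s in (
    "116.31.116.0/24", "103.11.64.0/22", "2001:db8:bad::/48")]

# Constructed OpenBSD authlog lines in the format sshd writes them.
SAMPLE_LOG = """\
Apr 25 03:14:15 gw sshd[8123]: Failed password for root from 116.31.116.45 port 41010 ssh2
Apr 25 03:14:16 gw sshd[8123]: Failed password for root from 116.31.116.45 port 41010 ssh2
Apr 25 03:14:20 gw sshd[8130]: Invalid user admin from 116.31.116.46 port 52244
Apr 25 03:15:02 gw sshd[8141]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Apr 25 03:15:40 gw sshd[8150]: Failed password for invalid user oracle from 192.0.2.99 port 33001 ssh2
Apr 25 03:16:01 gw sshd[8161]: Failed password for root from 2001:db8:bad:1::7 port 40012 ssh2
"""

# Only failed or invalid attempts count; "Accepted ..." lines never match.
FAILED_RE = re.compile(
    r"(?:Failed \S+ for|Invalid user)\b.*?\bfrom (?P<ip>[0-9A-Fa-f.:]+)")


class BlockIndex:
    """Aggregated zone lists are disjoint, so a sorted list of (first, last)
    address integers plus bisect finds the containing block in O(log n)."""

    def __init__(self, blocks):
        self._ranges = {4: [], 6: []}
        for net in blocks:
            self._ranges[net.version].append(
                (int(net.network_address), int(net.broadcast_address), net))
        for r in self._ranges.values():
            r.sort()
        self._starts = {v: [first for first, _, _ in r]
                        for v, r in self._ranges.items()}

    def lookup(self, addr):
        """Return the block containing the address string `addr`, or None."""
        ip = ipaddress.ip_address(addr)
        ranges = self._ranges[ip.version]
        i = bisect.bisect_right(self._starts[ip.version], int(ip)) - 1
        if i >= 0 and ranges[i][0] <= int(ip) <= ranges[i][1]:
            return ranges[i][2]
        return None


def pfctl_add(table, net):
    """Add one block to a pf table (needs root)."""
    subprocess.run(["pfctl", "-t", table, "-T", "add", str(net)], check=True)


def process_lines(lines, index, table="foreign", add=pfctl_add):
    """Feed log lines through the index and add each matching block once.
    Yields blocks as they are added, so a streaming caller reacts immediately."""
    seen = set()
    for line in lines:
        m = FAILED_RE.search(line)
        if m is None:
            continue
        try:
            net = index.lookup(m.group("ip"))
        except ValueError:      # the regex matched something that is not an address
            continue
        if net is None or net in seen:
            continue
        seen.add(net)
        add(table, net)
        yield net


if __name__ == "__main__":
    # Usage (file name assumed): tail -f /var/log/authlog | adaptive.py foreign_table
    blocks = [ipaddress.ip_network(l.split("#")[0].strip())
              for l in open(sys.argv[1]) if l.split("#")[0].strip()]
    for net in process_lines(sys.stdin, BlockIndex(blocks)):
        print(f"added {net}", file=sys.stderr)
```

The pf side is just a persistent table and one rule, for example table <foreign> persist together with block return in quick on $ext_if proto tcp from <foreign> to ($ext_if) port { ssh, telnet }. Two caveats: adding an entry to the table does not tear down a connection that already has state, so a burst of attempts on an open session keeps going until pfctl -k <address> kills it, and the table is empty again after a reboot unless the accumulated entries are dumped with pfctl -t foreign -T show and reloaded.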