Suppressing Chinese IPs (Unix Servers)

A common problem that anyone watching their Internet-attached systems will notice is that a huge share of the random, scan-based attack traffic seems to originate from China. Whether it's incessant attempts to brute-force SSH/root passwords, random user/pass attempts, or HTTP probes for installed rootkits or vulnerable software, every IP on the Internet seems to be in the crosshairs for this crap.

Personally, I keep my servers up to date and I am not worried about actual vulnerability exposure. None of these random scan script-kiddie attacks are going to work on my system. Nevertheless, the overall log load is annoying, aggravating to sift through for what I'm actually interested in seeing, and considering none of my server content is targeted at a Chinese audience, I just block the whole damn country.

Blocking ALL Chinese IP Addresses

The following will detail how I go about establishing a complete IP block for China on my server.

List of Chinese IP Address Ranges

The first step to implementing this is to obtain a list of IP addresses for China. I obtained this list from the following URL:

I parsed this into a CIDR-based IP address list which you can download here (right click/save):

My Favorite Script: killip

Next up is a quick script I wrote and placed in /usr/local/sbin to make blocking IPs easy using iptables.

#!/bin/sh
# script to kill an ip address

# usage check: bail out if no address was given
if [ -z "$1" ]; then
	echo "execution: $0 <ipaddress>"
	exit 1
fi

# iptables needs root
if [ "$USER" != "root" ]; then
	echo "Execution requires root.  Run via sudo."
	exit 1
fi

# block the IP (quoted so a stray space can't turn into extra iptables arguments)
iptables -I INPUT -s "$1" -j DROP

# record address in drop list
echo "$1 # dropped $(date)" >> /var/log/iptables_droplog

Stick that in /usr/local/sbin and chmod it:

# chmod 700 /usr/local/sbin/killip

Blocking China

With the IP list and the killip script, this step is easy:

# for ChinaIP in $(cat chinese_iplist); do killip "$ChinaIP"; done

No more China harassment in your auth and httpd logs!
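A slightly more careful version of that loop, added here as an example and not part of the page's original killip script: it reads the CIDR list, skips blank and comment lines, rejects malformed entries so a corrupted list can't feed garbage into iptables, drops duplicates, and only prints the iptables commands unless APPLY=1 is set, so the result can be reviewed before anything touches the firewall. The function names valid_cidr, block_from_list and sample_list, and the embedded sample list (documentation ranges), are constructed for this example.

```shell
#!/bin/sh
# Added example (not the page's original script). Function names and the
# embedded sample list are assumptions of this example.

# valid_cidr A.B.C.D/N -> returns 0 only for a well-formed IPv4 CIDR.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;              # no prefix length at all
    esac
    ip=${1%/*}
    prefix=${1#*/}
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;    # prefix must be all digits
    esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $ip                      # split the address into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;  # empty or non-numeric octet
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# block_from_list reads CIDRs on stdin and emits (or, with APPLY=1, runs) one
# DROP rule per valid, unique entry. Invalid entries are reported on stderr
# and counted, and the function fails if any were seen, so a damaged list is
# noticed instead of being silently half-applied.
block_from_list() {
    seen=""; bad=0; applied=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                         # strip trailing comments
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -n "$entry" ] || continue               # blank / comment-only line
        if ! valid_cidr "$entry"; then
            printf 'skipping invalid entry: %s\n' "$line" >&2
            bad=$((bad + 1))
            continue
        fi
        case " $seen " in
            *" $entry "*) continue ;;             # duplicate: one rule is enough
        esac
        seen="$seen $entry"
        if [ "${APPLY:-0}" = 1 ]; then
            iptables -I INPUT -s "$entry" -j DROP
        else
            printf 'iptables -I INPUT -s %s -j DROP\n' "$entry"
        fi
        applied=$((applied + 1))
    done
    printf '%d rules, %d invalid entries skipped\n' "$applied" "$bad" >&2
    [ "$bad" -eq 0 ]
}

# Constructed sample list (not the real chinese_iplist): a comment line, a
# duplicate, a trailing comment, and two malformed entries.
sample_list() {
    cat <<'EOF'
# sample CIDR list
203.0.113.0/24
203.0.113.0/24
198.51.100.0/24   # trailing comment is stripped
192.0.2.0/24
300.1.1.1/24
not-a-cidr
EOF
}

# Usage: sh thisfile.sh --demo                 (dry run over the sample list)
#        APPLY=1 block_from_list < chinese_iplist   (as root, applies the rules)
if [ "${1:-}" = "--demo" ]; then
    sample_list | block_from_list
fi
```

Two things the one-liner leaves out, both worth knowing before running it on a list of this size: rules inserted with iptables -I live only in the running kernel and are gone after a reboot unless saved (iptables-save) and restored at boot, and several thousand individual INPUT rules are walked linearly for every packet, so a dedicated chain or an ipset is the usual home for a country-sized list.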

Sorry Non-Scriptkiddie China

Not everyone in China is a government funded cyber attack scanner. In fact, very few are. This approach, as a result, marginalizes Chinese net-users even further than they already are due to government firewalls and censorship.

This is not a security measure. Deploying this solution in your environment does not improve your security by any means -- there are plenty of scanner/attack probes (both human- and bot-run) all around the world. The only way to maintain a secure system is to keep your software up-to-date and be security-mindful when implementing your environment.

On the other hand, making this change cuts down on my daily intrusion attempt and exploit probe count from an average of ~800 to ~10. The sheer volume of scan/attack traffic from China is mind-blowing, and as a result, culturally they need to acknowledge and deal with this problem if the prospect of individual operators black-holing China wholesale is a concern for them.

So while I acknowledge it is probably a case of a few bad apples making the bunch look rotten, those are some really bad apples and I don't want them stinking up my server logs.