Suppressing Chinese IPs (Unix Servers)
A common problem that anyone watching their Internet-attached systems will notice is that a very large share of the scan-based, random network attack traffic seems to originate from China. Whether it's incessant attempts to brute-force SSH/root passwords, random user/pass attempts, or HTTP probes for installed rootkits or vulnerable software, every IP on the Internet seems to be in the crosshairs for this crap.
Personally, I keep my servers up to date and I am not worried about actual vulnerability exposure. None of these random script-kiddie scan attacks are going to work on my system. Nevertheless, the overall log load is annoying and aggravating to sift through for what I'm actually interested in seeing, and considering none of my server content is targeted at a Chinese audience, I just block the whole damn country.
Blocking ALL Chinese IP Addresses
The following will detail how I go about establishing a complete IP block for China on my server.
List of Chinese IP Address Ranges
The first step to implementing this is to obtain a list of IP addresses for China. I obtained this list from the following URL:
I parsed this into a CIDR based IP address list which you can download here (right click/save):
My Favorite Script: killip
Next up is a quick script I wrote and placed in /usr/local/sbin to make blocking IPs easy using iptables. It accepts a single address or CIDR range, inserts a DROP rule at the top of the INPUT chain, and appends the address to a log so you can see later what was blocked and when.
#!/bin/bash
# killip: drop all inbound traffic from an IP address or CIDR range
if [ -z "$1" ]; then
    echo "execution: $0 <ipaddress>"
    exit 1
fi
# check the effective uid rather than $USER, which is not reliably set under sudo
if [ "$(id -u)" -ne 0 ]; then
    echo "Execution requires root. Run via sudo."
    exit 1
fi
# block the IP (quoted so an empty or odd argument can't break the command line)
iptables -I INPUT -s "$1" -j DROP
# record address in drop list
echo "$1 # dropped $(date)" >> /var/log/iptables_droplog
Stick that in /usr/local/sbin and chmod it:
# chmod 700 /usr/local/sbin/killip
With the IP list (one CIDR range per line) and the killip script, this step is easy; run it as root so the script's permission check passes:
# while read -r ChinaIP; do killip "$ChinaIP"; done < chinese_iplist
No more China harassment in your auth and httpd logs!
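Before feeding a list of thousands of ranges into the loop above, it is worth checking what the list actually contains and what it would have dropped. The following is an added example, not the page's own script: it parses a CIDR list in the same one-range-per-line format, rejects malformed lines instead of handing them to iptables, collapses ranges already covered by a larger one (each `-I INPUT` rule is evaluated linearly, so fewer rules is better), and matches sample sshd log lines against the list to measure the effect. The CIDR ranges and log lines are constructed placeholders from RFC 5737/6598 documentation space, not real Chinese allocations.

```python
"""Added example (not the page's own code): preview what the killip loop
would block.  Sample CIDR list and sshd lines below are constructed."""
import ipaddress
import re

# Constructed stand-in for chinese_iplist: one CIDR per line, '#' comments allowed.
SAMPLE_CIDR_LIST = """\
# constructed placeholder ranges (RFC 5737 / RFC 6598 space), not a real list
203.0.113.0/24
203.0.113.128/25   # already covered by the /24 above; gets collapsed away
198.51.100.0/25
100.64.0.0/10
not-an-address
"""

# Constructed sshd lines in the usual syslog format.
SAMPLE_AUTH_LOG = """\
Mar  3 04:12:01 web sshd[2211]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar  3 04:12:03 web sshd[2213]: Invalid user admin from 198.51.100.9 port 40110
Mar  3 04:12:05 web sshd[2215]: Failed password for root from 192.0.2.77 port 33001 ssh2
Mar  3 04:12:07 web sshd[2217]: Failed password for invalid user oracle from 100.70.1.2 port 55123 ssh2
Mar  3 04:13:00 web sshd[2220]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""

# sshd reports the peer as "from <ip> port <n>"
IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def load_cidrs(text):
    """Parse a CIDR list into (valid networks, rejected lines).

    Bad lines are reported rather than silently fed to iptables, and
    overlapping ranges are collapsed so fewer rules end up in the chain."""
    nets, bad = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append(line)
    return list(ipaddress.collapse_addresses(nets)), bad


def would_drop(ip, nets):
    """True if the address falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def audit_log(log_text, nets):
    """Count log lines whose source IP is in the block list.

    Returns (matched, total) over lines that carry a 'from <ip>' field."""
    matched = total = 0
    for line in log_text.splitlines():
        m = IP_RE.search(line)
        if not m:
            continue
        total += 1
        if would_drop(m.group(1), nets):
            matched += 1
    return matched, total


def iptables_commands(nets):
    """Render the rules the killip loop would insert (dry run, nothing executed)."""
    return [f"iptables -I INPUT -s {n.with_prefixlen} -j DROP" for n in nets]


if __name__ == "__main__":
    nets, bad = load_cidrs(SAMPLE_CIDR_LIST)
    print(f"{len(nets)} networks loaded, {len(bad)} rejected: {bad}")
    hit, tot = audit_log(SAMPLE_AUTH_LOG, nets)
    print(f"{hit} of {tot} sshd source IPs would be dropped")
    for cmd in iptables_commands(nets):
        print(cmd)
```

Running the script against your own chinese_iplist and auth log (swap the two constants for file contents) gives the before/after count the page describes without touching the firewall. On a list this size, one rule matching an ipset hash:net set is evaluated far faster than one INPUT rule per range; the per-range loop works, but the chain grows linearly with the list.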
Sorry Non-Scriptkiddie China
Not everyone in China is a government funded cyber attack scanner. In fact, very few are. This approach, as a result, marginalizes Chinese net-users even further than they already are due to government firewalls and censorship.
This is not a security measure. Deploying this in your environment does not improve your security by any means -- there are plenty of scanner/attack probes (both human- and bot-driven) all around the world. The only way to maintain a secure system is to keep your software up to date and to be security-minded when building your environment.
On the other hand, making this change cuts my daily intrusion attempt and exploit probe count from an average of ~800 to ~10. The sheer volume of scan/attack traffic from China is mind-blowing, and if the prospect of individual operators black-holing the country wholesale concerns anyone there, that volume is the problem that needs to be acknowledged and dealt with.
So while I acknowledge it is probably a case of a few bad apples making the bunch look rotten, those are some really bad apples and I don't want them stinking up my server logs.