HOWTO: Block China, Taiwan, etc. By IP Address With iptables on Linux

Sadly, most of the "attacks" on my home network appear to originate from China.  I say "appear to originate" because there's really no way for me to be sure; it is possible that a hacker in Europe, or elsewhere, has a network of compromised computers in China all pounding away on American systems.  To American system administrators, it looks like the attacks originate in China, but anyone could be behind the mischief.  Heck, even my next door neighbor could be behind the attacks.

About a year or so ago, I finally decided to take matters into my own hands.  After crawling through a 5,000+ line /var/log/secure log file (where SSHD logs failed login attempts), I implemented several somewhat simple security policies on my home network.  Most notably, I completely gave up on the continent of Asia.  Yes, I blocked an entire continent from accessing my web-site and home network.  It's nothing personal, I was just tired of Chinese script kiddies filling up my log files and pounding on my systems unnecessarily.

Continue reading to find out how I locked things down, and saved myself a lot of headaches.
I took a four step approach to my security problems.  First, I locked down my router as much as possible by only opening the ports I really cared about (or needed to have open, like port 80 for web traffic and port 22 for SSH).  Second, I blocked unnecessary incoming traffic (from Asia and other locations) using iptables.  Third, I hardened Apache as much as I could using .htaccess files where appropriate.  And finally, I configured and isolated a CentOS VMware guest to run kolich.com, which separates the externally visible content and systems from the other really important "stuff" on my network.  In other words, if someone actually compromised the VMware instance running my web-site, they wouldn't be able to get into anything else on my network.

Surprisingly, locking out an entire continent is actually an easier task than you might think.  Some administrators have locked out Asia using a special Apache .htaccess file that denies requests based on IP blocks.  That works OK for locking down Apache, but I also wanted to drop incoming SSH traffic from IPs I didn't trust.  The solution is to get busy with iptables.

First, you need to find a list of all Chinese-owned IP blocks.  The best resource I've found for this is at http://www.okean.com/antispam/sinokorea.html.  Once you have the Asian IP block list, you'll need to configure iptables to DROP any incoming requests from these blocks.  For convenience, I wrote a quick Perl script to do the work for me:

iptables-firewall.tar.gz (8K)

Inside of iptables-firewall.tar.gz you'll find an access.list file and a firewall.pl Perl script.  The access.list file is pre-configured to drop packets from all of the IP blocks at http://www.okean.com/antispam/sinokorea.html.  However, you should jump to the bottom of access.list and add any trusted IPs (e.g., work and home) that you want to accept SSH traffic from.  By default, any other incoming requests on port 22 from addresses you don't trust will be dropped.  If you're using NAT, and your local subnet is 192.168.0.0/16, then you should have a line like this in access.list:

INPUT -s 192.168.0.0/16 -p tcp --dport 22 -j ACCEPT

The last line in access.list denies incoming SSH traffic from all other addresses:

INPUT -p tcp --dport 22 -j DROP

Run ./firewall.pl --enable to enable the firewall with iptables.  Run ./firewall.pl --disable to delete the iptables chains (disable the firewall).  Once the firewall is enabled, try to SSH into your system from another, untrusted location; you shouldn't be able to, and your SSH login attempt will eventually time out.
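As an added example (not the post's firewall.pl), here is a small Python script that applies an access.list in the same line format, but validates every line, including the CIDR and the ACCEPT-before-DROP ordering, before it touches iptables. It assumes a file named access.list in the current directory and the --enable/--disable switches from the post.

```python
"""Apply an access.list in the post's line format with iptables: added example, not the
post's firewall.pl.  Every line is validated before anything is applied, so a typo cannot
leave the INPUT chain half-built."""
import ipaddress
import shlex
import subprocess
import sys

TARGETS = {"ACCEPT", "DROP", "REJECT"}

def parse_rule(line):
    """One access.list line -> iptables argument list; None for blank or comment lines.
    Raises ValueError for a bad chain, target or network (e.g. 192.168.00/16)."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    args = shlex.split(line)
    if args[0] != "INPUT" or len(args) < 3 or args[-2] != "-j" or args[-1] not in TARGETS:
        raise ValueError(f"malformed rule: {line}")
    for flag in ("-s", "-d"):            # catch a mistyped network before iptables does
        if flag in args:
            ipaddress.ip_network(args[args.index(flag) + 1], strict=False)
    return args

def load_rules(text):
    """Parse a whole access.list.  iptables stops at the first matching rule, so an ACCEPT
    placed after a catch-all DROP (one with no -s) can never fire; reject that ordering,
    since it would silently lock you out of SSH from your trusted addresses."""
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    catch_all_drop_seen = False
    for r in rules:
        if r[-1] == "ACCEPT" and catch_all_drop_seen:
            raise ValueError("unreachable ACCEPT after catch-all DROP: " + " ".join(r))
        if r[-1] == "DROP" and "-s" not in r:
            catch_all_drop_seen = True
    return rules

def build_commands(rules, enable=True):
    """--enable appends the rules in file order; --disable deletes them again in reverse."""
    if enable:
        return [["iptables", "-A"] + r for r in rules]
    return [["iptables", "-D"] + r for r in reversed(rules)]

if __name__ == "__main__":
    enable = "--disable" not in sys.argv[1:]
    with open("access.list") as f:                 # same file name as the post's tarball
        rules = load_rules(f.read())               # validate everything first
    for cmd in build_commands(rules, enable):
        subprocess.run(cmd, check=True)            # needs root, like iptables itself
```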

Once you have the correct set of iptables chains in place, you might also want to secure your Apache installation by hiding the Apache server version using the ServerTokens and ServerSignature directives.

Finally, if you notice a lot of bots and other junk pounding on your Apache server, you may want to consider a nice .htaccess file to take care of it.  Put this .htaccess file in the DocumentRoot of your Apache installation:

SetEnvIf User-Agent ^-$ block=1
SetEnvIf User-Agent "^Mozilla\/4\.0 \(compatible\;\)$" block=1
SetEnvIfNoCase Referer "(hold-?em|poker|casino|hotel|loan)" block=1
SetEnvIfNoCase Referer "(stockleaf|mortgage|payday|pingdom)" block=1
SetEnvIfNoCase Referer "(viagra|cialis|penis|diet|porn)" block=1
SetEnvIfNoCase User-Agent "(morfeus|gigabot|emailsearch|radian)" block=1
SetEnvIfNoCase User-Agent "(baidu|MiniRedir|SurveyBot|PMAFind)" block=1
SetEnvIfNoCase User-Agent "(java|panscient)" block=1
Order allow,deny
Allow from all
Deny from env=block

This particular .htaccess file will block requests with an empty User-Agent string (used by a lot of spam bots and proxies), and should reduce referrer spam in your Apache logs.
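Before deploying those rules, it helps to replay them against your existing access log to see what they would have blocked and whether anything legitimate gets caught. The following is an added example (not from the post) that does exactly that for Apache "combined" format lines; the sample lines are constructed.

```python
"""Replay the .htaccess rules above against Apache combined-format log lines to see what they
would have blocked (added example; the sample lines below are constructed, not the author's logs)."""
import re
from collections import Counter

LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# (header, pattern, case-insensitive) in the same order as the .htaccess; first match wins here,
# which is enough to attribute a block to one rule (Apache would evaluate all of them).
RULES = [
    ("ua", r"^-$", False),                    # UA logged as "-": header absent or literally "-"
    ("ua", r"^Mozilla/4\.0 \(compatible;\)$", False),
    ("referer", r"(hold-?em|poker|casino|hotel|loan)", True),
    ("referer", r"(stockleaf|mortgage|payday|pingdom)", True),
    ("referer", r"(viagra|cialis|penis|diet|porn)", True),
    ("ua", r"(morfeus|gigabot|emailsearch|radian)", True),
    ("ua", r"(baidu|MiniRedir|SurveyBot|PMAFind)", True),
    ("ua", r"(java|panscient)", True),
]
COMPILED = [(h, re.compile(p, re.I if ci else 0)) for h, p, ci in RULES]

def blocking_rule(line):
    """Pattern of the first rule that would set block=1 for this log line, or None if the
    request would be allowed (or the line does not parse as a combined-format entry)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for header, rx in COMPILED:
        if rx.search(m.group(header)):
            return rx.pattern
    return None

def summarize(lines):
    """(allowed count, Counter of blocking pattern -> hits): review the hits for false positives
    (e.g. a legitimate client whose UA contains "java") before deploying the .htaccess."""
    hits = Counter(filter(None, map(blocking_rule, lines)))
    return len(lines) - sum(hits.values()), hits

SAMPLE = [  # constructed log lines
    '203.0.113.5 - - [29/Nov/2008:15:05:00 -0800] "GET / HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.6 - - [29/Nov/2008:15:05:01 -0800] "GET /blog/ HTTP/1.1" 200 8192 "http://example.net/best-casino-deals" "Mozilla/5.0"',
    '203.0.113.7 - - [29/Nov/2008:15:05:02 -0800] "GET /robots.txt HTTP/1.0" 200 64 "-" "Java/1.6.0_07"',
    '203.0.113.8 - - [29/Nov/2008:15:05:03 -0800] "GET /about/ HTTP/1.1" 200 2048 "http://www.google.com/search?q=iptables" "Mozilla/5.0 (X11; Linux)"',
]

if __name__ == "__main__":
    allowed, hits = summarize(SAMPLE)
    print(f"allowed={allowed} blocked={sum(hits.values())}")
    for pattern, n in hits.most_common():
        print(f"{n:5d}  {pattern}")
```

Feed it your real log with `summarize(open("/var/log/httpd/access_log").readlines())` and look at which pattern each hit came from; a rule that mostly catches legitimate traffic is one to loosen before it goes live.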

Enjoy.



About this Entry

This page contains a single entry by Mark Kolich published on November 29, 2008 3:05 PM.
