# Use iptables to block all non-US ssh traffic - Page 3

•  Subject
• Author
• Posted on

## Re: Use iptables to block all non-US ssh traffic

Moe Trin wrote:

And even if they are ASSIGNED to companies based in
Europe, Russia, and a few pieces of North Africa and the Middle East, that
is no guarantee that the addresses are DEPLOYED in those areas. A
multi-national company based in Europe may well get a set of addresses from
RIPE but USE the addresses in their USA sales offices. In which case, if
block all others and you used the RIPE range of addresses, you would be
blocking those RIPE assigned addresses deployed in the USA.  The reverse is
true for those address assigned by ARIN.
--

## Re: Use iptables to block all non-US ssh traffic

In the Usenet newsgroup comp.os.linux.security, in article

Quite so - there are a number of spammers based in BY, EE, RU, and UA
according to the registrations and such. Do a traceroute, and the
hosts are one or at most two hops (and maybe 0.04 msec) from a gateway
router in New York City.  But then, what about

[compton ~]$cut -d' ' -f1 < IP.ADDR/stats/APNIC | sort -u | column AF BT GU KH MN NC PF SG VN AP CH HK KI MO NF PG TH VU AS CK ID KR MP NP PH TO WS AU CN IN LA MU NR PK TV BD FJ IO LK MV NU PW TW BN GB JP MM MY NZ SB US [compton ~]$

Do you know your country codes?  Then explain CH GB and US.

You also get people with 'vanity domains' registered in places like
Norfolk Island (nf), Tonga (to) or Tuvalu (tv) whose hosts are just
windoze boxes hanging of their Comcast or SBC cable box.

[compton ~]$cut -d' ' -f1 < IP.ADDR/stats/ARIN | sort -u | column AG BB CH FI HU JP LU PR VI AI BE CZ FR IE KR MX SE AR BM DE GB IL KY NL SG AT BS DO GD IT LB NO TR AU CA ES HK JM LC PL US [compton ~]$

That's always good for a laugh.

Yeah, but unless "sales.washington.foo.bar.bz" actually DNSs to some
US assigned address, you _probably_ connect to them through some site in
their home country.  Example - my company is registered in New York state,
but if you traceroute to us, the last thing you see is BBN near San Jose,
California. I'm not there either - and the company has subnets on five
continents and twentynine countries. We recently had a little to-do with
a local pizza joint here (Arizona), who refused our connections, because
"you are in New York (or California)".  So we don't order pizza from his
web site for those late afternoon or evening munchies.  Imagine the poor
workers in France or Japan who also appear to be in New York (or California).

If you try to connect to our web site from Asia, you'll be routed to
points of presence there (and not using our address space). Send mail
from China to our company, and it ends up in an office in Shanghai
(where they can read Big8). Again those hosts are not in our primary
block, but are using 203.x.x.x addresses we get from some Chinese ISP.
The _hostnames_ are in our company zone, but packets from Asian customers
stay in Asia, rather than being routed via California. There is also this
bit about "time zones".  It's done by the magic of DNS.

Old guy

## Re: Use iptables to block all non-US ssh traffic

On Sat, 17 Sep 2005 21:19:54 -0500, ibuprofin@painkiller.example.tld
(Moe Trin) wrote:

Just an interesting point for me...  So real world IP to location
database could be developed using something like this.  I guess
satellite hops put a wrinkle into this, but all the same...

Do you think the feds, or somebody equally funded, has already developed
such a database?

--
"Reality is merely an illusion, albeit a very persistent one."
Albert Einstein
http://www.bwo1.com

## Re: Use iptables to block all non-US ssh traffic

In the Usenet newsgroup comp.os.linux.security, in article

It's not widely enough implemented. I have three ISPs, and not one of
them includes location data in the names.  At work, we've also removed
location data from the names.  Thus, you are limited to the address of
the last backbone router, as they _tend_ to have location encoded in
the names - but this is FAR from common.

There is a database that claims to have location data - "visual traceroute"
or some such name. It's a bit better, but still far from a sure thing.

Old guy

## Re: Use iptables to block all non-US ssh traffic

(posting after having read what has now become a quite long thread)

Ok, fair enough.  So maybe I was asking from the wrong direction.
Perhaps what I should do it ask in the reverse.  Ie.
We want to block everyone except those ranges where the site is
*predominately* in the US. I suspect that the list is much shorter.

Keep in mind, that I'm not terrably concerned with accidentially
blocking someone legitimate.  After all, as others have said, the legit
person would then complain and I could then allow that site.

Keep in mind, this is ONLY for ssh (port 22) access.  Most of the other

--

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Chris Barnes                              AOL IM: CNBarnes
chris@txbarnes.com                      Yahoo IM: chrisnbarnes

You always have freedom of choice, but you never have freedom of
consequence.

## Re: Use iptables to block all non-US ssh traffic

There is a HUGE world of difference between "technically no list" and
the "reality of what we need".

Frankly, I wouldn't care a wit if some of the blocked addresses are used
in the US.  What matters is where *MY USERS* might be coming from.  That
is a finite number and even for "world traveler physics professors", the
list isn't all that exhaustive.

cox-internet.com
verizon.net

(and these only because they are the 2 high speed internent providers in
our little town)

The rest all going to be predominately either US .edu sites, or US gov
research facilities (fermi lab, etc).

If I end up blocking some local isp in Caper, WY, that's probably a good
thing.

--

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Chris Barnes                              AOL IM: CNBarnes
chris@txbarnes.com                      Yahoo IM: chrisnbarnes

You always have freedom of choice, but you never have freedom of
consequence.

## Re: Use iptables to block all non-US ssh traffic

Chris Barnes wrote:

Yes, there is no list. What there IS would be an HELL OF A LOT OF WORK TO
FLUSH OUT, PROGRAM IN and MAINTAIN with little to no ability to do what you
really want, which is to stop hackers.

Try to understand this: THE METHOD YOU ARE ASKING TO USE WOULD NOT STOP
HACKERS. Now I ask you, what is it that you REALLY want to do? Stop hackers
or install useless rules on your firewall? If the ultimate goal is to stop
hackers, the approach you are attempting is A LOT OF WORK with VERY LITTLE
if any ability to stop hackers. You would about as well if you just put in

Let's see, if I got it right the total number of IP address is something
like  4,294,967,296. If they were all subnetted out to be basicly class C

"Not exhaustive" could still mean tens of thousands of rules to be added to
your firewall. Is that what you REALLY want? I get the idea you don't
really understand what it is that you are asking.

Get it? It does not have to be "exhaustive" to be PROHIBITIVE.

Even if it is only a couple of hundred, is that what you really want? And
what MATTERS is where the HACKERS are coming from and how they get to you
system. Even with the rules you are thinking about, you are not stopping
them, so what's the point? You do all the work to put up security to stop
the hackers but it is such a sieve that it does not stop hackers, what's
the point?

Get it? Even if you put in a couple of hundred rules, it is so easy for a
hacker to get past them they are virtually USELESS.

Don't you get it? The lists are not accurate enough to be worth anything at
all, to get something that might be remotely useable would take an
inordinate mount of time. Once you DO get something (even though it is
basically still useless) the number of rules would be prohibitive just to
manage AND after all of this, it would in reality be a futile effort
because it would be so easy for a hacker to bypass the list.

research facilities can be com as well so using the .xxx designation is
virtually useless. And trust me, some of the best hackers come from .edu
sites.

Unfortunately there is no way you would know for sure WHAT you are blocking
using the "list". The possibility of blocking Casper is equal to the
possibility of blocking your most important customer. As I sated before,
the complaint may not come to YOU but to someone that can FIRE you. Even if
you block someone from hacking you from Europe, the chances are they are
not using THEIR computer in the first place. The chances are, the hacker is
using a system that they have already hacked. So, to get past your pitiful
rules, All they would need to do is hack something in the USA and poof, all

NOW IT IS TIME FOR YOU TO GET REAL. Do you want something SECURE and easy to
manage or do you want something that is a lot of work for little or no
security?

--

## Re: Use iptables to block all non-US ssh traffic

matt_left_coast wrote:
<snip>
Tons of stuff. About a 9.2 on the open-ended Shrieker Scale. You do realize
that all-caps means you're shouting, right? You may want to use The Great
Runes sparingly. Otherwise what you're trying to say gets lost in the way
you're saying it.

## Re: Use iptables to block all non-US ssh traffic

Greg Metcalfe wrote:

Oh, it's the net nanny! If what I said from the very first had been read,
EMPHASES would not have been needed.

Now, unless you can add something of value, move along and nag someone else.

--

## Re: Use iptables to block all non-US ssh traffic

matt_left_coast wrote:

Sorry, this is too good to pass....

Dude, ah, you spelled "EMPHASES" wrong.... it's "emphasis"

Even though you don't mean it, you really are a funny guy :)

## Re: Use iptables to block all non-US ssh traffic

base60 wrote:

Guess I was wrong in that post I just cancled, you did NOT get something
right. Emphases is the PLURAL of emphasis.

From "The Collaborative International Dictionary of English":

emphasis \em"pha*sis\ ([e^]m"f[.a]*s[i^]s), n.; pl. Emphases <----------
([e^]m"f[.a]*s[=e]z). [L., fr. Gr. 'emfasis significance,
force of expression, fr. 'emfainein to show in, indicate;
'en in + fai`nein to show. See In, and Phase.]

From the "Merriam-Webster Online" dictionary

Main Entry: em·pha·sis
Pronunciation: 'em(p)-f&-s&s
Function: noun
Inflected Form(s): plural em·pha·ses  /-"sEz/ <--------------------
Etymology: Latin, from Greek, exposition, emphasis, from emphainein to
indicate, from en- + phainein to show -- more at FANCY
1 a : force or intensity of expression that gives impressiveness or
importance to something b : a particular prominence given in reading or
speaking to one or more words or syllables

Since I did use more than one emphasis, the use of the plural form emphases
is indeed correct and you, as usual and expected, are wrong, AGAIN.

Bwahahahahahahahahah, as hard as you try, I would think that even YOU would
realize that you are always WRONG. Bet you think you get "French Benefits"
at work, right? Emphases intended. bwahahahahah.

--

## Re: Use iptables to block all non-US ssh traffic

matt_left_coast wrote:

Can't you children take this off line?

--
----------------
Barton L. Phillips
Applied Technology Resources, Inc.
Tel: (818)652-9850
Web: http://www.applitec.com

## Re: Use iptables to block all non-US ssh traffic

... and you repost the whole exchange ... brilliant.

## Re: Use iptables to block all non-US ssh traffic

Barton L. Phillips wrote:

Wow, repost the whole thing to add absolutely no substance. The simple
matter is, you don't have to read it.

--

LOL :-)

## Re: Use iptables to block all non-US ssh traffic

Hardly.  I block them all, then open up the individual ranges when
someone complains.  The rest I don't give a squat about.

YOU really don't get it.  I'm not a retail business.  My "customers" are
professors & students HERE.  Of those, maybe half a dozen use SSH when
they travel.

In other words, it is TRIVIAL to not block my "customers".

I think I'll do it by ignoring you and instead listening to someone
else.

--

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Chris Barnes                              AOL IM: CNBarnes
chris@txbarnes.com                      Yahoo IM: chrisnbarnes

You always have freedom of choice, but you never have freedom of
consequence.

## Re: Use iptables to block all non-US ssh traffic

Chris Barnes wrote:

Then why bother with the list to begin with? Nuff said.

--

## Re: Use iptables to block all non-US ssh traffic

Chris Barnes wrote:

So block everybody, talk to your half-dozen "customers" to see where they're
coming from, and explictly allow them in.  Trivial solution.

Doug

## Re: Use iptables to block all non-US ssh traffic

Douglas O'Neal wrote:

Except they are travailing and you would be constantly unblocking ports for
them. This would still be easier than to try to figure out how to write
rules for to allow only the United States. Of course there are simple ways
to make it so these half dozen can go anywhere in the world and they can
open the port they need (in a secure way) automaticaly. I have suggested
one such solution.

--

## Re: Use iptables to block all non-US ssh traffic

Chris Barnes wrote:

If you are only going to unblock ranges when somebody complains, why are you
asking for the lists to begin with????? I listed the 16+ Million possible
networks as an example of the SCOPE you are trying to deal with. Of course
you would not have to write that many rules. Still, lets say only 10% of
the total networks are in the USA, that would still be ONE MILLION SIX
HUNDRED THOUSAND networks. Then lets say that because they can be grouped
into ranges so you only need to write rules totaling about 10% of the
addresses, that would STILL be one HUNDRED SIXTY THOUSAND RULES you would
have to write.

What you are asking to do IS NOT TRIVIAL.

Yes, *I* do, it is you that is not get it.

If it is only a couple of dozen users, why are you wanting to do the amount
of work it would take to unblock all the USA address. There are other
methods that are far more secure and far easier to manage that what you are

Here is a good one that I have suggested OVER and OVER:

PORT KNOCKING

http://www.portknocking.org /

It would be PERFECT for what you need. The half dozen would be able to
travel ANYWHERE in the world and connect to your site without worrying
about lists of USA addresses AND YOU WOULD HAVE A MORE SECURE NETWORK FOR
LESS.

Then why aren't you doing it????????????? Why are you still asking for
"lists"? You already have been given the best that is out there, why are

It would be trivial IF you knew WHERE they were going to be. And WHEN. If it
were so "TRIVIAL", again I would have to ask, WHY ALL THE WORK WITH THE
LIST?????? You simply are NOT MAKING ANY SENSE. To get it so using the list
is trivial, you would need to get it to the point were they would not offer
any SECURITY. Isn't security the reason you are doing this in the first
place? The lists you are asking for would not be a trivial task so you must

Who??????? What LISTS have they given you??? I have seen what has been
recommended so far. Go ahead, knock yourself out. It will not be "Trivial"
It WILL NOT SECURE YOUR NETWORK. And again I have to ask you:

Why do you want to do this if you are not getting any real security benefit
from it????? It is clear that what is available is NOT good enough for you
or you would still not be here.

--