Linux firewall – iptables 101c

GEO Blocking network access – blocking specific IP blocks (GEO-blocking – do you really need those connections from Asia?)

CAVEAT: The flow of packets through your system is fairly complex – I am limiting this discussion and I encourage you to RTM as well as the tutorial referenced below…

There are a number of places where an Internet-connected server can block network access by country; some of them are:

  • at the firewall level,
  • at the server (network service process, e.g. Apache *.conf or .htaccess files) level, and
  • at the application (e.g. within your code, like WordPress SPAM filters) level.

This post will focus on using iptables and touch on using a web application firewall (WAF) like mod_security for Apache.

NOTE: the approach taken in this post is to block ALL access – it is also possible to block selected access, as well as the inverse, i.e. only allow specific/selected access like http connections (port 80 is open).

A few comments

In earlier days it was common for OS vendors to include network and server security features but to deliver new products with all network access OPEN; thankfully, most current OS distributions are delivered with network services locked down. Sadly, the really bad news is that the knowledge and skills needed to manage servers and network services are being replaced by generic management tools, so it is becoming more likely that programmers/designers/others without real experience in configuring and managing network services at the server level are bringing systems online; new systems are supposed to be ready to go. We may not know how the server was built, who built it, when it was built or what the patch level is, but it has to be ok, right – since we can just download/install/use it?

As we move network services into the cloud and as virtual machines proliferate, it becomes more likely that new levels of network/server/machine abuse will also proliferate. Soooo, what can you do to reduce the chance of network/server abuse/hacking? Blocking access from known bad guys might be one component of your overall security posture (you do have a security plan/strategy, right?)

Suggested Steps

  1. identify your tool of choice – iptables in this instance
  2. build your list of bad guys OR your list of IPs to block
  3. decide whether to LOG, DROP or LOG & DROP connections
  4. use a control file (list of IPs to block) and a script to add the rules
  5. review your logs

In this case I will build a new filter chain called Block_ALL. I will append new IPs to the chain and the chain will be connected to the INPUT chain. What about the OUTPUT and FORWARD chains? [The flow of packets through your system is fairly complex – I am limiting this discussion and I encourage you to RTM as well as the tutorial referenced below...]

A sample script for blocking an entire sub-net:

#!/bin/bash
####
set -x
#### rule-set may vary if you have more than one NIC ###
ETH_WORLD=eth3  ### my NIC connected to 'the world'
### i.e. traffic to/from the Internet
###
###
### create a new chain called 'Block_ALL'
iptables -N Block_ALL
###
############
### Sample IP blocks from APNIC (Asia) IP space (2009)
#iptables -A Block_ALL -m iprange --src-range 58.0.0.0-58.255.255.255 -j DROP
### The IP block above would DROP connections from: Afghanistan, Australia,
#- Bangladesh, China, Hong Kong, India, Indonesia, Japan, Malaysia,
#- New Zealand, Pakistan, Philippines, Republic of Korea, Singapore, Taiwan,
#- Thailand, and Vietnam (based on relatively current 2009 IP info...)
###
#iptables -A Block_ALL -m iprange --src-range 221.166.0.0-221.166.255.255 -j DROP
### The IP block above affects connections from Hong Kong
############
### now we use '-A' to APPEND rules to the chain Block_ALL
### now two entries PER IP Range/Address to log & block
### NOTE: '-s START/END' is NOT a range: iptables reads whatever follows
### the '/' as a netmask, so '-s 58.0.0.0/58.255.255.255' matches almost
### nothing. A START-END range needs the iprange match module (or use
### CIDR notation, e.g. '-s 58.0.0.0/8').
### the section below could be enhanced with a loop that sets
### the values of START & END blocks; of course you can also
### manually create a list as shown in the sample above
IP_START_BLOCK=58.0.0.0
IP_END_BLOCK=58.255.255.255
RANGE=${IP_START_BLOCK}-${IP_END_BLOCK}
iptables -A Block_ALL -m iprange --src-range ${RANGE} -i ${ETH_WORLD} -j LOG
iptables -A Block_ALL -m iprange --src-range ${RANGE} -i ${ETH_WORLD} -j DROP
###
### hand non-matching packets back to the INPUT chain
iptables -A Block_ALL -j RETURN
###
##########
### Insert the rules above to INPUT chain
iptables -I INPUT -j Block_ALL

When I save the above as ‘block-all.txt’ and run it I see:

bash block-all.txt
+ ETH_WORLD=eth3
+ iptables -N Block_ALL
+ IP_START_BLOCK=58.0.0.0
+ IP_END_BLOCK=58.255.255.255
+ RANGE=58.0.0.0/58.255.255.255
+ iptables -A Block_ALL -s 58.0.0.0/58.255.255.255 -i eth3 -j LOG
+ iptables -A Block_ALL -s 58.0.0.0/58.255.255.255 -i eth3 -j DROP
+ iptables -A Block_ALL -j RETURN
+ iptables -I INPUT -j Block_ALL

Now if I review the new Block_ALL chain I see:

iptables -nL Block_ALL
Chain Block_ALL (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  eth3   *       58.0.0.0/58.255.255.255  0.0.0.0/0           LOG flags 0 level 4
    0     0 DROP       all  --  eth3   *       58.0.0.0/58.255.255.255  0.0.0.0/0
  437  131K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

You can build a list of IP addresses/Ranges to block based on:

  1. a review of public IP space information, e.g. from IANA.ORG
  2. a review of ‘bad activity’ on your server (Apache or other logs)
  3. any other source – that you trust…

Do you have to block the entire IP Range?

No – you can block a sub-net (e.g. 221.123.22.0 – 221.123.22.255):

IP_START_BLOCK=221.123.22.0
IP_END_BLOCK=221.123.22.255

Or block a single IP address:

IP_START_BLOCK=221.123.22.123
IP_END_BLOCK=221.123.22.123
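Steps 2 to 5 above (build the list, LOG & DROP, control file plus script, review the logs), together with the sub-net and single-address variants, combined into one control-file driven script. This is an added example written for this page, not the post's own block-all.txt: it assumes bash, the iptables iprange match module, root to apply the rules, and a hypothetical control file /etc/block-all.txt; START-END entries use -m iprange --src-range because iptables reads '-s START/END' as address/netmask, not as a range.

```bash
#!/bin/bash
# Added example, not the original post's script: build Block_ALL from a control
# file, one entry per line: CIDR (221.123.22.0/24), START-END range
# (58.0.0.0-58.255.255.255) or one address. Assumes bash + iptables iprange; root to apply.
set -uf                                # -f: no globbing while word-splitting
ETH_WORLD=${ETH_WORLD:-eth3}           # NIC connected to 'the world'
CONTROL_FILE=${CONTROL_FILE:-/etc/block-all.txt}   # hypothetical path
CHAIN=Block_ALL
IPTABLES=${IPTABLES:-iptables}         # IPTABLES=echo gives a dry run

# Syntax check for a dotted quad; rejects octets above 255 and junk.
valid_ipv4() {
  local IFS=. o; set -- $1
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# Print the LOG and DROP rule for one entry; print nothing and return 1 for
# a malformed one (e.g. 58.0.0.0/58.255.255.255: iptables accepts that dotted
# mask, but it is not a start-end range and matches almost nothing).
rules_for_entry() {
  local entry=$1 match
  case $entry in
    */*) valid_ipv4 "${entry%/*}" || return 1
         case ${entry#*/} in [0-9]|[12][0-9]|3[012]) match="-s $entry";; *) return 1;; esac ;;
    *-*) valid_ipv4 "${entry%-*}" && valid_ipv4 "${entry#*-}" || return 1
         match="-m iprange --src-range $entry" ;;
    *)   valid_ipv4 "$entry" || return 1
         match="-s $entry/32" ;;
  esac
  printf '%s\n' "-A $CHAIN $match -i $ETH_WORLD -j LOG --log-prefix BLOCK_ALL:" \
                "-A $CHAIN $match -i $ETH_WORLD -j DROP"
}

# Rebuild the chain from the control file; safe to re-run after edits.
build_chain() {
  local entry rule
  $IPTABLES -N $CHAIN 2>/dev/null || $IPTABLES -F $CHAIN
  while read -r entry _; do
    case $entry in ''|\#*) continue;; esac
    rules_for_entry "$entry" >/dev/null || { echo "bad entry: $entry" >&2; continue; }
    rules_for_entry "$entry" | while read -r rule; do $IPTABLES $rule; done
  done < "$CONTROL_FILE"
  $IPTABLES -A $CHAIN -j RETURN
  $IPTABLES -C INPUT -j $CHAIN 2>/dev/null || $IPTABLES -I INPUT -j $CHAIN  # hook once
}
if [ "${1:-}" = apply ]; then build_chain; fi
```

Run it as `IPTABLES=echo ./block-all.sh apply` to print the rules without touching the firewall; malformed control-file lines are reported on stderr and skipped instead of being loaded.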

What about Mod_Security IP Blocking?

You create rules to block an IP or an IP Range – this requires editing configuration files unless you use custom or third party tools. The rules are simple once you have configured mod_security behaviours (example for version 2.x of mod_security; a SecRule with no actions of its own inherits the blocking action from SecDefaultAction) – to block a single IP, anchor the regular expression so that it cannot match inside a longer address:

SecRule REMOTE_ADDR "^xx\.xx\.xx\.xx$"

where you replace the ‘xx’ with IP numbers. To block a range, match the network part of the address (REMOTE_ADDR is a plain dotted address, so a MASK such as /24 inside the regular expression would never match):

SecRule REMOTE_ADDR "^xx\.xx\.xx\.[0-9]{1,3}$"
SecRule REMOTE_ADDR "^221\.123\.22\.[0-9]{1,3}$"

Later 2.x releases (2.7 and up) add the @ipMatch operator, which understands CIDR notation directly:

SecRule REMOTE_ADDR "@ipMatch 221.123.22.0/24"

BTW: Another option for Apache traffic blocking is to use mod_security AND mod_geoip. This may be somewhat simpler since it only involves installing the modules and making configuration changes in your Apache installation(s). The latest version of mod_security also provides ‘hooks’ for using mod_geoip so you could build rules using country designations and not worry about IP addresses – as stated below, do your own research to confirm that the data you use is and remains accurate…

After a year of log reviews I only block ~20+ IP sub-nets (~6000 IPs) along with ~2500 unique IPs.

Maintenance/Downsides to Geo-IP Blocking?

  • Yes – things can change – you have to re-validate/update your rule sets periodically…
  • You can also have false positives (i.e. you enter incorrect ranges and block desirable traffic)
  • In my case I use auto-magic blocking based on network traffic analysis (frequent but simple review of logs for malicious/suspicious activity)
  • For production environments I encourage folks to use a REAL FIREWALL (i.e. dedicated hardware) along with a defense-in-depth (DiD) posture and a host-based firewall (i.e. iptables rule sets on your servers) – and yes, I would also encourage using similar Geo-IP blocking in both cases…

DISCLAIMER

  • a server firewall is only one level of protection – are you protecting the rest of your system(s)?
  • don’t use your production system to experiment with firewalls – things will break.
  • don’t use the information from this (or any other web resource) as GOSPEL – confirm everything on your own systems
  • at some point you need to read THE iptables tutorial tome written by Oskar Andreasson (several hundred pages including sample scripts – read the ‘chunky html’ version when online or download and install it on your system…)
  • your mileage will vary and it is quite possible that I have made mistakes so CAVEAT EMPTOR!
