Fail2ban
fail2ban custom action to permanently ban IPs from China
When an IP address gets banned, how can I check whether the banned IP address is from China and, if it is, add it to a permanent ban list?
I found this nice guide that writes the banned IPs to a file.
Reason: every day I get a large number of brute-force attacks from China. Luckily fail2ban is helping to limit them, although they seem to be getting worse and the attackers just keep changing their IP addresses.
Or it would be even better if there were a maintained database of known attacker IP addresses.
Example 1
Hi,

The IP 60.169.78.77 has just been banned by Fail2Ban after 4 attempts against vsftpd.

Here are more information about 60.169.78.77:

% [whois.apnic.net node-7]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 60.166.0.0 - 60.175.255.255
netname: CHINANET-AH
descr: CHINANET anhui province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: JW89-AP
mnt-by: APNIC-HM
mnt-routes: MAINT-CHINANET-AH
mnt-lower: MAINT-CHINANET-AH
status: ALLOCATED PORTABLE
changed: hm-changed@apnic.net 20040721
source: APNIC

person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: anti-spam@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: dingsy@cndata.com 20070416
mnt-by: MAINT-CHINANET
source: APNIC

person: Jinneng Wang
address: 17/F, Postal Building No.120 Changjiang
address: Middle Road, Hefei, Anhui, China
country: CN
phone: +86-551-2659073
fax-no: +86-551-2659287
e-mail: wang@mail.hf.ah.cninfo.net
nic-hdl: JW89-AP
mnt-by: MAINT-NEW
changed: wang@mail.hf.ah.cninfo.net 19990818
source: APNIC

Regards,

Fail2Ban
Example 2
Hi,

The IP 60.169.78.81 has just been banned by Fail2Ban after 4 attempts against vsftpd.

Here are more information about 60.169.78.81:

% [whois.apnic.net node-6]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 60.166.0.0 - 60.175.255.255
netname: CHINANET-AH
descr: CHINANET anhui province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: JW89-AP
mnt-by: APNIC-HM
mnt-routes: MAINT-CHINANET-AH
mnt-lower: MAINT-CHINANET-AH
status: ALLOCATED PORTABLE
changed: hm-changed@apnic.net 20040721
source: APNIC

person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: anti-spam@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: dingsy@cndata.com 20070416
mnt-by: MAINT-CHINANET
source: APNIC

person: Jinneng Wang
address: 17/F, Postal Building No.120 Changjiang
address: Middle Road, Hefei, Anhui, China
country: CN
phone: +86-551-2659073
fax-no: +86-551-2659287
e-mail: wang@mail.hf.ah.cninfo.net
nic-hdl: JW89-AP
mnt-by: MAINT-NEW
changed: wang@mail.hf.ah.cninfo.net 19990818
source: APNIC

Regards,

Fail2Ban
Example 3
Hi,

The IP 222.133.244.99 has just been banned by Fail2Ban after 4 attempts against vsftpd.

Here are more information about 222.133.244.99:

% [whois.apnic.net node-6]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 222.133.244.96 - 222.133.244.127
netname: LCZFFHQ
country: CN
descr: liaochenggovermentfanghuoqiang
admin-c: DS95-AP
tech-c: DS95-AP
status: ASSIGNED NON-PORTABLE
changed: ip@sdinfo.net 20060122
mnt-by: MAINT-CNCGROUP-SD
source: APNIC

route: 222.132.0.0/14
descr: CNC Group CHINA169 Shandong Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20060118
source: APNIC

person: Data Communication Bureau Shandong
nic-hdl: DS95-AP
e-mail: ip@sdinfo.net
address: No.77 Jingsan Road,Jinan,Shandong,P.R.China
phone: +86-531-6052611
fax-no: +86-531-6052414
country: CN
changed: ip@sdinfo.net 20050330
mnt-by: MAINT-CNCGROUP-SD
source: APNIC

Regards,

Fail2Ban
I would recommend not using whois, but instead one of the available GeoIP databases, such as http://www.maxmind.com/download/geoip/database/
Most programming languages (PHP, Python, Perl, etc.) have bindings to parse these formats easily.
A "hacker IP" database is meaningless today, particularly because:
- IPv4 addresses change owners rapidly
- Because of widespread botnets, the ownership and use of an IP is unclear
- IPv6 adoption (finally!) makes the first problem even worse; maintaining a database of 2^128 addresses is practically impossible (even though it would be sparse)
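The decision the question asks for, written out as an added example (this is not code from the question, the answer or the Fail2Ban project): take the IP a ban notification names, look its country up in a GeoIP-style table, and append it to a permanent ban list only if the country matches. The country lookup here is built from a small constructed prefix table (the CN ranges are the inetnum and route blocks from the whois output above, plus one made-up non-CN range), because a real GeoIP database cannot be embedded; in deployment `build_lookup` is the piece you swap for a MaxMind reader, and everything else stays the same. The script name, the list-file path and the `SAMPLE_RANGES` table are assumptions.

```python
"""Permanent-ban decision for IPs that Fail2Ban has just banned.

Added example; not code from the question, the answer or Fail2Ban itself.
Assumption: the country lookup below comes from a small constructed prefix
table instead of a real GeoIP database. In deployment replace build_lookup()
with a MaxMind reader (for example geoip2's Reader.country(ip).country.iso_code)
and keep the rest unchanged.
"""
import ipaddress
import re
import tempfile
from pathlib import Path

# Constructed stand-in for a GeoIP country database. The CN entries are the
# inetnum / route blocks shown in the question's whois output; the last entry
# is a made-up non-CN range (the TEST-NET-3 documentation block) for the
# negative case.
SAMPLE_RANGES = [
    ("60.166.0.0", "60.175.255.255", "CN"),
    ("222.132.0.0", "222.135.255.255", "CN"),      # route 222.132.0.0/14
    ("222.133.244.96", "222.133.244.127", "CN"),   # inetnum from example 3
    ("203.0.113.0", "203.0.113.255", "AU"),        # constructed, non-CN
]

# Matches the first line of the Fail2Ban notification mail shown above.
BAN_NOTICE_RE = re.compile(
    r"The IP (?P<ip>\S+) has just been banned by Fail2Ban "
    r"after (?P<attempts>\d+) attempts against (?P<jail>[\w-]+)"
)


def build_lookup(ranges):
    """Turn (first, last, country) ranges into a longest-prefix-match lookup.

    whois ranges are not always one CIDR block (60.166.0.0-60.175.255.255 is
    a /15 plus a /13), so summarize_address_range() splits them correctly.
    """
    nets = []
    for first, last, cc in ranges:
        for net in ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)):
            nets.append((net, cc))

    def lookup(ip):
        addr = ipaddress.ip_address(ip)
        best = None
        for net, cc in nets:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, cc)
        return best[1] if best else None

    return lookup


def parse_ban_notice(text):
    """Extract ip, attempt count and jail name from a notification mail."""
    m = BAN_NOTICE_RE.search(text)
    if m is None:
        return None
    return {"ip": m.group("ip"), "attempts": int(m.group("attempts")),
            "jail": m.group("jail")}


def add_to_permaban(ip, list_path, country_lookup, countries=frozenset({"CN"})):
    """Append ip to the permanent list if its country is in `countries`.

    Returns True when the address was written, False when it was skipped
    (other country, or already listed). Parsing with ipaddress first means a
    malformed value handed in through the action's <ip> tag raises instead of
    being written into a file that later feeds firewall rules.
    """
    addr = ipaddress.ip_address(ip)
    if country_lookup(str(addr)) not in countries:
        return False
    path = Path(list_path)
    listed = set(path.read_text().split()) if path.exists() else set()
    if str(addr) in listed:
        return False
    with path.open("a") as fh:
        fh.write(f"{addr}\n")
    return True


def run_demo():
    """Run the IPs from the question through the decision in a temp dir."""
    lookup = build_lookup(SAMPLE_RANGES)
    with tempfile.TemporaryDirectory() as tmp:
        listfile = Path(tmp) / "permaban.txt"
        decisions = [add_to_permaban(ip, listfile, lookup) for ip in
                     ("60.169.78.77", "60.169.78.77",
                      "222.133.244.99", "203.0.113.5")]
        return decisions, listfile.read_text()


if __name__ == "__main__":
    import sys
    # Intended to be run from a Fail2Ban action as: permaban.py <ip> /path/to/list
    print(add_to_permaban(sys.argv[1], sys.argv[2], build_lookup(SAMPLE_RANGES)))
```

Wired into Fail2Ban, the script would be the `actionban` command of a custom action in `action.d`, with Fail2Ban substituting the `<ip>` tag; the list file it appends to is what a separate firewall rule or a second jail then reads. Two points follow from the answer above: the country table has to be refreshed regularly because IPv4 ranges change hands, and the lookup is keyed on the current allocation, not on any memory of past attackers.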