US IP addresses

dlots · November 24, 2015, 08:21:05 AM

I am trying to run an asterisk server and i keep getting people trying to authenticate to it from Germany, so since I don't know anyone outside of the US I was thinking that an ACL that allows only people in the US though would be quite nice. Anyone know of such an ACL? or where to get that info?

routerdork · November 24, 2015, 08:48:40 AM

They usually deal with bogons but my first thought would be Team Cymru.

deanwebb · November 24, 2015, 09:21:54 AM

Although I'm not a fan of geolocation as a means to block baddies, it has its uses, particularly for small firms that serve a limited area. Keep in mind that this is probably something you want to run on a bulk traffic router, not a firewall. Have the bulk router drop packets that you know you don't want so that the firewall can deal with the question marks.

https://www.countryipblocks.net/country_selection.php

I'd do an "allow" on the US ranges rather than a "deny" on non-US ranges. Shorter ACL that way. Still, it's a beast...

icecream-guy · November 24, 2015, 11:17:28 AM

I think the better way would be to route unwanted return traffic to Null0, makes the ACL check less CPU intensive.

dlots · November 24, 2015, 12:09:26 PM

Thank you for the link!!

I love the idea of the null route idea!

dlots · November 24, 2015, 12:36:42 PM

Wow, the US is ~55k lines, gonna need some clean up I think, not sure it's worth it

deanwebb · November 24, 2015, 01:18:25 PM

Quote from: dlots on November 24, 2015, 12:36:42 PM
Wow, the US is ~55k lines, gonna need some clean up I think, not sure it's worth it

That null route is lookin' really good now, huh?

routerdork · November 24, 2015, 02:15:42 PM

This looks to be a bit automated if taking the tedious path.
https://www.countryipblocks.net/country_selection.php

Haha I didn't pay enough attention to the earlier link. Ooops.

icecream-guy · November 24, 2015, 02:50:44 PM

Germany ACL

dlots · November 24, 2015, 03:10:39 PM

Yeah, so far my main issue has been with
85.25.248.68

These are in the US, so I should be able to do a deny 85.0.0.0/10 and stop some of it and not effect myself at all.

85.115.40.0 0.0.7.255
85.158.48.0 0.0.1.255
85.238.144.0 0.0.3.255

icecream-guy · November 25, 2015, 07:02:35 AM

Quote from: dlots on November 24, 2015, 03:10:39 PM
Yeah, so far my main issue has been with
85.25.248.68

These are in the US, so I should be able to do a deny 85.0.0.0/10 and stop some of it and not effect myself at all.

85.115.40.0 0.0.7.255
85.158.48.0 0.0.1.255
85.238.144.0 0.0.3.255

why not just block that offender individually.

dlots · November 25, 2015, 07:43:15 AM

I assume he probably doesn't have a static IP address so it will change eventually, so I need to block anything his ISP might give him.

deanwebb · November 25, 2015, 08:14:45 AM

Could always re-invent the IPS and block based on the traffic type/signature. Every now and again, blocking by IP is going to bite you in the backside.

"Say, how come I can get email from this client on my Gmail, but not on the company system?"

dlots · November 25, 2015, 08:50:18 AM

The issue is that he's trying to register a phone with my Asterisk box, which I need to be able to do or having it's pointless, I just want me to be able to do it though, and not people in Germany. This is a box sitting on the cloud so I can't really stick it behind an IPS/Firewall. I only have the Linux Firewall.

deanwebb · November 25, 2015, 12:57:04 PM

Sounds like you get to play IP address whack-a-mole, then.