US IP addresses

Started by dlots, November 24, 2015, 08:21:05 AM


dlots

I am trying to run an Asterisk server and I keep getting people trying to authenticate to it from Germany, so since I don't know anyone outside of the US I was thinking that an ACL that allows only people in the US through would be quite nice. Anyone know of such an ACL, or where to get that info?

routerdork

They usually deal with bogons but my first thought would be Team Cymru.
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

deanwebb

Although I'm not a fan of geolocation as a means to block baddies, it has its uses, particularly for small firms that serve a limited area. Keep in mind that this is probably something you want to run on a bulk traffic router, not a firewall. Have the bulk router drop packets that you know you don't want so that the firewall can deal with the question marks.

https://www.countryipblocks.net/country_selection.php

I'd do an "allow" on the US ranges rather than a "deny" on non-US ranges. Shorter ACL that way. Still, it's a beast...
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

I think the better way would be to route unwanted return traffic to Null0; it makes the ACL check less CPU intensive.

My Moral Fibers have been cut.

dlots

Thank you for the link!!

I love the idea of the null route idea!

dlots

Wow, the US is ~55k lines, gonna need some clean up I think, not sure it's worth it

deanwebb

Quote from: dlots on November 24, 2015, 12:36:42 PM
Wow, the US is ~55k lines, gonna need some clean up I think, not sure it's worth it

That null route is lookin' really good now, huh?


routerdork

This looks to be a bit automated if taking the tedious path.
https://www.countryipblocks.net/country_selection.php

Haha I didn't pay enough attention to the earlier link. Ooops.

dlots

Yeah, so far my main issue has been with
85.25.248.68

These are in the US, so I should be able to do a deny 85.0.0.0/10 and stop some of it and not affect myself at all.

85.115.40.0 0.0.7.255
85.158.48.0 0.0.1.255
85.238.144.0 0.0.3.255
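Added example (not code from anyone in the thread): a small Python helper for the two chores discussed above, collapsing a huge "address wildcard" country list into fewer CIDRs, and checking whether a proposed deny range like 85.0.0.0/10 would overlap any of your own allowed ranges. The sample list uses the three entries quoted above plus one constructed adjacent entry; the function names are my own.

```python
import ipaddress


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco-style 'address wildcard' pair (e.g. 85.115.40.0 0.0.7.255)
    into a CIDR network. Only contiguous wildcard masks are accepted."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):            # contiguous low-order ones => wc+1 is a power of two
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    prefix = 32 - wc.bit_length()
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=True)


def collapse_acl(lines):
    """Parse 'address wildcard' lines, skipping blanks and '!' comments, and
    merge adjacent/overlapping networks (the 'clean up' a 55k-line list needs)."""
    nets = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        addr, wc = line.split()
        nets.append(wildcard_to_network(addr, wc))
    return list(ipaddress.collapse_addresses(nets))


def is_in_allow_list(ip: str, allowed) -> bool:
    """True if the address falls inside any allowed network."""
    a = ipaddress.IPv4Address(ip)
    return any(a in n for n in allowed)


def deny_overlaps_allow_list(deny_cidr: str, allowed) -> bool:
    """True if a proposed deny range would also catch part of the allow list,
    i.e. the deny would lock you out of your own ranges."""
    deny = ipaddress.IPv4Network(deny_cidr)
    return any(deny.overlaps(n) for n in allowed)


# Constructed sample: the three ranges quoted in the thread plus one
# adjacent block so the collapse step has something to merge.
SAMPLE_ACL = """
85.115.40.0 0.0.7.255
85.158.48.0 0.0.1.255
85.238.144.0 0.0.3.255
85.238.148.0 0.0.3.255
"""

if __name__ == "__main__":
    allowed = collapse_acl(SAMPLE_ACL.splitlines())
    print([str(n) for n in allowed])                      # 4 entries collapse to 3
    print(is_in_allow_list("85.25.248.68", allowed))      # the offender: False
    print(deny_overlaps_allow_list("85.0.0.0/10", allowed))  # safe to deny: False
```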

icecream-guy

Quote from: dlots on November 24, 2015, 03:10:39 PM
Yeah, so far my main issue has been with
85.25.248.68

These are in the US, so I should be able to do a deny 85.0.0.0/10 and stop some of it and not affect myself at all.

85.115.40.0 0.0.7.255
85.158.48.0 0.0.1.255
85.238.144.0 0.0.3.255

Why not just block that offender individually?

dlots

I assume he probably doesn't have a static IP address so it will change eventually, so I need to block anything his ISP might give him.

deanwebb

Could always re-invent the IPS and block based on the traffic type/signature. Every now and again, blocking by IP is going to bite you in the backside.

"Say, how come I can get email from this client on my Gmail, but not on the company system?"

dlots

The issue is that he's trying to register a phone with my Asterisk box, which I need to be able to do or having it is pointless; I just want me to be able to do it, though, and not people in Germany. This is a box sitting in the cloud so I can't really stick it behind an IPS/firewall. I only have the Linux firewall.

deanwebb

Sounds like you get to play IP address whack-a-mole, then.