[NTLUG:Discuss] Killing Bad People
Daniel L. Shipman
daniel at srj.net
Tue Feb 5 13:45:42 CST 2002
Wanadoo.fr - VERY VERY Bad people - I just thought I'd share and ask for comments on what I'm doing here - I have had NIGHTMARES from wanadoo.fr FTP entry attempts - I have a firewall in front of my servers - but on the servers themselves I am running this little shell script:
#!/bin/sh
IPT="/sbin/iptables"
#Time to clean house
#Clear out any existing firewall rules, and any chains that might have
#been created
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
#Kill the bad people
$IPT -A INPUT -s 12.251.175.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 193.251.4.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 193.253.194.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 193.253.219.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 193.253.225.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 193.253.52.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 193.253.52.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 195.174.97.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 203.141.145.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 208.251.123.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 211.47.146.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 212.60.36.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 213.132.154.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 216.51.102.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 217.136.15.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 217.136.4.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 217.226.53.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 217.230.227.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 62.155.143.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 62.163.200.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 65.93.161.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 80.11.22.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 80.11.22.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 80.13.160.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 80.13.210.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 80.8.80.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 80.11.81.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 216.112.42.58 -d 0/0 -j DROP
$IPT -A INPUT -s 208.18.255.7 -d 0/0 -j DROP
$IPT -A INPUT -s wanadoo.fr -d 0/0 -j DROP
$IPT -A INPUT -s lan.ch -d 0/0 -j DROP
$IPT -A INPUT -s eastdil.com -d 0/0 -j DROP
$IPT -A INPUT -s sympatico.ca -d 0/0 -j DROP
$IPT -A INPUT -s krline.net -d 0/0 -j DROP
$IPT -A INPUT -s noos.fr -d 0/0 -j DROP
$IPT -A INPUT -s 213.123.135.117 -d 0/0 -j DROP
$IPT -A INPUT -s 213.123.135.117 -d 0/0 -j DROP
$IPT -A INPUT -s 212.198.120.55 -d 0/0 -j DROP
$IPT -A INPUT -s 212.195.10.139 -d 0/0 -j DROP
$IPT -A INPUT -s 217.136.35.57 -d 0/0 -j DROP
$IPT -A INPUT -s 217.230.226.126 -d 0/0 -j DROP
$IPT -A INPUT -s 213.96.11.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 217.128.56.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 217.136.32.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 217.83.96.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 80.11.97.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 212.98.68.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 217.230.189.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 80.135.16.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 62.108.11.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 217.128.35.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 217.128.27.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 217.128.73.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 212.83.85.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 217.225.197.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 64.217.144.145 -d 0/0 -j DROP
$IPT -A INPUT -s 65.67.100.126 -d 0/0 -j DROP
$IPT -A INPUT -s 217.128.243.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 80.13.155.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 80.13.155.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 145.254.63.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 217.1.113.0/24 -d 0/0 -j DROP
$IPT -A INPUT -s 80.11.100.0/24 -d 0/0 -j DROP
Then in /etc/hosts.deny
#The following section contains mostly FTP problem makers
ALL: .wanadoo.fr,\
.retevision.es,\
.wiwiss.fu-berlin.de,\
.ewetel.net,\
172.188.82.22,\
.nombres.ttd.es,\
131.204.203.45,\
134.184.28.169,\
.estpak.ee,\
.kuban.ru,\
.tin.it,\
.cybercable.tm.fr,\
.pixelhouse.de,\
212.199.28.108,\
62.98.228.73,\
213.237.24.20,\
213.97.98.62,\
213.82.103.67,\
212.199.187.214,\
.nykredit.dk,\
195.101.176.125,\
195.70.202.,\
192.118.6.32,\
ip87-226.adsl.wplus.ru,\
.o-tel-o.net,\
.dip.t-dialin.net,\
.evc.net,\
213.96.224.5,\
.home.com,\
.phoenix-t.navipath.net,\
.nyc.cccnetsys.com,\
.bezeqint.net,\
.chello.nl,\
.chello.fr,\
.cccnetsys.com,\
.quicknet.nl,\
.nordnet.fr,\
217.81.85.58,\
217.225.12.3,\
.linix.co.uk,\
.hombres.ttd.es,\
24.25.251.149,\
24.226.198.25,\
24.252.140.221,\
.sympatico.ca,\
.isis.de,\
.net.mx,\
.brutele.be,\
.skynet.be,\
.club-internet.fr,\
.reimari.net,\
.stuwo-steinweg.de,\
.superonlinecorporate.com,\
.adsl.hansenet.de,\
.worldonline.dk,\
.ipt.aol.com,\
.net24.it
Thanks,
Daniel
Webmaster for:
http://www.srj.net
http://www.hometownhospital.com
http://www.easyhealthcare.net
http://www.ngpa.org
http://www.cathedralofhope.com
http://www.iusarentals.com
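
The script in the post flushes the tables and then appends its DROP rules one command at a time, repeats some entries, and passes hostnames to -s, which iptables resolves once, when the rule is added, to that name's own addresses. As an added example (not part of the original post), this shell function builds a ruleset for iptables-restore, which loads the filter table in a single commit, leaving out repeats and entries that are not addresses. The names build_ruleset and sample_list and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post. build_ruleset and
# sample_list are hypothetical names; the sample entries are constructed.

# Reads block-list entries (one per line) on stdin and prints a filter-table
# ruleset for iptables-restore on stdout. Anything that is not an IPv4
# address or CIDR block (a hostname, a bad prefix) and any repeat is
# reported on stderr and left out.
build_ruleset() {
    awk '
    function valid(e,    p, o, n, i) {
        n = split(e, p, "/")
        if (n > 2) return 0
        if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) return 0
        if (split(p[1], o, ".") != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        return 1
    }
    BEGIN {
        print "*filter"
        print ":INPUT ACCEPT [0:0]"
        print ":FORWARD ACCEPT [0:0]"
        print ":OUTPUT ACCEPT [0:0]"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    !valid($1) { print "skipped, not an address: " $1 > "/dev/stderr"; next }
    seen[$1]++ { print "skipped, duplicate: " $1 > "/dev/stderr"; next }
    { print "-A INPUT -s " $1 " -j DROP" }
    END { print "COMMIT" }'
}

# Constructed sample list (RFC 5737 documentation addresses).
sample_list() {
    cat <<'EOF'
# FTP abusers
192.0.2.0/24
198.51.100.7
192.0.2.0/24
example.net
203.0.113.0/33
EOF
}

# Print the generated ruleset. To load it in one atomic step (root needed):
#   sample_list | build_ruleset | iptables-restore
# This replaces the filter table only; --test parses without committing.
sample_list | build_ruleset
```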