Denial of Service
We are continually bombarded with outside attempts to connect
to our systems, to break in.
It's mostly `ssh` attempts to login to well known userids
(e.g. "root") and try common passwords.
It sometimes causes serious performance degradation.
On Linux based systems,
a practical approach to handle a specific attack is to add
the offending IP address to /etc/hosts.deny.
One catch is that a range of addresses could be attacking.
Another catch is that choosing a simple prefix of the address
can block much more than is intended.
So, our procedure, when attacked from a range of addresses,
is to block at most from the ISP supporting the addresses.
The relevant address range can be determined using the `whois` command,
applied to various area servers.
E.g. given an address like 103.41.124.10 one can try:
% for server in \
> whois.apnic.net \
> whois.ripe.net \
> whois.afrinic.net \
> whois.arin.net \
> whois.lacnic.net \
> whois.nic.or.kr \
>; do
> whois -h $server 103.41.124.10 | egrep '^(OrgName|descr|CIDR|inetnum):'
>done
inetnum: 103.41.124.0 - 103.41.124.255
descr: HEETHAI LIMITED
inetnum: 103.0.0.0 - 103.255.255.255
descr: IPv4 address block not managed by the RIPE NCC
inetnum: 0.0.0.0 - 255.255.255.255
descr: The whole IPv4 address space
CIDR: 103.0.0.0/8
OrgName: Asia Pacific Network Information Centre
inetnum: 103.41.124.0 - 103.41.124.255
descr: HEETHAI LIMITED
inetnum: 103.41.124.0 - 103.41.124.255
descr: HEETHAI LIMITED
inetnum: 103.41.124.0 - 103.41.124.255
descr: HEETHAI LIMITED
to discover the answer (103.41.124.0/24).
Some whois servers will refer to the right server
if they don't know the answer.
Once the address range that contains the offending addresses is discovered,
the /etc/hosts.deny file can be updated.
We should keep it the same for all machines that allow `ssh` in,
i.e. the linux.cs and linux.student.cs systems.
`man hosts.deny` says:
- An expression of the form `n.n.n.n/m.m.m.m´ is interpreted as a `net/mask´ pair. An IPv4 host address is matched if `net´ is equal to the bitwise AND of the address and the `mask´. For example, the net/mask pattern `131.155.72.0/255.255.254.0´ matches every address in the range `131.155.72.0´ through `131.155.73.255´. `255.255.255.255´ is not a valid mask value, so a single host can be matched just by its IP.
- An expression of the form `n.n.n.n/mm' is interpreted as a `net/masklength' pair, where `mm' is the number of consecutive `1' bits in the netmask applied to the `n.n.n.n' address.
so a CIDR or netmask ought to make this practical.
Although a search finds some claims that only the netmask will work.
Note that a better approach to the problem is
Fail2ban.
However until we have that, we're stuck with the /etc/deny.hosts approach.