
block ISP, by AS or hostname with parallels IP tables or?

DJSteveB

New Pleskian
Hello,

I am trying to figure out the best method to block all traffic from orange.fr (and wanadoo)

When I asked for a list of their ips to add to the firewall, they said "AS3215"

I asked them if the list here: http://www.fixedorbit.com/cgi-bin/cgirange.exe?ASN=3215
indicates a complete list of all IP addys they assign users, and they never replied.

Is there a best method for blocking all traffic from hosts such as Host name: aputeaux-553-1-97-159.w92-151.abo.wanadoo.fr

My first thought was to take each line of IP addys listed on that one site and add them one by one into the server firewall thing - but that is going to take a long time to do one by one. If that's what needs to be done, I will do it. However, I was hoping someone here could tell me if there is a better method to block their hostnames all at once, or if one line could be added that would block AS3215 - or what else may be best practice here.

My first post here, I hope this is in the right place - if not, sorry in advance. I did do some searches to see if this was answered and got lost in about a dozen pages of results.
 
You could also install CSF firewall, it has country based blocking. I.e., you can block the entire country by including FR in the block list ..
 
Thank you for the additional information Nikolay.

I am still very new at many of these things, and especially parallels, so forgive me if my questions are total noob.

So it may be that it is best to use IP address ranges to block the orange.fr network from accessing our server. If that is the case, is there a better way to add this list of thousands of ip blocks to the parallels panel than the 6 or so clicks it takes for each addy range add that I have been doing?

I found that a couple of people have posted about bash methods (whatever that is, I do not yet know) for blocking TOR addys that change -
http://mikhailian.mova.org/node/194
http://www.brianhare.com/wordpress/2011/03/02/block-tor-exit-nodes-using-bash-script/

I had seen something a while back where you can put something in .htaccess on Apache that will allow / deny based upon the user agent's network / hostname (is that the right term) - but I think that is not possible with Parallels? And it is likely very inefficient to look up the IP and then the hostname for every connection made to our server.

I would love to find an efficient way to add all the needed blocks to our Plesk / Parallels thing to block the entire orange.fr / wanadoo network, and all TOR exit nodes.

I'd also like to know if there is a best resource for finding all of the IP ranges that orange.fr uses, as the one resource I posted in the first post in this thread seems legit, but I have no way to know how accurate / recent it is, and whether this AS3215 thing changes frequently or not.
 
You could also install CSF firewall, it has country based blocking. I.e., you can block the entire country by including FR in the block list ..


Thank you for this suggestion, I will look up this CSF firewall to see if it has other options as well. I had been thinking that I may end up needing to block the whole country of France in the short term just to stop this one troll from coming back again and again! My host has a thing for doing so, but I think the orange / wanadoo network also extends to other countries. I am pretty sure a couple of times when I manually looked up and banned this troll, it said the hostname resolved to a place in Africa, but it was wanadoo / orange.fr owned...

And I don't really want to block all of France, I hope the other ISPs there are more able to handle abuse complaints, unlike my several poor experiences with Orange. Although if it takes banning the whole country, I certainly will do that just to stop this one guy.
 
Although if it takes banning the whole country, I certainly will do that just to stop this one guy.

Sounds too harsh. Don't feed trolls and they usually go away after a while. If you need to, introduce moderation for comments (or whatever you're dealing with). Or install some kind of spam protection. Banning an entire country to keep out one guy is just disrespectful to your other clients or visitors.

OT: Plesk firewall doesn't provide a way to automate rule addition, but it is (theoretically) relatively easy to write a script that will add them directly to Plesk DB. Firewall rules are stored as simple serialized PHP arrays.
 
There are several ways you can skin a rat, that is if it's to skin a rat :)

QN: What is the problem / challenge you are facing that is causing you to want to block an entire network? If you can tell us in detail the exact problem you are facing, perhaps we can even give you a much better solution.
 
abdi - I have a troll user who comes to our chat system and posts a bunch of unwanted and inaccurate sexual medical information. He has been doing this for over a year now. We have banned subnets of IPs and usernames each time we find him. He has now moved to a tactic of logging in, posting his **** and changing rooms very quickly in order to avoid a moderator's ban. So now I have to pull logs, find his IP and manually add it to the Parallels firewall each time.

I have written to and complained to orange.fr's abuse dept about 20 times.

The first couple of messages to them, they said they emailed and warned this user. Then he came back a month later, same ISP, same unwanted messages.

I went through the same process of banning his IP in our script, banning his username, banning his IP range via the Parallels firewall. Sent logs to orange.fr and complained again.

They sent me an email saying they warned their user not to continue.

I have been through this cycle with orange about 4 times now.

That ISP has a terrible abuse dept, and I intend to block the entire ISP from accessing our servers. I just need a current list of IPs to block and the best method for doing so.

I will do it by hand, one line at a time if I have to.. I was expecting that there would be a better method.
 
Sounds too harsh. Don't feed trolls and they usually go away after a while. If you need to, introduce moderation for comments (or whatever you're dealing with). Or install some kind of spam protection. Banning an entire country to keep out one guy is just disrespectful to your other clients or visitors.

I agree that banning the whole country is too harsh, but it would not be the first country that has been banned from our server either. Morocco is banned from our server due to the amount of malware attacks originating from there, and a lack of cooperative law enforcement and ISP enforcement issues...

OT: Plesk firewall doesn't provide a way to automate rule addition, but it is (theoretically) relatively easy to write a script that will add them directly to Plesk DB. Firewall rules are stored as simple serialized PHP arrays.

If someone can either write a script, or tell me if one of those TOR blocking scripts I posted about above are safe to use, I would gladly pay someone $20 for a modded script that will accomplish this. I am surprised this has not become a standard thing in parallels - certainly many other web sites will be finding themselves in need of similar solutions as things get worse around the internet world.
 
A more complete solution might be to invest in ASL (www.atomicorp.com). It might be overkill in your case, but I strongly recommend it for any webserver. I don't want to speak for them, but since ASL includes rules as standard that prevent spam posts in forums, I would imagine that sexual words and medical words would be included. Why not contact them to explain your problem and see what happens?

I'm VERY disappointed with Orange France's response to you. Personally I would escalate this above the abuse department.
 
A more complete solution might be to invest in ASL (www.atomicorp.com). It might be overkill in your case, but I strongly recommend it for any webserver. I don't want to speak for them, but since ASL includes rules as standard that prevent spam posts in forums, I would imagine that sexual words and medical words would be included. Why not contact them to explain your problem and see what happens?

I'm VERY disappointed with Orange France's response to you. Personally I would escalate this above the abuse department.

Thanks for the info on this - it looks very powerful, but a bit too expensive.

I too am VERY disappointed in the responses from Orange.fr's abuse dept. When they did not escalate the issue to actually doing something about it, I wrote them and asked if they would provide me with the contact details for the law enforcement agency that would have authority over their customer, and which agency I could contact that would have authority with them to pull records and investigate this person - they never responded. Then I wrote them asking for a list of IPs they allocate to users (about the 4th time requesting that) and they sent me the AS3215 or whatever.

So I wrote them back and linked to the one I put in the OP, and asked if that was an accurate list of IPs so I could block their network from being used to broadcast inaccurate medical advice on our site - and they never replied. Several messages back I sent them a link to our site's blog post where I posted that we blocked the orange network from our chat rooms - (unsuccessfully, I find out, as the first list of IP blocks I found for them was obviously not the whole list) - and they have not been helpful in helping me to block their network from accessing our server.

They have not stopped their customer from repeatedly spamming our chat rooms over and over and over again - even though I have sent them proof of the same guy, month after month, doing the same thing, all with different IPs from Orange / wanadoo - and all with similar but varied usernames. They could certainly see the pattern, and look at their records to know for sure that one customer of theirs has been doing this over and over again, and know that their customer has not heeded any of the 'email warnings' they have sent.. yet they do not stop him, and do not make it easy for us to block him or their network.
 
Spamtrawler likely won't work..

Guess I am still looking for solutions, I wrote spamtrawler to ask if it would work to block traffic to port 8080 with our chat script, then I looked into the documentation, and I do not think there will be a way to integrate this with our chat system, as it needs some php type calls from files on the domain to work.. maybe they will tell me differently, but I don't think this is going to work for our situation.

So, can someone fork one of the scripts that are posted about above to block tor servers and block the orange.fr network?

So frustrated :(
 
If this guy is out there to frustrate you and it's an intentional move, then blocking the entire orange network is still NOT a solution. I.e., there is now a lot of proxy software on the market with which you can surf as if you were in another country, with thousands of IPs readily available (check out hidemyass.com), so rather than focusing on closing the network off, I suggest you focus on content / package filtering solutions. A solution that will filter out or not allow certain keywords posted on any of your chats ...

Most firewalls are designed to kill / stop automated attacks! But human attacks are one of the hardest ..
 
If this guy is out there to frustrate you and it's an intentional move, then blocking the entire orange network is still NOT a solution. I.e., there is now a lot of proxy software on the market with which you can surf as if you were in another country, with thousands of IPs readily available (check out hidemyass.com), so rather than focusing on closing the network off, I suggest you focus on content / package filtering solutions. A solution that will filter out or not allow certain keywords posted on any of your chats ...

Most firewalls are designed to kill / stop automated attacks! But human attacks are one of the hardest ..

I do not think he is out to frustrate me - I have had those issues with others and been down those roads.. this guy thinks he is doing the world a favor by telling them about STDs and condom usage, even though his medical advice is not accurate. I think he thinks he is doing a good thing. I am guessing he contracted one of the STIs he posts about and is hoping to save others from his former misdeeds or something.

Anyhow, yes, I know there are proxies and this guy did use one once after we banned about 60,000 IPs from Orange / wanadoo - but I wrote to the ISPs that hosted those proxies, and they contacted the VPN services and had those accounts yanked. In other situations I have had proxy services ban our web server IPs so that people could not use those services to troll our system. So we work in whatever methods we can to only block what is needed, however when we find an ISP like orange that repeatedly does little to nothing to stop the illegal abuse, then we are forced to take more drastic measures.

If someone can find a way for us to block the orange / wanadoo network using Parallels and the firewall, great. If someone can confirm that one of the TOR blocking scripts posted above is good clean code to use, then I will see about having one of those modified to also block orange.. if someone could verify the list of IPs the site has for orange's AS3215 linked to in the OP, then I will go through and add each one line by line in the firewall ip tables to stop this guy if I have to. If none of that is feasible or possible to block this network, I will be forced to block the entire country of France using our web host's upper level firewall.

Still have not found an efficient way to handle this with the Parallels / Parallels firewall system.. maybe I need to post about this in the suggestions thread? It takes so many clicks to add a simple IP to the firewall and edit it and apply the configuration and all that - this should be more streamlined - and having a method for blocking hostnames or huge blocks of IPs would be nice.
 
My preferred method when a firewall appliance is not available is to add a permanent route like the one below

route add -net Target/prefix gw 127.0.0.1

Add the same line to rc.local to ensure it survives reboots
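The null-route approach above needs one line per prefix, and the thread's complaint is that an AS is announced as thousands of them. The added example below (not from any poster, and not Plesk's own tooling) collapses a prefix list into the fewest covering networks before emitting the route lines in the post's format, and lets you test whether an address falls inside the blocked set. The prefix list is a constructed sample using RFC 5737 documentation ranges, not AS3215's real announcements.

```python
import ipaddress

# Constructed sample standing in for an AS's announced prefixes (RFC 5737
# documentation ranges, deliberately overlapping and adjacent).
SAMPLE_PREFIXES = """\
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
198.51.100.0/26      # already covered by the /24 above
203.0.113.64/26
# blank lines and comments are ignored

203.0.113.0/26
"""


def parse_prefixes(text):
    """Parse one CIDR per line; strict=False tolerates host bits set in the address."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def collapse_prefixes(nets):
    """Merge adjacent and overlapping prefixes so the firewall gets the fewest rules.

    v4 and v6 are collapsed separately because they cannot be aggregated together.
    """
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def render_routes(nets, gw="127.0.0.1"):
    """One null-route command per collapsed IPv4 prefix, in the form the post uses.

    Note the null route only discards the server's replies; inbound packets still
    arrive, so the connection simply never completes, and the server cannot reach
    those ranges either.
    """
    return [f"route add -net {n.with_prefixlen} gw {gw}" for n in nets if n.version == 4]


def is_blocked(ip, nets):
    """True if the address lies inside any blocked prefix (used to verify a log IP)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    blocked = collapse_prefixes(parse_prefixes(SAMPLE_PREFIXES))
    print("\n".join(render_routes(blocked)))
    print(is_blocked("192.0.2.200", blocked), is_blocked("203.0.113.200", blocked))
```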
 
If someone can find a way for us to block the orange / wanadoo network using Parallels and the firewall, great. If someone can confirm that one of the TOR blocking scripts posted above is good clean code to use, then I will see about having one of those modified to also block orange.. if someone could verify the list of IPs the site has for orange's AS3215 linked to in the OP, then I will go through and add each one line by line in the firewall ip tables to stop this guy if I have to. If none of that is feasible or possible to block this network, I will be forced to block the entire country of France using our web host's upper level firewall.

You have another two options:

1) Actually TALK to the guy and ask him politely to STOP?

2) Contact his ISP through regular abuse channels and get him banned by his own ISP. And when he contracts a new ISP (which will take a month at least), then contact his new ISP too. In the end he'll either send his spam via pigeons or smoke signals.
 
Hi,

Yes, it's possible. Make sure you are legally entitled to use an mmdb ASN database.


1) Get an ASN-to-IP database you are legally entitled to use. Check whether the link below is offered in accordance with the license:
GitHub - P3TERX/GeoLite.mmdb: MaxMind's GeoIP2 GeoLite2 Country, City, and ASN databases

And place it in a directory as:

/usr/share/GeoIP/GeoLite2-ASN.mmdb



Before installing mod_maxminddb do the following:

2) Install the libmaxminddb library. This can be installed via PPA in Ubuntu.

# sudo add-apt-repository ppa:maxmind/ppa
# sudo apt update
# sudo apt install libmaxminddb0 libmaxminddb-dev mmdb-bin


3) Install the dev package for your apache version, in my case, this was done like below:

# sudo apt install apache2-dev


4) Installing MaxMind with Apache:

# curl -Lo /usr/share/GeoIP/mod_maxminddb-1.2.0.tar.gz https://github.com/maxmind/mod_maxminddb/releases/download/1.2.0/mod_maxminddb-1.2.0.tar.gz

# tar -xvzf /usr/share/GeoIP/mod_maxminddb-1.2.0.tar.gz -C ~/

# cd ~/mod_maxminddb-1.2.0

Note. ~ is short for the home directory.

After going to the directory the ModMaxminddb was downloaded to, activate it:

# ./configure

# sudo make install


5) Set .htaccess rule to block certain ASN (ISPs):

<IfModule mod_maxminddb.c>
MaxMindDBEnable On
MaxMindDBSetNotes On
MaxMindDBFile CITY_DB /usr/share/GeoIP/GeoLite2-City.mmdb
MaxMindDBFile ASN_DB /usr/share/GeoIP/GeoLite2-ASN.mmdb

MaxMindDBEnv COUNTRY_CODE CITY_DB/country/iso_code
MaxMindDBEnv CONTINENT_CODE CITY_DB/continent/code
MaxMindDBEnv MM_ASN ASN_DB/autonomous_system_number
MaxMindDBEnv MM_ASORG ASN_DB/autonomous_system_organization
MaxMindDBNetworkEnv ASN_DB ASN_DB_NETWORK

# Anchor both ends of the pattern: without the trailing $, "^(9930|...)" would
# also match unrelated ASNs such as 99301.
SetEnvIf MM_ASN ^(31708|9930|26496|55933|8570|16276|21501|12876|38731|41564|399471|51852)$ BlockAsn

# "Deny from" is Apache 2.2 syntax; on 2.4 it needs mod_access_compat
# (or the equivalent "Require not env BlockAsn" inside a <RequireAll> block).
Deny from env=BlockAsn
</IfModule>
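The SetEnvIf line above is a regular expression tested against the MM_ASN value, so how it is anchored decides which ASNs end up in the deny list. The added example below (written for this thread, not part of the post or of mod_maxminddb) reproduces that match in Python, builds a correctly anchored directive from a list of ASNs, and shows why a start-only anchor over-blocks; the helper names and the ASN 99301 used as a counter-example are assumptions for illustration.

```python
import re

# ASNs from the .htaccess rule in the post, kept as strings because
# mod_maxminddb exposes MM_ASN to SetEnvIf as a string environment value.
BLOCKED_ASNS = ["31708", "9930", "26496", "55933", "8570", "16276",
                "21501", "12876", "38731", "41564", "399471", "51852"]


def build_pattern(asns, anchor_end=True):
    """Build the SetEnvIf regex for a list of ASNs.

    anchor_end=False reproduces a pattern anchored only with '^', which is a
    prefix match: '^(9930|...)' also matches '99301' (an assumed example ASN).
    """
    body = "|".join(re.escape(a) for a in asns)
    return f"^({body})$" if anchor_end else f"^({body})"


def setenvif_matches(pattern, mm_asn):
    """SetEnvIf sets the variable when the regex matches anywhere in the value."""
    return re.search(pattern, mm_asn) is not None


def render_directive(asns):
    """Emit the anchored directive line for the .htaccess file."""
    return f"SetEnvIf MM_ASN {build_pattern(asns)} BlockAsn"


def decision(env, asns=BLOCKED_ASNS, anchor_end=True):
    """Return 'deny' or 'allow' as 'Deny from env=BlockAsn' would decide.

    env is the request environment; when the ASN lookup fails, MM_ASN is absent,
    BlockAsn is never set and the request is allowed (the rule fails open).
    """
    mm_asn = env.get("MM_ASN")
    if mm_asn is None:
        return "allow"
    pattern = build_pattern(asns, anchor_end)
    return "deny" if setenvif_matches(pattern, mm_asn) else "allow"


if __name__ == "__main__":
    print(render_directive(BLOCKED_ASNS))
    print(decision({"MM_ASN": "99301"}), decision({"MM_ASN": "99301"}, anchor_end=False))
```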
 