Blocking international network traffic to your server

allingeneral
Site Admin
Posts: 1238
Joined: Mon Mar 06, 2006 8:39 pm
Location: Virginia

Blocking international network traffic to your server

Post by allingeneral »

Over the years, I have found that most spam traffic comes from outside the United States. Our stores do not ship to international destinations; therefore, we are not interested in visits from anyone outside the US. Since we don't care about traffic from outside the US, we have made the decision to block access to our servers from all network blocks that are owned by foreign countries.

Here is a list of IP blocks that can safely be blocked from accessing your server(s). This list is not all-inclusive, but includes many of the "Problem countries" including China, Turkey, Romania, Denmark, Russia, etc.

I use the linux program IPTables (/sbin/iptables) to block these network blocks. It's as simple as copying the following IP addresses to a file on your server (I call mine 'iptables.rules') and running a short 'for' loop to read in all the entries. Once you have read them in, you can save them to your iptables configuration (on redhat-ish systems) by using the command iptables-save, then run the command 'chkconfig iptables on' so that your new iptables config will start up the next time your server is booted (and every time thereafter).

More information about iptables can be found at the following link:

IPTables tutorial - How to use iptables

Run this loop to read in all the IPs below into your iptables configuration:

# skip the 'N' comment lines and blank lines, drop duplicate entries, and quote each address
grep -v -e '^N' -e '^$' iptables.rules | sort -u | while read -r net; do /sbin/iptables -A INPUT -s "$net" -j DROP; done

N Filename iptables.rules
N Russia .ru
89.0.0.0/8

N RIPE.NET (Europe, the Middle East and parts of Central Asia)
62.0.0.0/8
77.0.0.0/8
78.0.0.0/8
79.0.0.0/8
80.0.0.0/8
81.0.0.0/8
82.0.0.0/8
83.0.0.0/8
84.0.0.0/8
85.0.0.0/8
86.0.0.0/8
87.0.0.0/8
88.0.0.0/8
89.0.0.0/8
90.0.0.0/8
91.0.0.0/8
193.0.0.0/8
194.0.0.0/8
195.0.0.0/8
212.0.0.0/8
213.0.0.0/8
217.0.0.0/8

N APNIC (Asian Pacific Network Information Center)
58.0.0.0/8
59.0.0.0/8
60.0.0.0/8
61.0.0.0/8
202.0.0.0/8
203.0.0.0/8
210.0.0.0/8
211.0.0.0/8
218.0.0.0/8
219.0.0.0/8
220.0.0.0/8
221.0.0.0/8
222.0.0.0/8
116.0.0.0/8
117.0.0.0/8
118.0.0.0/8
119.0.0.0/8
120.0.0.0/8
121.0.0.0/8
122.0.0.0/8
123.0.0.0/8
124.0.0.0/8
125.0.0.0/8
126.0.0.0/8

N End APNIC Addresses

N LACNIC (Latin American and Caribbean Network Information Center)
189.0.0.0/8
190.0.0.0/8
200.0.0.0/8
201.0.0.0/8
N End LACNIC

N Add .EU here?
N duesentrieb.kunst.uni-frankfurt.de
141.0.0.0/8
N end .EU

88.0.0.0/8
85.0.0.0/8

N Specific problem IP addresses
66.141.138.127
70.243.229.163
201.17.245.162
67.98.223.31
72.29.68.8
251.201.252.130
66.180.84.58

Additionally, here is a link to all currently assigned IPv4 IP blocks throughout the world, as promulgated by IANA (Internet Assigned Numbers Authority).

http://www.iana.org/assignments/ipv4-address-space

There is another way to block IPs using .htaccess on your apache webserver. I have to do some digging to get that worked out and I plan to post more info about that at a later date.

To use the IPTables method, you must have root access on your server, i.e. a Virtual Private Server (VPS) or a dedicated server. The great thing about using IPTables instead of .htaccess is that IPTables blocks access to all of your server processes: mysql, sendmail (smtp), apache (http), SSH, etc. Using the .htaccess method only blocks access to your http server and leaves the rest open to attack.

Please post any questions or comments that you have and I'll try to answer them.

Good Luck!
--
Rick
The only way you'll ever catch fish is to Go Fishing Forum (.net)!! :)
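A hardened loader for the 'iptables.rules' file format described in the post above, added here as an example; it is not the poster's loop. It validates each entry before it reaches iptables (the loop above hands anything that is not a comment straight to the kernel), de-duplicates the list, and puts the DROP rules in a dedicated chain hooked in at the top of INPUT rather than appending them to INPUT with -A, where they would sit behind any existing ACCEPT rules and might never be evaluated. The chain name GEOBLOCK and the ADMIN_NET lock-out guard are assumptions of this example, not names from the post, and the -C (check) option needs iptables 1.4.11 or newer. The script prints the commands instead of running them; pipe its output to sh as root to apply, then persist with iptables-save > /etc/sysconfig/iptables (what 'service iptables save' does on redhat-ish systems).

```shell
#!/bin/sh
# Hardened loader for the 'iptables.rules' block list described above.
# Added example, not the original poster's loop. Assumed names (not from
# the post): the chain GEOBLOCK and the optional ADMIN_NET variable.
# Requires an iptables with the -C (check) option, i.e. 1.4.11 or newer.

# Accept a.b.c.d or a.b.c.d/n with octets 0-255 and n 0-32. Sources at or
# above 224.0.0.0 are rejected: the IANA table lists 224/8-255/8 as
# RESERVED (multicast, future use), so such an address can never be a
# legitimate unicast source and is almost certainly a typo.
valid_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            if (NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32)) exit 1
            if ($1 >= 224) exit 1
            exit 0
        }'
}

# Emit the usable entries of a rules file in the poster's format: lines
# beginning with 'N' are comments; blank lines and duplicates are dropped;
# anything that fails valid_cidr is reported on stderr and skipped.
parse_rules() {
    grep -v '^N' "$1" | tr -d '\r' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | grep -v '^$' | sort -u \
    | while IFS= read -r net; do
        if valid_cidr "$net"; then
            printf '%s\n' "$net"
        else
            printf 'skipping malformed entry: %s\n' "$net" >&2
        fi
    done
}

# Print the iptables commands for a rules file (pipe them to sh as root to
# apply). The DROPs live in their own chain hooked in at the top of INPUT;
# rules appended to INPUT with -A land behind any existing ACCEPT rules and
# may never be evaluated.
build_rules() {
    chain="${2:-GEOBLOCK}"
    # create the chain, or flush it if it already exists, so reloads are idempotent
    printf '/sbin/iptables -N %s 2>/dev/null || /sbin/iptables -F %s\n' "$chain" "$chain"
    # lock-out guard: the admin network leaves the chain before any DROP
    if [ -n "${ADMIN_NET:-}" ] && valid_cidr "$ADMIN_NET"; then
        printf '/sbin/iptables -A %s -s %s -j RETURN\n' "$chain" "$ADMIN_NET"
    fi
    parse_rules "$1" | while IFS= read -r net; do
        printf '/sbin/iptables -A %s -s %s -j DROP\n' "$chain" "$net"
    done
    # jump to the chain from position 1 of INPUT, but only once
    printf '/sbin/iptables -C INPUT -j %s 2>/dev/null || /sbin/iptables -I INPUT 1 -j %s\n' "$chain" "$chain"
}

# Constructed sample in the poster's file format (a few of the entries
# above, plus two deliberately bad ones). Dry run: prints the commands.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
N Filename iptables.rules
N Russia .ru
89.0.0.0/8

N RIPE.NET
89.0.0.0/8
217.0.0.0/8
N Specific problem IP addresses
66.141.138.127
251.201.252.130
999.1.1.1
EOF
build_rules "$SAMPLE"
rm -f "$SAMPLE"
```

Usage: ADMIN_NET=your.office.net/24 sh geoblock.sh and review the printed commands, then build_rules iptables.rules | sh as root. Of the sample's entries, 251.201.252.130 is rejected because 251/8 is in the RESERVED "future use" range and 999.1.1.1 because an octet exceeds 255; the duplicated 89.0.0.0/8 is emitted once.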

Re: Blocking international network traffic to your server

Post by allingeneral »

Here is the full list of IANA assigned IPV4 IP Address Space:

IPv4 Global Unicast Address Assignments
(last updated 2008-05-27)

The allocation of Internet Protocol version 4 (IPv4) address space to various registries is listed
here. Originally, all of the IPv4 address space was managed directly by the IANA. Later parts of the
address space were allocated to various other registries to manage for particular purposes or
regional areas of the world. RFC 1466 [RFC1466] documents most of these allocations.


Prefix Designation Date Whois Status [1] Note
----- ------ ---- ----- ---------- ----

000/8 IANA - Local Identification 1981-09 RESERVED [2]
001/8 IANA UNALLOCATED
002/8 IANA UNALLOCATED
003/8 General Electric Company 1994-05 LEGACY
004/8 Level 3 Communications, Inc. 1992-12 LEGACY
005/8 IANA UNALLOCATED
006/8 Army Information Systems Center 1994-02 LEGACY
007/8 Administered by ARIN 1995-04 whois.arin.net LEGACY
008/8 Level 3 Communications, Inc. 1992-12 LEGACY
009/8 IBM 1992-08 LEGACY
010/8 IANA - Private Use 1995-06 RESERVED [3]
011/8 DoD Intel Information Systems 1993-05 LEGACY
012/8 AT&T Bell Laboratories 1995-06 LEGACY
013/8 Xerox Corporation 1991-09 LEGACY
014/8 IANA UNALLOCATED [4]
015/8 Hewlett-Packard Company 1994-07 LEGACY
016/8 Digital Equipment Corporation 1994-11 LEGACY
017/8 Apple Computer Inc. 1992-07 LEGACY
018/8 MIT 1994-01 LEGACY
019/8 Ford Motor Company 1995-05 LEGACY
020/8 Computer Sciences Corporation 1994-10 LEGACY
021/8 DDN-RVN 1991-07 LEGACY
022/8 Defense Information Systems Agency 1993-05 LEGACY
023/8 IANA UNALLOCATED
024/8 ARIN 2001-05 whois.arin.net ALLOCATED
025/8 UK Ministry of Defence 1995-01 LEGACY
026/8 Defense Information Systems Agency 1995-05 LEGACY
027/8 IANA UNALLOCATED
028/8 DSI-North 1992-07 LEGACY
029/8 Defense Information Systems Agency 1991-07 LEGACY
030/8 Defense Information Systems Agency 1991-07 LEGACY
031/8 IANA UNALLOCATED
032/8 AT&T Global Network Services 1994-06 LEGACY
033/8 DLA Systems Automation Center 1991-01 LEGACY
034/8 Halliburton Company 1993-03 LEGACY
035/8 MERIT Computer Network 1994-04 LEGACY
036/8 IANA UNALLOCATED
037/8 IANA UNALLOCATED
038/8 Performance Systems International 1994-09 LEGACY
039/8 IANA UNALLOCATED
040/8 Eli Lilly & Company 1994-06 LEGACY
041/8 AfriNIC 2005-04 whois.afrinic.net ALLOCATED
042/8 IANA UNALLOCATED
043/8 Japan Inet 1991-01 LEGACY
044/8 Amateur Radio Digital Communications 1992-07 LEGACY
045/8 Interop Show Network 1995-01 LEGACY
046/8 IANA UNALLOCATED
047/8 Bell-Northern Research 1991-01 LEGACY
048/8 Prudential Securities Inc. 1995-05 LEGACY
049/8 IANA UNALLOCATED
050/8 IANA UNALLOCATED
051/8 Department of Social Security of UK 1994-08 LEGACY
052/8 E.I. duPont de Nemours and Co., Inc. 1991-12 LEGACY
053/8 Cap Debis CCS 1993-10 LEGACY
054/8 Merck and Co., Inc. 1992-03 LEGACY
055/8 DoD Network Information Center 1995-04 LEGACY
056/8 US Postal Service 1994-06 LEGACY
057/8 SITA 1995-05 LEGACY
058/8 APNIC 2004-04 whois.apnic.net ALLOCATED
059/8 APNIC 2004-04 whois.apnic.net ALLOCATED
060/8 APNIC 2003-04 whois.apnic.net ALLOCATED
061/8 APNIC 1997-04 whois.apnic.net ALLOCATED
062/8 RIPE NCC 1997-04 whois.ripe.net ALLOCATED
063/8 ARIN 1997-04 whois.arin.net ALLOCATED
064/8 ARIN 1999-07 whois.arin.net ALLOCATED
065/8 ARIN 2000-07 whois.arin.net ALLOCATED
066/8 ARIN 2000-07 whois.arin.net ALLOCATED
067/8 ARIN 2001-05 whois.arin.net ALLOCATED
068/8 ARIN 2001-06 whois.arin.net ALLOCATED
069/8 ARIN 2002-08 whois.arin.net ALLOCATED
070/8 ARIN 2004-01 whois.arin.net ALLOCATED
071/8 ARIN 2004-08 whois.arin.net ALLOCATED
072/8 ARIN 2004-08 whois.arin.net ALLOCATED
073/8 ARIN 2005-03 whois.arin.net ALLOCATED
074/8 ARIN 2005-06 whois.arin.net ALLOCATED
075/8 ARIN 2005-06 whois.arin.net ALLOCATED
076/8 ARIN 2005-06 whois.arin.net ALLOCATED
077/8 RIPE NCC 2006-08 whois.ripe.net ALLOCATED
078/8 RIPE NCC 2006-08 whois.ripe.net ALLOCATED
079/8 RIPE NCC 2006-08 whois.ripe.net ALLOCATED
080/8 RIPE NCC 2001-04 whois.ripe.net ALLOCATED
081/8 RIPE NCC 2001-04 whois.ripe.net ALLOCATED
082/8 RIPE NCC 2002-11 whois.ripe.net ALLOCATED
083/8 RIPE NCC 2003-11 whois.ripe.net ALLOCATED
084/8 RIPE NCC 2003-11 whois.ripe.net ALLOCATED
085/8 RIPE NCC 2004-04 whois.ripe.net ALLOCATED
086/8 RIPE NCC 2004-04 whois.ripe.net ALLOCATED
087/8 RIPE NCC 2004-04 whois.ripe.net ALLOCATED
088/8 RIPE NCC 2004-04 whois.ripe.net ALLOCATED
089/8 RIPE NCC 2005-06 whois.ripe.net ALLOCATED
090/8 RIPE NCC 2005-06 whois.ripe.net ALLOCATED
091/8 RIPE NCC 2005-06 whois.ripe.net ALLOCATED
092/8 RIPE NCC 2007-03 whois.ripe.net ALLOCATED
093/8 RIPE NCC 2007-03 whois.ripe.net ALLOCATED
094/8 RIPE NCC 2007-07 whois.ripe.net ALLOCATED
095/8 RIPE NCC 2007-07 whois.ripe.net ALLOCATED
096/8 ARIN 2006-10 whois.arin.net ALLOCATED
097/8 ARIN 2006-10 whois.arin.net ALLOCATED
098/8 ARIN 2006-10 whois.arin.net ALLOCATED
099/8 ARIN 2006-10 whois.arin.net ALLOCATED
100/8 IANA UNALLOCATED
101/8 IANA UNALLOCATED
102/8 IANA UNALLOCATED
103/8 IANA UNALLOCATED
104/8 IANA UNALLOCATED
105/8 IANA UNALLOCATED
106/8 IANA UNALLOCATED
107/8 IANA UNALLOCATED
108/8 IANA UNALLOCATED
109/8 IANA UNALLOCATED
110/8 IANA UNALLOCATED
111/8 IANA UNALLOCATED
112/8 APNIC 2008-05 whois.apnic.net ALLOCATED
113/8 APNIC 2008-05 whois.apnic.net ALLOCATED
114/8 APNIC 2007-10 whois.apnic.net ALLOCATED
115/8 APNIC 2007-10 whois.apnic.net ALLOCATED
116/8 APNIC 2007-01 whois.apnic.net ALLOCATED
117/8 APNIC 2007-01 whois.apnic.net ALLOCATED
118/8 APNIC 2007-01 whois.apnic.net ALLOCATED
119/8 APNIC 2007-01 whois.apnic.net ALLOCATED
120/8 APNIC 2007-01 whois.apnic.net ALLOCATED
121/8 APNIC 2006-01 whois.apnic.net ALLOCATED
122/8 APNIC 2006-01 whois.apnic.net ALLOCATED
123/8 APNIC 2006-01 whois.apnic.net ALLOCATED
124/8 APNIC 2005-01 whois.apnic.net ALLOCATED
125/8 APNIC 2005-01 whois.apnic.net ALLOCATED
126/8 APNIC 2005-01 whois.apnic.net ALLOCATED
127/8 IANA - Loopback 1981-09 RESERVED [5]
128/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
129/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
130/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
131/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
132/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
133/8 Administered by APNIC 1997-03 whois.apnic.net LEGACY
134/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
135/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
136/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
137/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
138/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
139/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
140/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
141/8 Administered by RIPE NCC 1993-05 whois.ripe.net LEGACY
142/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
143/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
144/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
145/8 Administered by RIPE NCC 1993-05 whois.ripe.net LEGACY
146/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
147/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
148/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
149/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
150/8 Administered by APNIC 1993-05 whois.apnic.net LEGACY
151/8 Administered by RIPE NCC 1993-05 whois.ripe.net LEGACY
152/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
153/8 Administered by APNIC 1993-05 whois.apnic.net LEGACY
154/8 Administered by AfriNIC 1993-05 whois.afrinic.net LEGACY
155/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
156/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
157/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
158/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
159/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
160/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
161/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
162/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
163/8 Administered by APNIC 1993-05 whois.apnic.net LEGACY
164/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
165/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
166/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
167/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
168/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
169/8 Administered by ARIN 1993-05 whois.arin.net LEGACY [6]
170/8 Administered by ARIN 1993-05 whois.arin.net LEGACY
171/8 Administered by APNIC 1993-05 whois.apnic.net LEGACY
172/8 Administered by ARIN 1993-05 whois.arin.net LEGACY [7]
173/8 ARIN 2008-02 whois.arin.net ALLOCATED
174/8 ARIN 2008-02 whois.arin.net ALLOCATED
175/8 IANA UNALLOCATED
176/8 IANA UNALLOCATED
177/8 IANA UNALLOCATED
178/8 IANA UNALLOCATED
179/8 IANA UNALLOCATED
180/8 IANA UNALLOCATED
181/8 IANA UNALLOCATED
182/8 IANA UNALLOCATED
183/8 IANA UNALLOCATED
184/8 IANA UNALLOCATED
185/8 IANA UNALLOCATED
186/8 LACNIC 2007-09 whois.lacnic.net ALLOCATED
187/8 LACNIC 2007-09 whois.lacnic.net ALLOCATED
188/8 Administered by RIPE NCC 1993-05 whois.ripe.net LEGACY
189/8 LACNIC 1995-06 whois.lacnic.net ALLOCATED
190/8 LACNIC 1995-06 whois.lacnic.net ALLOCATED
191/8 Administered by LACNIC 1993-05 whois.lacnic.net LEGACY
192/8 Administered by ARIN 1993-05 whois.arin.net LEGACY [8]
193/8 RIPE NCC 1993-05 whois.ripe.net ALLOCATED
194/8 RIPE NCC 1993-05 whois.ripe.net ALLOCATED
195/8 RIPE NCC 1993-05 whois.ripe.net ALLOCATED
196/8 Administered by AfriNIC 1993-05 whois.afrinic.net LEGACY
197/8 IANA UNALLOCATED
198/8 Administered by ARIN 1993-05 whois.arin.net LEGACY [9]
199/8 ARIN 1993-05 whois.arin.net ALLOCATED
200/8 LACNIC 2002-11 whois.lacnic.net ALLOCATED
201/8 LACNIC 2003-04 whois.lacnic.net ALLOCATED
202/8 APNIC 1993-05 whois.apnic.net ALLOCATED
203/8 APNIC 1993-05 whois.apnic.net ALLOCATED
204/8 ARIN 1994-03 whois.arin.net ALLOCATED
205/8 ARIN 1994-03 whois.arin.net ALLOCATED
206/8 ARIN 1995-04 whois.arin.net ALLOCATED
207/8 ARIN 1995-11 whois.arin.net ALLOCATED
208/8 ARIN 1996-04 whois.arin.net ALLOCATED
209/8 ARIN 1996-06 whois.arin.net ALLOCATED
210/8 APNIC 1996-06 whois.apnic.net ALLOCATED
211/8 APNIC 1996-06 whois.apnic.net ALLOCATED
212/8 RIPE NCC 1997-10 whois.ripe.net ALLOCATED
213/8 RIPE NCC 1993-10 whois.ripe.net ALLOCATED
214/8 US-DOD 1998-03 LEGACY
215/8 US-DOD 1998-03 LEGACY
216/8 ARIN 1998-04 whois.arin.net ALLOCATED
217/8 RIPE NCC 2000-06 whois.ripe.net ALLOCATED
218/8 APNIC 2000-12 whois.apnic.net ALLOCATED
219/8 APNIC 2001-09 whois.apnic.net ALLOCATED
220/8 APNIC 2001-12 whois.apnic.net ALLOCATED
221/8 APNIC 2002-07 whois.apnic.net ALLOCATED
222/8 APNIC 2003-02 whois.apnic.net ALLOCATED
223/8 IANA UNALLOCATED
224/8 Multicast 1981-09 RESERVED [10]
225/8 Multicast 1981-09 RESERVED [10]
226/8 Multicast 1981-09 RESERVED [10]
227/8 Multicast 1981-09 RESERVED [10]
228/8 Multicast 1981-09 RESERVED [10]
229/8 Multicast 1981-09 RESERVED [10]
230/8 Multicast 1981-09 RESERVED [10]
231/8 Multicast 1981-09 RESERVED [10]
232/8 Multicast 1981-09 RESERVED [10]
233/8 Multicast 1981-09 RESERVED [10]
234/8 Multicast 1981-09 RESERVED [10]
235/8 Multicast 1981-09 RESERVED [10]
236/8 Multicast 1981-09 RESERVED [10]
237/8 Multicast 1981-09 RESERVED [10]
238/8 Multicast 1981-09 RESERVED [10]
239/8 Multicast 1981-09 RESERVED [10]
240/8 Future use 1981-09 RESERVED [11]
241/8 Future use 1981-09 RESERVED [11]
242/8 Future use 1981-09 RESERVED [11]
243/8 Future use 1981-09 RESERVED [11]
244/8 Future use 1981-09 RESERVED [11]
245/8 Future use 1981-09 RESERVED [11]
246/8 Future use 1981-09 RESERVED [11]
247/8 Future use 1981-09 RESERVED [11]
248/8 Future use 1981-09 RESERVED [11]
249/8 Future use 1981-09 RESERVED [11]
250/8 Future use 1981-09 RESERVED [11]
251/8 Future use 1981-09 RESERVED [11]
252/8 Future use 1981-09 RESERVED [11]
253/8 Future use 1981-09 RESERVED [11]
254/8 Future use 1981-09 RESERVED [11]
255/8 Future use 1981-09 RESERVED [11]



Notes
-----
[1] Indicates the status of address blocks as follows:
RESERVED: designated by the IETF for specific non-unicast purposes as noted.
LEGACY: allocated by the central Internet Registry (IR) prior to the Regional Internet Registries
(RIRs). This address space is now administered by individual RIRs as noted, including maintenance
of WHOIS Directory and reverse DNS records. Assignments from these blocks are distributed globally
on a regional basis.
ALLOCATED: delegated entirely to specific RIR as indicated.
UNALLOCATED: not yet allocated or reserved.

[2] 0.0.0.0/8 reserved for self-identification [RFC3330]

[3] Reserved for Private-Use Networks [RFC1918]

[4] This was reserved for Public Data Networks [RFC1356]
See: http://www.iana.org/assignments/public- ... rk-numbers
It was recovered in February 2008.

[5] 127.0.0.0/8 is reserved for Loopback [RFC3330]

[6] 169.254.0.0/16 reserved for Link Local [RFC3330]

[7] 172.16.0.0/12 reserved for Private-Use Networks [RFC1918]

[8] 192.0.2.0/24 reserved for Test-Net [RFC3330]
192.88.99.0/24 reserved for 6to4 Relay Anycast [RFC3068]
192.168.0.0/16 reserved for Private-Use Networks [RFC1918]

[9] 198.18.0.0/15 reserved for Network Interconnect Device
Benchmark Testing [RFC3330]

[10] Multicast (formerly "Class D") [RFC1700]
See: http://www.iana.org/assignments/multicast-addresses

[11] Reserved for future use (formerly "Class E") [RFC1700]



Reference
---------

[RFC1356] Malis, A., Robinson, D., and R. Ullmann, "Multiprotocol
Interconnect on X.25 and ISDN in the Packet Mode",
RFC 1356, August 1992.

[RFC1466] Gerich, E., "Guidelines for Management of IP Address
Space", RFC 1466, May 1993.

[RFC1700] Reynolds, J. and J. Postel, "Assigned Numbers",
RFC1700, October 1994.

[RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G.,
and E. Lear, "Address Allocation for Private
Internets", BCP 5, RFC 1918, February 1996.

[RFC2050] Hubbard, K., Kosters, M., Conrad, D., Karrenberg, D.,
and J. Postel, "INTERNET REGISTRY IP ALLOCATION
GUIDELINES", BCP 12, RFC 2050, November 1996.

[RFC3068] Huitema, C., "An Anycast Prefix for 6to4 Relay
Routers", RFC 3068, June 2001.

[RFC3171] Albanna, Z., Almeroth, K., Meyer, D., and M. Schipper,
"IANA Guidelines for IPv4 Multicast Address
Assignments", BCP 51, RFC 3171, August 2001.

[RFC3330] IANA, "Special-Use IPv4 Addresses", RFC 3330,
September 2002.
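The hand-typed list in the first post can instead be derived from the IANA table above, which also shows where the two approaches differ. This is an added example, not part of either post; it assumes the table has been saved as plain text in the layout shown (one row per line, "Prefix Designation Date Whois Status"). Only rows whose status is ALLOCATED are turned into block entries, because note [1] says LEGACY space is "distributed globally on a regional basis": a row such as "141/8 Administered by RIPE NCC ... LEGACY" (the entry under "Add .EU here?" above) holds pre-RIR assignments scattered worldwide, so it is listed separately for manual review rather than blocked outright.

```shell
#!/bin/sh
# Derive a per-registry /8 block list from the IANA "IPv4 Global Unicast
# Address Assignments" table pasted above. Added example, not part of the
# original post. Assumed: the table is saved as text in the file named by
# $1, one row per line in the "Prefix Designation Date Whois Status" layout.
# $2 is a space-separated list of registries to select, matched against the
# first word of the Designation column ("RIPE" matches "RIPE NCC").

# /8 prefixes, as CIDR, whose status is ALLOCATED and whose designation is
# one of the wanted registries. LEGACY rows are deliberately excluded: note
# [1] in the table says their assignments are distributed globally, so
# "Administered by RIPE NCC" says little about where a host actually is.
rir_blocks() {
    awk -v want="$2" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        $1 ~ /^[0-9][0-9][0-9]\/8$/ && $NF == "ALLOCATED" && ($2 in keep) {
            printf "%d.0.0.0/8\n", substr($1, 1, 3)
        }' "$1"
}

# The LEGACY rows administered by those registries, printed with the
# administering registry so they can be reviewed one by one instead of
# being blocked wholesale.
legacy_blocks() {
    awk -v want="$2" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        $1 ~ /^[0-9][0-9][0-9]\/8$/ && $2 == "Administered" && ($4 in keep) && $0 ~ /LEGACY/ {
            printf "%d.0.0.0/8 %s\n", substr($1, 1, 3), $4
        }' "$1"
}

# Constructed sample: a handful of rows copied from the table above.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
024/8 ARIN 2001-05 whois.arin.net ALLOCATED
041/8 AfriNIC 2005-04 whois.afrinic.net ALLOCATED
062/8 RIPE NCC 1997-04 whois.ripe.net ALLOCATED
141/8 Administered by RIPE NCC 1993-05 whois.ripe.net LEGACY
169/8 Administered by ARIN 1993-05 whois.arin.net LEGACY [6]
202/8 APNIC 1993-05 whois.apnic.net ALLOCATED
224/8 Multicast 1981-09 RESERVED [10]
EOF
echo "block list (ALLOCATED, non-ARIN registries):"
rir_blocks "$SAMPLE" "RIPE APNIC LACNIC AfriNIC"
echo "legacy space to review by hand:"
legacy_blocks "$SAMPLE" "RIPE APNIC LACNIC AfriNIC"
rm -f "$SAMPLE"
```

Run against the full table saved as iana.txt, rir_blocks iana.txt "RIPE APNIC LACNIC AfriNIC" yields a file in the same one-prefix-per-line format the first post's loop reads, with no duplicates and no hand-copied typos; the registry table is refreshed from the IANA link in the first post when new /8s are allocated.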