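Denying unauthorized access over ssh
0. Revision history
- 2007.10.17 Initial version
- 2007.11.05 Added extraction methods
1. Introduction
This document explains how to set up a script that uses iptables, swatch and logrotate to block unauthorized access attempts over ssh. It is a countermeasure against so-called brute-force attacks.
Note that the OS in use is RedHat Linux ES.
2. Extracting the IP addresses that generate Failed password
- Unauthorized access attempts are recorded in the secure log.
- A sample looks like this.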
[root@springboard tmp]# grep "Failed password" /var/log/secure|head -n 10
Oct 14 18:05:09 springboard sshd[20677]: Failed password for illegal user linux from 218.36.126.238 port 59411 ssh2
Oct 14 18:05:13 springboard sshd[20679]: Failed password for illegal user user from 218.36.126.238 port 59701 ssh2
Oct 14 18:05:16 springboard sshd[20681]: Failed password for illegal user david from 218.36.126.238 port 59995 ssh2
Oct 14 18:05:19 springboard sshd[20683]: Failed password for illegal user web from 218.36.126.238 port 60293 ssh2
Oct 14 18:05:23 springboard sshd[20685]: Failed password for illegal user apache from 218.36.126.238 port 60590 ssh2
Oct 14 18:05:26 springboard sshd[20687]: Failed password for illegal user pgsql from 218.36.126.238 port 60895 ssh2
Oct 14 18:05:29 springboard sshd[20689]: Failed password for illegal user mysql from 218.36.126.238 port 32949 ssh2
Oct 14 18:05:32 springboard sshd[20691]: Failed password for illegal user info from 218.36.126.238 port 33216 ssh2
Oct 14 18:05:36 springboard sshd[20693]: Failed password for illegal user tony from 218.36.126.238 port 33474 ssh2
Oct 14 18:05:39 springboard sshd[20695]: Failed password for illegal user core from 218.36.126.238 port 33734 ssh2
from 218.36.126.238 port 38285 ssh2
[root@springboard tmp]#
[root@springboard tmp]# grep "Failed password" /var/log/secure|cut -d" " -f 13|head -n 10
206.165.215.7
206.165.215.7
206.165.215.7
206.165.215.7
206.165.215.7
206.165.215.7
206.165.215.7
206.165.215.7
190.2.42.253
190.2.42.253
[root@springboard tmp]#
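- This yields a list of IP addresses.
- To remove the duplicate lines, first sort the list, then use the uniq command to count the duplicates.
- Then sort again in descending order of the count.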
[root@springboard tmp]# grep "Failed password" /var/log/secure|cut -d" " -f 13|sort|uniq -c|sort -nr
5915 125.206.111.101
1061 125.206.195.72
794 216.223.138.50
440 59.53.97.38
370 125.251.21.2
271 200.71.34.164
197 200.81.199.71
168 218.36.126.238
168 200.23.27.20
95 211.103.30.163
45 58.18.166.50
32 66.43.243.28
32 190.2.42.253
13 210.248.204.50
11 190.81.55.34
9 61.146.178.13
8 206.165.215.7
5 217.126.17.115
2 60313
2 210.196.107.248
1 60925
1 60320
1 60291
1 59690
1 59200
1 58833
1 56796
1 56401
1 52281
1 51836
1 49244
1 48814
1 46192
1 45108
1 41303
1 40241
1 39348
1 38914
1 38150
1 37750
1 36146
1 35773
1 35401
1 33579
1 33312
1 32955
1 2791
1 218.77.120.73
[root@springboard tmp]#
[root@springboard tmp]# grep "Failed password" /var/log/secure|grep shinnai
Oct 15 10:57:44 springboard sshd[3573]: Failed password for shinnai from 192.168.0.182 port 60291 ssh2
Oct 15 11:07:34 springboard sshd[4278]: Failed password for shinnai from 192.168.0.182 port 60313 ssh2
Oct 15 11:07:34 springboard sshd[4279]: Failed password for shinnai from 192.168.0.182 port 60313 ssh2
Oct 15 11:11:46 springboard sshd[4417]: Failed password for shinnai from 192.168.0.182 port 60320 ssh2
[root@springboard tmp]#
[root@springboard tmp]# grep "Failed password" /var/log/secure|cut -d" " -f 13|sort|uniq -c|sort -nr|grep "\."
5915 125.206.111.101
1061 125.206.195.72
794 216.223.138.50
440 59.53.97.38
370 125.251.21.2
271 200.71.34.164
197 200.81.199.71
168 218.36.126.238
168 200.23.27.20
95 211.103.30.163
45 58.18.166.50
32 66.43.243.28
32 190.2.42.253
13 210.248.204.50
11 190.81.55.34
9 61.146.178.13
8 206.165.215.7
5 217.126.17.115
2 210.196.107.248
1 218.77.120.73
[root@springboard tmp]#
- Now it is starting to look like a proper list.
- In the same way, extract the list for the case where the user exists. For this, take the 11th field.
[root@springboard tmp]# grep "Failed password" /var/log/secure|cut -d" " -f 11|sort|uniq -c|sort -nr|grep "\."
24 125.206.111.101
4 192.168.0.182
1 192.168.0.130
[root@springboard tmp]#
- Done this way, a single combined list can be created.
[root@springboard tmp]# grep "Failed password" /var/log/secure|cut -d" " -f 13|sort|uniq -c|sort -nr|grep "\." > /tmp/BruteForce.txt
[root@springboard tmp]#
[root@springboard tmp]#
[root@springboard tmp]# grep "Failed password" /var/log/secure|cut -d" " -f 11|sort|uniq -c|sort -nr|grep "\." >> /tmp/BruteForce.txt
[root@springboard tmp]# cat /tmp/BruteForce.txt | sort -nr
5915 125.206.111.101
1061 125.206.195.72
794 216.223.138.50
440 59.53.97.38
370 125.251.21.2
271 200.71.34.164
197 200.81.199.71
168 218.36.126.238
168 200.23.27.20
95 211.103.30.163
45 58.18.166.50
32 66.43.243.28
32 190.2.42.253
24 125.206.111.101
13 210.248.204.50
11 190.81.55.34
9 61.146.178.13
8 206.165.215.7
5 217.126.17.115
4 192.168.0.182
2 210.196.107.248
1 218.77.120.73
1 192.168.0.130
[root@springboard tmp]#
- Looking closely at the list, there are IP addresses that should be excluded.
- In that case, remove them with grep -v.
[root@springboard tmp]# cat /tmp/BruteForce.txt | sort -nr|grep -v 192.168.
5915 125.206.111.101
1061 125.206.195.72
794 216.223.138.50
440 59.53.97.38
370 125.251.21.2
271 200.71.34.164
197 200.81.199.71
168 218.36.126.238
168 200.23.27.20
95 211.103.30.163
45 58.18.166.50
32 66.43.243.28
32 190.2.42.253
24 125.206.111.101
13 210.248.204.50
11 190.81.55.34
9 61.146.178.13
8 206.165.215.7
5 217.126.17.115
2 210.196.107.248
1 218.77.120.73
[root@springboard tmp]#
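- This gives the list of external servers that are generating Failed password, that is, making unauthorized access attempts.
3. Removing Illegal user
- Regardless of whether the user exists or not, there are cases where logins are attempted as many different users taken from a dictionary.
- When access is attempted as a user that does not exist, it is recorded in the secure log as "Illegal user".
- Extract these from the secure log.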
[root@springboard shinnai]# grep "Illegal user" /var/log/secure|head -n 10
Nov 4 07:05:27 springboard sshd[22103]: Illegal user test from 216.54.26.139
Nov 4 07:05:32 springboard sshd[22171]: Illegal user test from 216.54.26.139
Nov 4 07:05:37 springboard sshd[22217]: Illegal user test from 216.54.26.139
Nov 4 07:05:41 springboard sshd[22241]: Illegal user test from 216.54.26.139
Nov 4 07:05:47 springboard sshd[22309]: Illegal user info from 216.54.26.139
Nov 4 07:05:52 springboard sshd[22355]: Illegal user info from 216.54.26.139
Nov 4 07:05:56 springboard sshd[22379]: Illegal user info from 216.54.26.139
Nov 4 07:06:01 springboard sshd[22447]: Illegal user info from 216.54.26.139
Nov 4 07:06:06 springboard sshd[22471]: Illegal user temp from 216.54.26.139
Nov 4 07:06:11 springboard sshd[22539]: Illegal user prueba from 216.54.26.139
[root@springboard shinnai]#
[root@springboard shinnai]# grep "Illegal user" /var/log/secure|cut -f 11 -d' '|head -n 10
216.54.26.139
216.54.26.139
216.54.26.139
216.54.26.139
216.54.26.139
216.54.26.139
216.54.26.139
216.54.26.139
216.54.26.139
216.54.26.139
[root@springboard shinnai]#
[root@springboard shinnai]# grep "Illegal user" /var/log/secure|cut -f 11 -d' '|sort -nr|uniq -c
107 216.54.26.139
336 210.77.73.11
3 203.251.145.52
3 203.197.2.92
4 64.235.54.228
[root@springboard shinnai]# grep "Illegal user" /var/log/secure|cut -f 11 -d' '|sort -nr|uniq
216.54.26.139
210.77.73.11
203.251.145.52
203.197.2.92
64.235.54.228
[root@springboard shinnai]#
- This gives the IP addresses that are generating Illegal user.
4. Shell script for handling BruteForce
- Building on the detection methods so far, create the following shell script using iptables.
[root@springboard shinnai]# cat /www/system/bin/BruteForceFW.sh
#!/bin/bash
export LANG=C
LOGFILE=/var/log/secure
DROPLIST=/tmp/BruteForce.txt
COUNTFILE=/tmp/BruteForce.linecount.txt
HISTORY=/var/log/iptable.block.history
MAIL=bruteforce@ujp.jp
# Get the brute-force list: count the values of fields 11-14 that contain a dot and no lowercase letter
KEYWORD="Failed password"
grep "$KEYWORD" $LOGFILE |cut -d" " -f 11|sort|uniq -c|sort -nr|grep "\."| grep -v '[a-z]' > $DROPLIST
grep "$KEYWORD" $LOGFILE |cut -d" " -f 12|sort|uniq -c|sort -nr|grep "\."| grep -v '[a-z]' >> $DROPLIST
grep "$KEYWORD" $LOGFILE |cut -d" " -f 13|sort|uniq -c|sort -nr|grep "\."| grep -v '[a-z]' >> $DROPLIST
grep "$KEYWORD" $LOGFILE |cut -d" " -f 14|sort|uniq -c|sort -nr|grep "\."| grep -v '[a-z]' >> $DROPLIST
KEYWORD="Illegal user"
grep "$KEYWORD" $LOGFILE |cut -d" " -f 11|sort|uniq -c|sort -nr|grep "\."| grep -v '[a-z]' >> $DROPLIST
# Exclusion list
grep -v "192.168." $DROPLIST > $DROPLIST.1;rm $DROPLIST;mv $DROPLIST.1 $DROPLIST
# Loop count
wc -l $DROPLIST > $COUNTFILE
export LOOPCOUNT=`cat $COUNTFILE | awk '{print$1}'`
# Firewall setting
count=1
while [ $count -le $LOOPCOUNT ];
do
    GetList=`head -n $count $DROPLIST | tail -n 1`
    ERROR_COUNT=`echo $GetList | awk '{print$1}'`
    DROP_ADDRESS=`echo $GetList | awk '{print$2}'`
    # Act only when the count is greater than 3
    if [ "$ERROR_COUNT" -gt 3 ]; then
        # Check whether the address is already registered (fixed-string, whole-word match)
        /sbin/iptables -L RH-Firewall-1-INPUT -n --line-number|grep -wF -- "$DROP_ADDRESS" > /dev/null
        if [ $? -ne 0 ]; then # Not registered yet, so register it
            /sbin/iptables -I RH-Firewall-1-INPUT 5 -s "$DROP_ADDRESS" -j DROP
            echo `date +%Y.%m.%d.%H:%M:%S` /sbin/iptables -I RH-Firewall-1-INPUT 5 -s $DROP_ADDRESS -j DROP >> $HISTORY
            echo `date +%Y.%m.%d.%H:%M:%S` AutoBlockIP: $DROP_ADDRESS | mail -s BruteForceFW $MAIL
        fi
    fi
    #DEBUG echo $count ":" $ERROR_COUNT ":" $DROP_ADDRESS ":" $STATUS
    count=`expr $count + 1`
done
[root@springboard shinnai]#
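- Roughly speaking, this shell script works as follows.
  - Save the extracted list to $DROPLIST.
  - If $DROPLIST contains excluded IPs, remove them.
  - Loop, taking one line at a time from $DROPLIST.
  - The first column of the extracted line holds the number of attacks; check whether it is 3 or more.
  - If it is 3 or more, check whether the extracted entry is already on the iptables drop list.
  - If it is not on the drop list,
    - register it as a new entry.
    - write it to the log file.
    - mail the administrator.
- The history of what this program has done is saved in the following file.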
[root@springboard shinnai]# cat /var/log/iptable.block.history|tail -n 10
2007.10.17.20:29:02 /sbin/iptables -I RH-Firewall-1-INPUT 5 -s 80.7.180.175 -j DROP
2007.10.17.20:29:02 /sbin/iptables -I RH-Firewall-1-INPUT 5 -s 80.108.128.198 -j DROP
2007.10.17.20:29:02 /sbin/iptables -I RH-Firewall-1-INPUT 5 -s 221.238.133.134 -j DROP
2007.10.17.20:29:02 /sbin/iptables -I RH-Firewall-1-INPUT 5 -s 221.15.37.58 -j DROP
2007.10.17.20:29:02 /sbin/iptables -I RH-Firewall-1-INPUT 5 -s 218.91.233.19 -j DROP
2007.10.17.20:29:02 /sbin/iptables -I RH-Firewall-1-INPUT 5 -s 218.249.60.87 -j DROP
2007.10.17.20:29:16 /sbin/iptables -I RH-Firewall-1-INPUT 5 -s ito.ei -j DROP
2007.10.17.20:29:16 /sbin/iptables -I RH-Firewall-1-INPUT 5 -s t.miyake -j DROP
2007.10.17.20:29:16 /sbin/iptables -I RH-Firewall-1-INPUT 5 -s 125.206.111.101 -j DROP
2007.10.17.20:29:16 /sbin/iptables -I RH-Firewall-1-INPUT 5 -s 202.213.254.118 -j DROP
[root@springboard shinnai]#
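An added example, not part of the original script: the history above shows ito.ei and t.miyake inserted as -s arguments, because cutting by field position can pick up the user-name field, which is free text supplied by the client. The sketch below instead reads the address relative to the end of the line, where sshd itself writes "from ADDR port N ssh2", and validates it before anything is counted. The function names, the sample log lines (documentation addresses) and the UNKNOWN case are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the page's script. Function names and the sample log
# (documentation addresses, constructed) are assumptions for illustration.

# count_offenders THRESHOLD  (reads a secure log on stdin)
# Prints "COUNT ADDRESS", most active first, for each source address whose
# "Failed password" or "Illegal user" count is greater than THRESHOLD.
count_offenders() {
    LC_ALL=C awk -v threshold="$1" '
    # True only for a dotted quad with every octet in 0..255.
    function is_ipv4(s,    n, p, i) {
        if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
        n = split(s, p, ".")
        for (i = 1; i <= n; i++)
            if (length(p[i]) > 3 || p[i] + 0 > 255) return 0
        return 1
    }
    # Default field splitting absorbs the padded day ("Nov  4"), so the
    # syslog tag is always field 5 and the message starts at field 6.
    $5 ~ /^sshd\[[0-9]+\]:$/ && NF > 8 {
        addr = ""
        if ($6 == "Failed" && $7 == "password") {
            # sshd appends "from ADDR port N ssh2" after the user name,
            # so ADDR is read relative to the end of the line.
            if ($(NF-4) == "from" && $(NF-2) == "port") { addr = $(NF-3); kind = "F" }
        } else if ($6 == "Illegal" && $7 == "user") {
            # "Illegal user NAME from ADDR": ADDR is the last field.
            if ($(NF-1) == "from") { addr = $NF; kind = "I" }
        }
        if (addr == "" || !is_ipv4(addr)) next   # not an address: ignore
        if (addr ~ /^192\.168\./) next           # exclusion, as on the page
        seen[addr] = 1
        if (kind == "F") { fail[addr]++ } else { illegal[addr]++ }
    }
    END {
        # Like the page, each keyword is counted separately; report the larger.
        for (a in seen) {
            c = (fail[a] + 0 > illegal[a] + 0) ? fail[a] + 0 : illegal[a] + 0
            if (c > threshold + 0) printf "%d %s\n", c, a
        }
    }' | LC_ALL=C sort -k1,1nr -k2,2
}

# block_commands: turn "COUNT ADDRESS" lines into the insert command used by
# the page, printed for review instead of executed (dry run).
block_commands() {
    while read -r count addr; do
        printf '/sbin/iptables -I RH-Firewall-1-INPUT 5 -s %s -j DROP\n' "$addr"
    done
}

# rep N LINE: print LINE N times (helper for the constructed sample).
rep() {
    n=$1
    while [ "$n" -gt 0 ]; do printf '%s\n' "$2"; n=$((n - 1)); done
}

# Constructed sample log.
sample_log() {
    rep 5 'Nov  4 07:05:27 host sshd[1001]: Failed password for illegal user test from 203.0.113.7 port 40001 ssh2'
    # User-name field that itself looks like an address; must not be counted.
    rep 4 'Oct 14 18:05:09 host sshd[2001]: Failed password for illegal user 198.51.100.9 from 203.0.113.8 port 50001 ssh2'
    rep 5 'Oct 15 10:57:44 host sshd[3001]: Failed password for alice from 192.168.0.182 port 60291 ssh2'
    rep 2 'Oct 15 11:00:00 host sshd[3002]: Failed password for root from 198.51.100.23 port 41000 ssh2'
    rep 4 'Nov  4 07:06:01 host sshd[4001]: Illegal user info from 203.0.113.50'
    rep 4 'Nov  4 07:07:00 host sshd[5001]: Failed password for bob from UNKNOWN port 65535 ssh2'
}

# Dry run over the constructed sample with the same "greater than 3" test.
sample_log | count_offenders 3 | block_commands
```

On the constructed sample this prints insert commands for 203.0.113.7, 203.0.113.50 and 203.0.113.8 only; the address-like user name, the 192.168 address and UNKNOWN never reach the output.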
- After running it, check the current iptables definitions.
[root@springboard shinnai]# /sbin/service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
DROP all -- 210.22.83.60 anywhere
DROP all -- port-83-236-170-229.static.qsc.de anywhere
DROP all -- 220.248.40.13 anywhere
DROP all -- 63.245.8.139.cstmr.multidatahn.net anywhere
DROP all -- 211.233.12.45 anywhere
DROP all -- archived-dms.boca.verio.net anywhere
DROP all -- ns1.dynacraft.com anywhere
DROP all -- 58.62.223.126 anywhere
DROP all -- host87-227-149-62.serverdedicati.aruba.it anywhere
DROP all -- 222.66.120.18 anywhere
DROP all -- 70-90-160-236-BusName-sfba.hfc.comcastbusiness.net anywhere
DROP all -- mail.oricom.de anywhere
DROP all -- static-ip-62-75-252-71.inaddr.intergenia.de anywhere
DROP all -- 220.149.168.95 anywhere
DROP all -- host131-130-static.59-217-b.business.telecomitalia.it
anywhere
DROP all -- 211.217.221.39 anywhere
DROP all -- kcn.res.kutc.kansai-u.ac.jp anywhere
DROP all -- 61.152.169.150 anywhere
DROP all -- 221.204.247.38 anywhere
DROP all -- 63-239-46-34.dia.static.qwest.net anywhere
DROP all -- 211.221.225.77 anywhere
DROP all -- 213.19.163.35 anywhere
DROP all -- 59-124-44-34.HINET-IP.hinet.net anywhere
DROP all -- 211.151.94.130 anywhere
DROP all -- 190.9-128-80.static.cantv.net.128.9.190.in-addr.arpa
anywhere
DROP all -- 61.150.115.178 anywhere
DROP all -- 69.46.24.36 anywhere
DROP all -- ip3.lrdgportal.com anywhere
DROP all -- ns.mx-net.cz anywhere
DROP all -- ns23119.ovh.net anywhere
DROP all -- pascal.iseg.utl.pt anywhere
DROP all -- 70-127.146.82.priorweb.be anywhere
DROP all -- 65.210.160.161 anywhere
DROP all -- server4.rudolph-edv.de anywhere
DROP all -- 38.103.54.61 anywhere
DROP all -- 66.103.158.6 anywhere
DROP all -- LL-220-228-49-49.LL.sparqnet.net anywhere
DROP all -- 210006141045.ctinets.com anywhere
DROP all -- 202.64.220.133 anywhere
DROP all -- bbs-37-143-0-210.on-nets.com anywhere
DROP all -- 218.249.60.66 anywhere
DROP all -- 219.239.24.34 anywhere
DROP all -- 207.234.184.235 anywhere
DROP all -- 210.188.206.110 anywhere
DROP all -- sd-6157.dedibox.fr anywhere
DROP all -- 211.137.167.92 anywhere
DROP all -- 202.155.247.51 anywhere
DROP all -- 222.33.64.150 anywhere
DROP all -- www.iota-beta.com anywhere
DROP all -- wtuglobal.org anywhere
DROP all -- 65.19.134.242 anywhere
DROP all -- mralasdairstewart.fbyne.com anywhere
DROP all -- 210.188.207.136 anywhere
DROP all -- andyc2323.com anywhere
DROP all -- 195.230.5.45 anywhere
DROP all -- 211.176.61.119 anywhere
DROP all -- mail.tritonpublic.co.yu anywhere
DROP all -- vl656.host242.netvision.net.il anywhere
DROP all -- host-92.pl107820.fiber.net anywhere
DROP all -- 59.188.8.60 anywhere
DROP all -- del-static-229-88-7-210.direct.net.in anywhere
DROP all -- 65.214.140.25 anywhere
DROP all -- inside9.com anywhere
DROP all -- egress-del1.induslogic.com anywhere
DROP all -- 211.137.210.230 anywhere
DROP all -- firewall2.vti.at anywhere
DROP all -- c-69-143-147-220.hsd1.md.comcast.net anywhere
DROP all -- www.linfairrecords.com anywhere
DROP all -- 222.40.20.172 anywhere
DROP all -- 195.69.169.30 anywhere
DROP all -- 203.255.39.14 anywhere
DROP all -- mail.abatement.com anywhere
DROP all -- rrcs-70-61-233-69.central.biz.rr.com anywhere
DROP all -- 211.234.100.202 anywhere
DROP all -- 210.53.138.162 anywhere
DROP all -- dl.ablam.org.br anywhere
DROP all -- 222.90.73.206 anywhere
DROP all -- pc-17-65-104-200.cm.vtr.net anywhere
DROP all -- 219.235.231.113 anywhere
DROP all -- nc0106.jnn.ru anywhere
DROP all -- 211.95.73.162 anywhere
DROP all -- 59.50.76.50 anywhere
DROP all -- 216.191.174.126 anywhere
DROP all -- mail.y17.com.tw anywhere
DROP all -- t1000-01.r-g-b.de anywhere
DROP all -- 67.41.255.150 anywhere
DROP all -- ns21845.ovh.net anywhere
DROP all -- 61-250-194-245.rev.krline.net anywhere
DROP all -- . anywhere
DROP all -- 220.194.52.167 anywhere
DROP all -- 210.34.7.115 anywhere
DROP all -- 60-248-109-41.HINET-IP.hinet.net anywhere
DROP all -- 210.87.136.171 anywhere
DROP all -- 202.85.169.26 anywhere
DROP all -- 125.206.195.72 anywhere
DROP all -- shimokita.jp.toyota-itc.com anywhere
DROP all -- creamshop.co.kr anywhere
DROP all -- 140.109.73.31 anywhere
DROP all -- 208.78.145.103 anywhere
DROP all -- localhost anywhere
DROP all -- 210.5.3.3 anywhere
DROP all -- 210.222.241.117 anywhere
DROP all -- 61-121-213-43.bitcat.net anywhere
DROP all -- 210.0.215.71 anywhere
DROP all -- 59.74.112.9 anywhere
DROP all -- adam.p2p-paradies.com anywhere
DROP all -- 82.96.17.228.dyn.rp80.se anywhere
DROP all -- 207.59.179.170 anywhere
DROP all -- 209.126.173.249 anywhere
DROP all -- 59-106-23-199.r-bl100.sakura.ne.jp anywhere
DROP all -- 58.102.151.119 anywhere
DROP all -- bny92-2-82-66-112-98.fbx.proxad.net anywhere
DROP all -- dsl-201-122-43-220.prod-empresarial.com.mx anywhere
DROP all -- 81.26.214.7 anywhere
DROP all -- 85.249.140.50.addr.datapoint.ru anywhere
DROP all -- 202.228.238.158 anywhere
DROP all -- jinch.com.tw anywhere
DROP all -- 216.120.198.28 anywhere
DROP all -- vz18.securehostserver.com anywhere
DROP all -- 222.122.47.221 anywhere
DROP all -- net136-222.paichai.ac.kr anywhere
DROP all -- 61.243.47.34 anywhere
DROP all -- 218.96.252.76 anywhere
DROP all -- 81.202.58.143.dyn.user.ono.com anywhere
DROP all -- 61-30-102-22.static.tfn.net.tw anywhere
DROP all -- 220.71.64.47 anywhere
DROP all -- usamvb-fo.b.astral.ro anywhere
DROP all -- altatec.propagation.net anywhere
DROP all -- 211.233.14.45 anywhere
DROP all -- 211.139.127.82 anywhere
DROP all -- n220246043234.netvigator.com anywhere
DROP all -- 203.252.164.67 anywhere
DROP all -- dsl-189-172-77-178.prod-infinitum.com.mx anywhere
DROP all -- s162.csie.stu.edu.tw anywhere
DROP all -- bee.tnfsh.tn.edu.tw anywhere
DROP all -- 222.112.230.71 anywhere
DROP all -- 202.60.72.204 anywhere
DROP all -- 211.169.132.162 anywhere
DROP all -- 210.184.131.190 anywhere
DROP all -- 221.1.80.94 anywhere
DROP all -- 200-35-71-115.static.telcel.net.ve anywhere
DROP all -- horacio.nce.ufrj.br anywhere
DROP all -- 209.177.149.155 anywhere
DROP all -- 125.246.51.194 anywhere
DROP all -- 210.51.191.175 anywhere
DROP all -- 210.212.173.38 anywhere
DROP all -- 89.186.169.162 anywhere
DROP all -- 60-248-4-188.HINET-IP.hinet.net anywhere
DROP all -- 219.254.35.183 anywhere
DROP all -- 203-217-10-208.perm.iinet.net.au anywhere
DROP all -- 220.64.113.125 anywhere
DROP all -- 65.205.238.12 anywhere
DROP all -- 202.39.224.102 anywhere
DROP all -- 210.53.131.12 anywhere
DROP all -- empirehost03.empirehost.com anywhere
DROP all -- bexi.goatse.fi anywhere
DROP all -- df.modeemi.cs.tut.fi anywhere
DROP all -- 122.17.219.209.transedge.com anywhere
DROP all -- 221.4.117.79 anywhere
DROP all -- fu-159-92.edit.ne.jp anywhere
DROP all -- r3ak254.net.upc.cz anywhere
DROP all -- 222.231.47.7 anywhere
DROP all -- 221.242.85.35 anywhere
DROP all -- ns2.spade.cc anywhere
DROP all -- 125.240.247.3 anywhere
DROP all -- 210.151.26.171 anywhere
DROP all -- p234.pis.com.au anywhere
DROP all -- 219.127.146.71 anywhere
DROP all -- secure.e-studio.com.au anywhere
DROP all -- u15224939.onlinehome-server.com anywhere
DROP all -- ladyheather.pcgal.com anywhere
DROP all -- 218.21.226.163 anywhere
DROP all -- 218.189.192.194 anywhere
DROP all -- 192.207.64.108 anywhere
DROP all -- webhosting3.ffni.com anywhere
DROP all -- rh9.sangwan.com anywhere
DROP all -- 211.119.136.152 anywhere
DROP all -- 211.157.36.45 anywhere
DROP all -- 210.94.6.89 anywhere
DROP all -- 67.151.206.62 anywhere
DROP all -- r18navi.com anywhere
DROP all -- 221.9.167.195 anywhere
DROP all -- 38.103.145.186 anywhere
DROP all -- dns.comvers.de anywhere
DROP all -- antun.erf.hr anywhere
DROP all -- 212.12.186.171 anywhere
DROP all -- 207-36-180-208.ptr.primarydns.com anywhere
DROP all -- 148.204.196.195 anywhere
DROP all -- bunkou-mc.eng.hokudai.ac.jp anywhere
DROP all -- bin86.ee.ccu.edu.tw anywhere
DROP all -- 193.194.69.49 anywhere
DROP all -- host202-187-static.206-80-b.business.telecomitalia.it
anywhere
DROP all -- frank.shosting.sonitar.hu anywhere
DROP all -- 220.232.207.254 anywhere
DROP all -- ev1s-66-98-220-29.ev1servers.net anywhere
DROP all -- 210.150.118.90 anywhere
DROP all -- 72.32.11.232 anywhere
DROP all -- 193.87.167.19 anywhere
DROP all -- cmsl45.speech.cm.nctu.edu.tw anywhere
DROP all -- orpbus.com anywhere
DROP all -- 80.81.67.10 anywhere
DROP all -- 221.207.232.135 anywhere
DROP all -- 220-132-167-253.HINET-IP.hinet.net anywhere
DROP all -- 218.1.73.216 anywhere
DROP all -- 66.240.202.57 anywhere
DROP all -- 61.136.58.249 anywhere
DROP all -- 210.114.221.174 anywhere
DROP all -- 202.123.213.4 anywhere
DROP all -- 66.240.221.8 anywhere
DROP all -- comnet-noc-8.bright.net anywhere
DROP all -- mss01.s-solution.jp anywhere
DROP all -- 202.33.250.13 anywhere
DROP all -- www.theoutdoorwire.com anywhere
DROP all -- 218.216.194.113 anywhere
DROP all -- light-works.co.jp anywhere
DROP all -- pd5fe76.tokyff01.ap.so-net.ne.jp anywhere
DROP all -- 210.71.186.109 anywhere
DROP all -- 59.37.63.162 anywhere
DROP all -- 61-195-147-210.cust.bit-drive.ne.jp anywhere
DROP all -- 222.53.17.117 anywhere
DROP all -- mth.webcy.com anywhere
DROP all -- zimbra.ultraserve.net.au anywhere
DROP all -- 220.90.213.33 anywhere
DROP all -- 211.157.109.163 anywhere
DROP all -- w135205.ppp.asahi-net.or.jp anywhere
DROP all -- www.quant-ph.cst.nihon-u.ac.jp anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[root@springboard shinnai]#
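- With this listing method, every IP address is looked up in DNS, so the output takes a very long time.
- Running the iptables command with the -L option plus the -n option, which skips the DNS lookups, makes the listing fast.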
[root@springboard shinnai]# /sbin/iptables -L RH-Firewall-1-INPUT -n --line-number
Chain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
5 DROP all -- 202.213.254.118 0.0.0.0/0
6 DROP all -- 125.206.111.101 0.0.0.0/0
7 DROP all -- 218.249.60.87 0.0.0.0/0
8 DROP all -- 218.91.233.19 0.0.0.0/0
9 DROP all -- 221.15.37.58 0.0.0.0/0
10 DROP all -- 221.238.133.134 0.0.0.0/0
11 DROP all -- 80.108.128.198 0.0.0.0/0
~ omitted ~
788 DROP all -- 125.206.111.101 0.0.0.0/0
789 DROP all -- 202.213.254.118 0.0.0.0/0
790 DROP all -- 210.71.186.109 0.0.0.0/0
791 DROP all -- 59.37.63.162 0.0.0.0/0
792 DROP all -- 61.195.147.210 0.0.0.0/0
793 DROP all -- 222.53.17.117 0.0.0.0/0
794 DROP all -- 64.246.60.59 0.0.0.0/0
795 DROP all -- 203.145.39.66 0.0.0.0/0
796 DROP all -- 220.90.213.33 0.0.0.0/0
797 DROP all -- 211.157.109.163 0.0.0.0/0
798 DROP all -- 121.1.135.205 0.0.0.0/0
799 DROP all -- 133.43.96.2 0.0.0.0/0
800 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
801 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
802 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
803 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
804 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
805 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[root@springboard shinnai]#
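5. Running the shell script automatically
- Running the BruteForceFW.sh program created earlier at regular intervals blocks the unauthorized access attempts.
- For periodic execution, registering the script in crontab comes to mind, but the shortest interval is 1 minute, so an attack would go unchecked for 1 minute.
- One minute is enough for multiple attack attempts, so this is too slow.
- Therefore, Swatch is set up to detect updates to the secure log and run BruteForceFW.sh when they occur.
- First, check the Swatch configuration file.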
[root@springboard shinnai]# cat /root/swatch.txt
watchfor /Failed password|Illegal user/
exec /usr/bin/BruteForceFW.sh
[root@springboard shinnai]#
- This configuration defines that BruteForceFW.sh is executed whenever "Failed password" or "Illegal user" is recorded in the specified log file.
- Start swatch with the following command.
/usr/bin/swatch -c /root/swatch.txt -t /var/log/secure &
[root@springboard shinnai]# ps -ef | grep swatch
root 7439 1 0 Nov02 ? 00:00:00 /usr/bin/perl /usr/bin/swatch -c /root/swatch.txt -t /var/log/secure
root 26961 7439 0 Nov04 ? 00:00:00 /usr/bin/perl /root/.swatch_script.7439
root 21913 21605 0 11:0
- With this in place, the shell script runs every time an intrusion attempt occurs.
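The numeric listing above shows the same source address under more than one rule number (5 and 789, 6 and 788), and swatch runs the script for every matching log line. The following added example, which is not the page's BruteForceFW.sh, prints only the sources that reach a failure threshold and have no DROP rule yet; the function names, the threshold and all sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the page's BruteForceFW.sh. All data is constructed;
# addresses are from the RFC 5737 documentation ranges.
THRESHOLD=2   # assumed cut-off: failures needed before a source is blocked

sample_secure_log() {   # constructed, in the /var/log/secure format shown above
cat <<'EOF'
Oct 14 18:05:13 host sshd[102]: Failed password for root from 192.0.2.10 port 59701 ssh2
Oct 14 18:05:16 host sshd[103]: Failed password for illegal user from from 192.0.2.10 port 59995 ssh2
Oct 14 18:06:01 host sshd[104]: Failed password for illegal user web from 198.51.100.7 port 60293 ssh2
Oct 14 18:06:04 host sshd[105]: Failed password for illegal user web from 198.51.100.7 port 60295 ssh2
Oct 14 18:07:00 host sshd[107]: Failed password for alice from 203.0.113.5 port 40000 ssh2
EOF
}

sample_chain_listing() {   # constructed "iptables -L ... -n --line-number" output
cat <<'EOF'
Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    DROP       all  --  198.51.100.7         0.0.0.0/0
EOF
}

# $1 = secure log file, $2 = saved chain listing (never empty: it has headers).
# Prints sources with >= THRESHOLD failures that have no DROP rule yet.
new_block_candidates() {
  awk -v min="$THRESHOLD" '
    # Listing first: columns are num target prot opt source destination.
    FNR == NR { if ($2 == "DROP") have[$5] = 1; next }
    # Log second: read the address from the fixed tail "from ADDR port N ssh2",
    # so a user name such as "from" cannot be mistaken for the source.
    /sshd\[[0-9]+\]: Failed password/ && NF > 5 &&
    $(NF-4) == "from" && $(NF-2) == "port" &&
    $(NF-3) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$(NF-3)]++ }
    END { for (ip in n) if (n[ip] >= min && !(ip in have)) print ip }
  ' "$2" "$1" | sort
}

demo() {   # writes the samples to a temp dir and prints the new candidates
  dir=$(mktemp -d) || return 1
  sample_secure_log > "$dir/secure"
  sample_chain_listing > "$dir/chain"
  new_block_candidates "$dir/secure" "$dir/chain"
  rm -rf "$dir"
}
demo   # prints 192.0.2.10
```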
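6. Handling syslog log rotation
- The syslog logs are rotated on a configured schedule.
- On RedHat Linux ES3, the syslog logs are rotated early every Sunday morning.
- swatch cannot detect that the log has been switched, so it has to be restarted whenever a log switch takes place.
- First, check the configuration that performs the syslog rotation.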
[root@springboard shinnai]# cd /etc/logrotate.d/
[root@springboard logrotate.d]# ls -1
apache1
cups
mailman
mgetty
mysql
named
psacct
quagga
radiusd
redhat-config-network
rpm
samba
snmpd
squid
syslog
tux
up2date
uucp
vsftpd.log
[root@springboard logrotate.d]#
[root@springboard logrotate.d]# cat syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
[root@springboard logrotate.d]#
- The secure log is among the rotated files, so change the configuration as follows so that a signal is sent to swatch as well.
[root@springboard logrotate.d]# cat syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
/bin/kill -HUP `ps -ax|grep swatch.txt|grep -v grep|awk '{print$1}' 2> /dev/null` 2> /dev/null || true
endscript
}
[root@springboard logrotate.d]#