Country IP Lists

I put together a simple query page on my site that will list all the IP addresses of a given country.

The list can be used in programs like PeerBlock or within iptables (or ipset) to block whole countries from accessing a system. I currently use iptables/ipset (ipset thanks to a suggestion by Jasper) on my firewalls but used to run PeerBlock as a service protecting Windows systems. These lists allow me to select whole countries, such as China, and deny their access to my systems.

The current list of countries I am blocking is here. Sorry to all of the legitimate users from those countries, but the other guys just don’t make it worth my while to allow access. Go yell at them.

I also maintain a list of individuals that have attempted to break in using ssh. These hackers actively try to guess account and password combinations to gain illegal access to my systems. Sadly, all they do is populate my honeypot with a record of what they try. The data is automatically gathered and the list is available on this page.

What became apparent very quickly from that list was that China, far above any other country, was responsible for the vast majority of the break-in attempts. Other countries, like the Russian Federation, Taiwan, Brazil and a few others, followed quite a bit behind.

Even though I adore these countries, have traveled to China personally and respect their ancient and colorful traditions, the lack of respect and accountability shown by the people of China, the Russian Federation and others results in their just not being allowed to access my system anymore. And it’s not like getting access to my random blog posts is really worth their effort either.

Note: if you know the two letter country code (which you can get using the above pull-down list) then you can call my function directly to obtain the list of IP addresses for one country. For example, to obtain the list for Australia, you could use

Also I offer this as a courtesy service. The server is not that fast, so please do not thrash it or otherwise overload the server or else I might be forced to look into moving the service somewhere else (or worse, if it is getting thrashed, I might need to turn it off or block the IP address in question...)

Enjoy!


6 Comments

  1. Hello,
    Can you please tell me the best way to block all countries except the Netherlands? Is there a list to block the whole world so that I can then allow the Netherlands list and a few other IPs?

    • The approach here would be to setup the desired block software to block everyone, except IP addresses for the desired country, and all local non-routable addresses as needed:

      class A reserved space 10.0.0.0/8
      class B reserved space 172.16.0.0/12
      class C reserved space 192.168.0.0/16
      class E reserved for research 240.0.0.0

      and you might need the localhost 127.0.0.0 addresses depending upon the blocking software used.
      If you block the local and non-routable addresses, then any possible internal IP access to your system would be blocked as well.

      I’ve moved my system away from Windows to a Linux server using iptables for performance reasons (my old Windows server running MySQL, IIS and Exchange was buckling under the load – now it runs MySQL, Apache and Samba/Postfix/Dovecot and it couldn’t be happier).

      If creating a series of iptables rules, make sure to add the ALLOW rules first, then add the BLOCK rules later, such as:

      iptables -N xxx # create a new chain
      iptables -A xxx -m iprange --src-range 1.2.3.0-1.2.3.254 -j ACCEPT
      iptables -A xxx -m iprange --src-range 127.0.0.0-127.0.0.254 -j ACCEPT
      # ... one ACCEPT rule for each further range you want to allow
      iptables -A xxx -j DROP # drop everyone else
      iptables -I INPUT -p tcp -m tcp --dport 80 -j xxx # use chain xxx for packets coming to TCP port 80

      The src-range values would represent each range of IPs you wish to allow. As such, only use ones for the Netherlands as well as the non-routable ones (if needed).

  2. Thanks for this info. I use Peerblock. To block everything should be done by making a list myself with the range 0.0.0.0 – 255.255.255.255 and then put in the allow lists. Right?
    I know that there are more options available in Linux. My ideal situation would be to block RDP brute force attackers' IP addresses automatically after five login attempts. I know this is possible in Linux but I have not found anything for Windows. Only a VB script that searches through the event logs and then blocks the IP addresses that have tried to login too many times. Not ideal.

  3. This site of yours is super. It is of big use to me for PeerBlock. Will the site remain available the coming years? I use your dynamic list service. But I’m wondering if I should download all the country lists.

    • Good questions. My intention is to keep my site up as I use it for numerous purposes including remote access from travel locations and mail aggregation. Of course that said, it is always possible that I could get hit by a truck or California could disappear into the ocean with an earthquake at any time.

      To that end, I am also happy to explain how I get my data such that anyone else can make use of the same kind of service.

      For example, the source of the IP information I use is from Maxmind, specifically located at http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip. If you pay for a subscription it gets updated quite frequently. If you do not pay and rely on the free service, then the updates are less frequent. Either way, they provide a great service.

      From their zip file the list of IP ranges per country are available, such as:

      "1.4.1.0","1.4.127.255","17039616","17072127","CN","China"

      On a regular basis I download this data and store it in a MySQL database, basically having a table of countries that contains an ID, short name and full name, and also a table of IP addresses that store each of the ranges and points to the country table.

      Once these values are in the database, I can easily make SQL queries to extract whole lists of IP addresses given a particular country. The results are then formatted into the required structure, whether that be a Peerblock format or an iptables format.

      In addition I also collect each and every access that is blocked by my server for the purpose of generating statistics. When I ran a Windows server I parsed the Peerblock and IIS logs. On my Linux system I now simply process the /var/log/firewall and /var/log/secure files. The firewall file contains the list of access attempts blocked by iptables (used for statistics). The secure file is more interesting as it compiles the list of morons attempting ssh attacks (used for statistics and adding new IP addresses to the block list). Needless to say, the script kiddies have yet to realize I only use private key access for ssh and there is no such account as root :-)

      I also have processes that sweep the /var/log/httpd log files looking for phpmyadmin accesses (of which I have none, but it does not stop morons from trying) and other illegal web accesses.

      I automated the processes for parsing all of the above files as well. So my server pretty much can run hands free. Occasionally it does blacklist accesses that are legitimate by mistake. This happened recently when the clock on one of my systems died and the NTP requests to readjust the time became somewhat overzealous. But I scan the block results occasionally and have scripts to remove blocked IP addresses from the database just in case.

      So if my service is useful and can help then I am happy to keep it going as long as I can. If however you want to set up your own processes, then I’m happy to help out that way as much as I can as well. Either way, I want to empower people with how to fight back. I personally feel that unwarranted attempts to access my systems are akin to a war against my property and my information. The media in the US has just recently started reporting on the “new” phenomenon of Cyber warfare here in the US. Well they are too little too late. The cyber warfare started years ago and mostly runs unchecked. Countries with many talented yet idle people have been honing their hacking skills for years yet we only now hear from the media in the US about dealing with this as a real threat.

      I personally feel that detecting these intrusions, how to deal with them and how to launch your own attacks should be core curriculum for all computer science programs. I do not view this as launching a league of armed morons loose onto the Internet but rather empowering people with knowledge about what the threat is and how to deal with it.

      Plus it might stop people from creating servers with no security and weak root access passwords :-)

      Cheers,

      Darren
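A worked version of the pipeline this reply describes (CSV records in, a country table and a range table, per-country queries, PeerBlock or iptables output), combined with the allow-first-then-DROP chain from the earlier reply. This is an added example, my code rather than Darren's scripts: SQLite stands in for MySQL, the CN row is the one quoted above while the AU, NL and RU rows are constructed, and the table layout, the chain name xxx, the port and the list of local networks kept reachable are assumptions.

```python
"""Added example: GeoIP country CSV -> SQLite -> PeerBlock / ipset / iptables allowlist output."""
import csv
import io
import ipaddress
import sqlite3

# Constructed sample in the GeoIPCountryCSV layout quoted above:
# start_ip, end_ip, start_int, end_int, country_code, country_name.
# The CN row is the one from the comment; the other rows are made up for illustration.
SAMPLE_CSV = """\
"1.4.1.0","1.4.127.255","17039616","17072127","CN","China"
"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"2.16.0.0","2.16.255.255","34603008","34668543","NL","Netherlands"
"5.8.8.0","5.8.15.255","84412416","84414463","RU","Russian Federation"
"""

def row_is_consistent(start_ip, end_ip, start_int, end_int):
    """The integer columns must agree with the dotted ones, otherwise the row is corrupt."""
    return (int(ipaddress.IPv4Address(start_ip)) == int(start_int)
            and int(ipaddress.IPv4Address(end_ip)) == int(end_int))

def load_ranges(csv_text):
    """Load rows into an in-memory SQLite DB (standing in for the MySQL tables described above)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE country (id INTEGER PRIMARY KEY, code TEXT UNIQUE, name TEXT)")
    db.execute("CREATE TABLE ip_range (start_int INTEGER, end_int INTEGER, "
               "country_id INTEGER REFERENCES country(id))")
    for start_ip, end_ip, start_int, end_int, code, name in csv.reader(io.StringIO(csv_text)):
        if not row_is_consistent(start_ip, end_ip, start_int, end_int):
            raise ValueError(f"inconsistent row for {code}: {start_ip}-{end_ip}")
        db.execute("INSERT OR IGNORE INTO country (code, name) VALUES (?, ?)", (code, name))
        (cid,) = db.execute("SELECT id FROM country WHERE code = ?", (code,)).fetchone()
        db.execute("INSERT INTO ip_range VALUES (?, ?, ?)", (int(start_int), int(end_int), cid))
    db.commit()
    return db

def ranges_for(db, code):
    """All (start_ip, end_ip) pairs for a two-letter country code, in address order."""
    rows = db.execute("SELECT r.start_int, r.end_int FROM ip_range r JOIN country c ON c.id = r.country_id "
                      "WHERE c.code = ? ORDER BY r.start_int", (code,)).fetchall()
    return [(str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(e))) for s, e in rows]

def peerblock_format(db, code):
    """PeerBlock (p2p text) lines: label:start-end, one per range."""
    (name,) = db.execute("SELECT name FROM country WHERE code = ?", (code,)).fetchone()
    return [f"{name}:{s}-{e}" for s, e in ranges_for(db, code)]

def ipset_format(db, code):
    """Lines for `ipset restore`, with each start-end range collapsed into CIDR blocks."""
    setname = f"country_{code.lower()}"
    lines = [f"create {setname} hash:net"]
    for s, e in ranges_for(db, code):
        for net in ipaddress.summarize_address_range(ipaddress.IPv4Address(s), ipaddress.IPv4Address(e)):
            lines.append(f"add {setname} {net}")
    return lines

# Private and loopback space to keep reachable when everything else is dropped (assumed list).
LOCAL_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")

def allowlist_chain(db, allowed_codes, chain="xxx", port=80):
    """iptables commands in allow-first, DROP-last order: ACCEPT the chosen countries and local
    space, DROP everyone else, then hook the chain into INPUT for one TCP port."""
    cmds = [f"iptables -N {chain}"]
    for code in allowed_codes:
        for s, e in ranges_for(db, code):
            cmds.append(f"iptables -A {chain} -m iprange --src-range {s}-{e} -j ACCEPT")
    for net in LOCAL_NETS:
        cmds.append(f"iptables -A {chain} -s {net} -j ACCEPT")
    cmds.append(f"iptables -A {chain} -j DROP")
    cmds.append(f"iptables -I INPUT -p tcp -m tcp --dport {port} -j {chain}")
    return cmds

if __name__ == "__main__":
    db = load_ranges(SAMPLE_CSV)
    print("\n".join(peerblock_format(db, "CN") + ipset_format(db, "CN") + allowlist_chain(db, ["NL"])))
```

The consistency check matters more than it looks: a corrupt or truncated row that slips into the range table silently widens or narrows a block, and with an allowlist chain that can lock you out of your own server. The ipset output is the form worth using on Linux for whole-country lists, since a few thousand CIDR entries in one hash:net set cost a single rule match instead of a few thousand iprange rules.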

  4. Also as to the event parsing. In Windows it is possible to associate a process with an event that starts when the event fires. That way you do not need to scan the log files on a regular basis but instead you can launch a process when the event fires directly.

    An issue with this though is when script kiddies hit your server hard you do not want thousands of instances of the same process starting all at once.

    So make sure if you fire up a process in this way, check if the process is already running before continuing. One method in many scripts is to attempt to open the script itself with exclusive read/write permissions. That way additional open attempts of the same script at the same time will fail since the additional copies cannot open themselves exclusively. Once the primary copy that succeeded in the exclusive open request completes and closes, the exclusive open lock is removed allowing additional copies of the script to start.

    The script itself could then analyze the log file and check for X number of attempts of a certain type within say the previous minute, and if X is greater than 5, add the IP address to a blocklist.

    This event association with a process is actually one of the things I miss about running these services on Windows :-) It was a nice feature.

    Cheers,

    Darren
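The threshold sweep and single-instance guard described in this comment, applied to the /var/log/secure parsing from the earlier reply, as an added example that is my code and not Darren's scripts. It counts sshd "Failed password" lines per source address inside a sliding window and flags an address once the count passes the threshold; the guard uses an OS file lock (flock on Linux, msvcrt.locking on Windows) rather than opening the script itself exclusively, which gives the same one-copy-at-a-time behaviour and is released by the kernel if the holder crashes. The log lines, the regex, the lock-file path and the 60-second / 5-attempt defaults are assumptions.

```python
import os
import re
import sys
import tempfile
from collections import defaultdict, deque
from datetime import datetime

if sys.platform == "win32":
    import msvcrt  # byte-range locks on Windows
else:
    import fcntl  # flock() everywhere else

# "Failed password" lines as sshd writes them through syslog (month/day/time, no year).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed /var/log/secure excerpt; the addresses are documentation ranges, not real sources.
SAMPLE_LOG = """\
Mar  3 10:15:01 srv sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 50110 ssh2
Mar  3 10:15:04 srv sshd[2003]: Failed password for root from 203.0.113.5 port 50112 ssh2
Mar  3 10:15:07 srv sshd[2005]: Failed password for invalid user oracle from 203.0.113.5 port 50114 ssh2
Mar  3 10:15:09 srv sshd[2007]: Failed password for invalid user test from 203.0.113.5 port 50116 ssh2
Mar  3 10:15:12 srv sshd[2009]: Failed password for root from 203.0.113.5 port 50118 ssh2
Mar  3 10:15:14 srv sshd[2011]: Failed password for invalid user guest from 203.0.113.5 port 50120 ssh2
Mar  3 10:16:20 srv sshd[2015]: Accepted publickey for darren from 198.51.100.7 port 40002 ssh2
Mar  3 10:20:00 srv sshd[2101]: Failed password for root from 192.0.2.9 port 3001 ssh2
Mar  3 10:22:00 srv sshd[2103]: Failed password for root from 192.0.2.9 port 3002 ssh2
Mar  3 10:24:00 srv sshd[2105]: Failed password for root from 192.0.2.9 port 3003 ssh2
Mar  3 10:26:00 srv sshd[2107]: Failed password for root from 192.0.2.9 port 3004 ssh2
"""

def parse_syslog_time(stamp):
    # The stamp carries no year; only differences inside one window matter, so 1900 is fine.
    return datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M:%S")

def offenders(lines, window_seconds=60, threshold=5):
    """Map each source IP to the moment it exceeded `threshold` failures within `window_seconds`."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window (lines in log order)
    flagged = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts, ip = parse_syslog_time(m.group("ts")), m.group("ip")
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

def _set_lock(fd, lock):
    """Take (lock=True) or drop a non-blocking exclusive lock; raises OSError if another holder has it."""
    if sys.platform == "win32":
        msvcrt.locking(fd, msvcrt.LK_NBLCK if lock else msvcrt.LK_UNLCK, 1)
    else:
        fcntl.flock(fd, (fcntl.LOCK_EX | fcntl.LOCK_NB) if lock else fcntl.LOCK_UN)

class SingleInstance:
    """File lock so only one sweep runs at a time; the OS drops it if the holder dies."""
    def __init__(self, lock_path):
        self.lock_path, self.fh = lock_path, None
    def acquire(self):
        fh = open(self.lock_path, "a+")
        try:
            _set_lock(fh.fileno(), True)
        except OSError:  # another sweep holds it: do not start a second one
            fh.close()
            return False
        self.fh = fh
        return True
    def release(self):
        if self.fh:
            _set_lock(self.fh.fileno(), False)
            self.fh.close()
            self.fh = None

def lock_contention_check():
    """A second copy cannot acquire while the first holds the lock, but can once it is released."""
    path = os.path.join(tempfile.gettempdir(), "ssh-sweep-demo.lock")  # constructed lock-file path
    first, second = SingleInstance(path), SingleInstance(path)
    assert first.acquire()
    while_held = second.acquire()     # False: the first copy still holds the lock
    first.release()
    after_release = second.acquire()  # True: the lock was dropped when the first copy finished
    second.release()
    return while_held, after_release  # (False, True)

if __name__ == "__main__":
    print({ip: f"{ts:%H:%M:%S}" for ip, ts in offenders(SAMPLE_LOG.splitlines()).items()}, lock_contention_check())
```

With the defaults, 203.0.113.5 is flagged at its sixth failure (10:15:14) while 192.0.2.9, which fails just as often but two minutes apart, never has more than one attempt inside any 60-second window; widen the window to 600 seconds and lower the threshold and it is caught too. The sweep only decides what to block; feeding the result into an ipset or the database is left to the caller, and the lines are assumed to arrive in chronological order.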
