How to block all IPs from specific domain?

Post Reply
rolinger
Junior Member
Posts: 13
Joined: 14 Feb 2017, 04:15

How to block all IPs from specific domain?

Post by rolinger »

One would think this would be easy but apparently its not...or its not possible.

I need to block ALL IPs from a specific domain, the problem is the domain has hundreds of IP CIDRs and its virtually impossible to block them all from standard IP deny lists - as well, about every 2 to 3 months, they seem to add on new ones. My server is taking on more and more vulnerability scans from this domain - almost 100 in the last 4 weeks and it just seems to be increasing every week. CSF is denying them after 5 connect failures....but that is reactive blocking, I want to do proactive blocking. Its a service vendor cloud, and as such there are NO end users originating from this cloud - only services running on cloud servers. I do no business with this cloud or have any vendors I do business with coming from this cloud that are not already in my IP Permit list.

But how do you block any/all IPs coming from a specific domain?
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: How to block all IPs from specific domain?

Post by Sergio »

You can create a rule and add it to /usr/local/csf/bin/

If you can provide a log line from a recent attack, write it here and I will help you to create the CSF rule needed or an Spamassasin rulte for the same.

Sergio
rolinger
Junior Member
Posts: 13
Joined: 14 Feb 2017, 04:15

Re: How to block all IPs from specific domain?

Post by rolinger »

@Sergio Hi, thanks for assisting. Here is an example of the vulnerability scan logs - I have dozens and dozens of the same log entries all from different IPs; but ALL from the same domain. IE: amazoneaws.com

Code: Select all

Time:     Tue Jul 18 07:54:53 2023 -0400
IP:       34.223.64.89 (US/United States/ec2-34-223-64-89.us-west-2.compute.amazonaws.com)
Failures: 5 (cpanel)
Interval: 3600 seconds
Blocked:  Permanent Block [LF_CPANEL]

Log entries:

[2023-07-18 07:54:12 -0400] info [cpaneld] 34.223.64.89 - - "OPTIONS /openid_connect/ HTTP/1.1" FAILED LOGIN cpaneld: openid connect: 'cpaneld' provider '' encountered an error: (XID wzm4yf) Provide the “provider” parameter for the “Cpanel::Validate::AuthProvider::check_provider_name_or_die” function.
[2023-07-18 07:54:42 -0400] info [webmaild] 34.223.64.89 - - "GET /openid_connect/news.mdb HTTP/1.1" FAILED LOGIN webmaild: openid connect: 'webmaild' provider 'news.mdb' encountered an error: (XID nzj3v6) The requested provider “news.mdb” is not valid.
[2023-07-18 07:54:43 -0400] info [webmaild] 34.223.64.89 - - "GET /openid_connect/zml.cgi?file=../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" FAILED LOGIN webmaild: openid connect: 'webmaild' provider 'zml.cgi' encountered an error: (XID cmgmzf) The requested provider “zml.cgi” is not valid.
[2023-07-18 07:54:51 -0400] info [whostmgrd] 34.223.64.89 - - "GET /openid_connect/zml.cgi?file=../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" FAILED LOGIN whostmgrd: openid connect: 'whostmgrd' provider 'zml.cgi' encountered an error: (XID 86rwqs) The requested provider “zml.cgi” is not valid.
[2023-07-18 07:54:52 -0400] info [webmaild] 34.223.64.89 - 4VUhray3wq "POST /login/ HTTP/1.1" FAILED LOGIN webmaild: invalid user name specified
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: How to block all IPs from specific domain?

Post by Sergio »

@rolinger,
the provided log lines can't help to block the IP at the first attempt, they are shown only when the IP has been blocked after (in your case) 5 failures.
So,
in your CSF go to to "Search System Logs" and select /var/log/messages and do a search for the IP 34.223.64.89 and give me some lines that will be shown in there, thanks.

Sergio
rolinger
Junior Member
Posts: 13
Joined: 14 Feb 2017, 04:15

Re: How to block all IPs from specific domain?

Post by rolinger »

@Sergio - here is another IP from the same domain that has been blocked. There are hundreds of similar lines, so I copied all the ones that were different from each other. On another note, I don't understand why this is so challenging to do on CSF. On other FWs, you can simply put in a rule that essentially says "deny src="*.amazonaws.com" - if the IP comes from the FQDN amazonaws.com - then block it. :

Jul 23 06:34:16 70 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=fa:16:3e:8d:ed:a9:28:99:3a:09:78:00:08:00 SRC=44.242.181.248 DST=yy.xxx.220.70 LEN=48 TOS=0x00 PREC=0x00 TTL=154 ID=7806 PROTO=TCP SPT=63000 DPT=60000 WINDOW=512 RES=0x00 SYN URGP=0

Jul 23 06:35:48 70 pure-ftpd: (?@44.242.181.248) [INFO] New connection from 44.242.181.248
Jul 23 06:35:49 70 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=fa:16:3e:8d:ed:a9:28:99:3a:09:78:00:08:00 SRC=44.242.181.248 DST=yy.xxx.220.70 LEN=60 TOS=0x00 PREC=0x00 TTL=106 ID=40363 DF PROTO=TCP SPT=48050 DPT=32771 WINDOW=65535 RES=0x00 SYN URGP=0

Jul 23 06:36:46 70 pure-ftpd: (?@44.242.181.248) [INFO] Logout.
Jul 23 06:36:46 70 pure-ftpd: (?@44.242.181.248) [INFO] New connection from 44.242.181.248
Jul 23 06:36:46 70 pure-ftpd: (?@44.242.181.248) [INFO] Logout.
Jul 23 06:36:46 70 pure-ftpd: (?@44.242.181.248) [INFO] New connection from 44.242.181.248
Jul 23 06:36:46 70 pure-ftpd: (?@44.242.181.248) [INFO] Logout.
Jul 23 06:36:47 70 pure-ftpd: (?@44.242.181.248) [INFO] New connection from 44.242.181.248
Jul 23 06:36:47 70 pure-ftpd: (?@44.242.181.248) [INFO] Logout.
Jul 23 06:36:47 70 pure-ftpd: (?@44.242.181.248) [INFO] New connection from 44.242.181.248
Jul 23 06:36:47 70 pure-ftpd: (?@44.242.181.248) [INFO] Logout.
Jul 23 06:36:47 70 pure-ftpd: (?@44.242.181.248) [INFO] New connection from 44.242.181.248
Jul 23 06:36:49 70 kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=fa:16:3e:8d:ed:a9:28:99:3a:09:78:00:08:00 SRC=44.242.181.248 DST=yy.xxx.220.70 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=36285 DF PROTO=UDP SPT=29325 DPT=523 LEN=28

Jul 23 06:57:25 70 pure-ftpd: (?@44.242.181.248) [INFO] New connection from 44.242.181.248
Jul 23 06:57:25 70 pure-ftpd: (?@44.242.181.248) [INFO] SNI: [yy.xxx.167.72.host.secureserver.net]
Jul 23 06:57:25 70 pure-ftpd: (?@44.242.181.248) [WARNING] Sorry, cleartext sessions and weak ciphers are not accepted on this server.#012Please reconnect using TLS security mechanisms.

Jul 23 07:01:08 70 pdns_server: AXFR-out zone 'net', client '44.242.181.248', transfer initiated
Jul 23 07:01:08 70 pdns_server: AXFR-out zone 'net', client '44.242.181.248', failed: client may not request AXFR
Jul 23 07:01:08 70 pdns_server: AXFR-out zone 'secureserver.net', client '44.242.181.248', transfer initiated
Jul 23 07:01:08 70 pdns_server: AXFR-out zone 'secureserver.net', client '44.242.181.248', failed: client may not request AXFR
Jul 23 07:01:09 70 pdns_server: AXFR-out zone 'host.secureserver.net', client '44.242.181.248', transfer initiated
Jul 23 07:01:09 70 pdns_server: AXFR-out zone 'host.secureserver.net', client '44.242.181.248', failed: client may not request AXFR
Jul 23 07:01:09 70 pdns_server: AXFR-out zone '72.host.secureserver.net', client '44.242.181.248', transfer initiated
Jul 23 07:01:09 70 pdns_server: AXFR-out zone '72.host.secureserver.net', client '44.242.181.248', failed: client may not request AXFR
Jul 23 07:01:09 70 pdns_server: AXFR-out zone '167.72.host.secureserver.net', client '44.242.181.248', transfer initiated
Jul 23 07:01:09 70 pdns_server: AXFR-out zone '167.72.host.secureserver.net', client '44.242.181.248', failed: client may not request AXFR
Jul 23 07:01:09 70 pdns_server: AXFR-out zone xxx.167.72.host.secureserver.net', client '44.242.181.248', transfer initiated
Jul 23 07:01:09 70 pdns_server: AXFR-out zone 'xxx.167.72.host.secureserver.net', client '44.242.181.248', failed: client may not request AXFR
Jul 23 07:01:09 70 pdns_server: AXFR-out zone 'yy.xxx.167.72.host.secureserver.net', client '44.242.181.248', transfer initiated
Jul 23 07:01:09 70 pdns_server: AXFR-out zone 'yy.xxx.167.72.host.secureserver.net', client '44.242.181.248', failed: client may not request AXFR
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: How to block all IPs from specific domain?

Post by Sergio »

rolinger wrote: 23 Jul 2023, 14:57 @Sergio - here is another IP from the same domain that has been blocked. There are hundreds of similar lines, so I copied all the ones that were different from each other. On another note, I don't understand why this is so challenging to do on CSF. On other FWs, you can simply put in a rule that essentially says "deny src="*.amazonaws.com" - if the IP comes from the FQDN amazonaws.com - then block it.
This is because CSF is an IP FireWall, it means it only blocks IPs.

In order to block name server domains you can create your own rule where you can add server names and add the rule should be added in /usr/local/csf/bin/ inside the file regex.custom.pm.

Inside that file you will read some basic instructions on how to use it.

That is why I needed a log line that could be used to create a rule, but the info that you posted can't help me to do that.

If you don't want to block any connections from ".amazonaws.com" I will like to have a log line where the domain is listed.
It is useful to know from what log you got the info as it has to be add on the rule that is created.

Sergio
Post Reply