
A while ago I put some time into researching which countries / regions these IP blocks are assigned to. I'm assuming that these haven't changed much, but I'm not positive. I would assume that these wouldn't get reassigned too often. These commands are for my PIX. I'm not familiar with the ASA. The object-group is really convenient for grouping IPs that you want to treat as one.

Here we set up the object groups.

object-group network APNIC
description Asia-Pacific allocation
network-object 61.0.0.0 255.0.0.0
network-object 165.133.0.0 255.255.0.0
network-object 202.0.0.0 255.0.0.0
network-object 203.0.0.0 255.0.0.0
network-object 210.0.0.0 255.0.0.0
network-object 211.0.0.0 255.0.0.0
network-object 218.0.0.0 255.0.0.0
network-object 219.0.0.0 255.0.0.0
network-object 220.0.0.0 255.0.0.0
network-object 221.0.0.0 255.0.0.0
network-object 222.0.0.0 255.0.0.0
network-object 223.0.0.0 255.0.0.0
network-object 58.0.0.0 255.0.0.0
network-object 59.0.0.0 255.0.0.0
network-object 60.0.0.0 255.0.0.0

object-group network RIPE
description Europe
network-object 212.0.0.0 255.0.0.0
network-object 213.0.0.0 255.0.0.0
network-object 217.0.0.0 255.0.0.0
network-object 62.0.0.0 255.0.0.0
network-object 81.0.0.0 255.0.0.0

object-group network LACNIC
description Latin America and Caribbean
network-object 200.0.0.0 255.0.0.0

object-group network ARIN
network-object 64.141.0.0 255.255.128.0
network-object 204.209.208.0 255.255.248.0

object-group network SANSBLOCK
description SANS Recommended block list
network-object 69.50.160.0 255.255.224.0
network-object 85.255.112.0 255.255.240.0

Here we put the object-groups to use by denying them. You can see that for most of these I block everything except smtp. We don't host anything onsite that anyone outside the US needs access to, but we'd still like to receive their email. APNIC is a different story: I have no reason for any connections from there, including smtp. Blocking smtp connections from APNIC drastically reduces spam.

access-list incoming deny ip object-group SANSBLOCK any
access-list incoming deny tcp object-group ARIN any neq smtp
access-list incoming remark -BR: Block LACNIC all but smtp
access-list incoming deny tcp object-group LACNIC any neq smtp
access-list incoming remark -BR: Block RIPE all but smtp
access-list incoming deny tcp object-group RIPE any neq smtp
access-list incoming remark -BR: Block APNIC
access-list incoming deny ip object-group APNIC any

These are good to block too. When I first blocked the private address spaces
from inbound traffic I figured I would not see any hits on these rules. I was
wrong as I'll show you later on.

access-list incoming remark -BR: Private address space may not appear as source addresses
access-list incoming deny ip 172.16.0.0 255.240.0.0 any
access-list incoming deny ip 10.0.0.0 255.0.0.0 any
access-list incoming deny ip 192.168.0.0 255.255.0.0 any

And of course, unless you have a reason for accepting inbound snmp
requests, it's better to block it.

access-list incoming remark -BR: No SNMP
access-list incoming deny udp any any eq snmp

And the fun part: look at some of the hit counts on these rules. The hit counts that follow are only for 41 days' worth of traffic. Remember for LACNIC and RIPE we're blocking everything EXCEPT smtp. We offer no services that anyone would need to connect to other than smtp. Then why all the failed connections? Exactly, the internet is a very bad place. (The following rules are the same as the ones above, only in a different view to show hit counts. Don't re-enter these.)

LACNIC
access-list incoming line 17 deny tcp 200.0.0.0 255.0.0.0 any neq smtp (hitcnt=499)
RIPE
access-list incoming line 19 deny tcp 212.0.0.0 255.0.0.0 any neq smtp (hitcnt=784)
access-list incoming line 19 deny tcp 213.0.0.0 255.0.0.0 any neq smtp (hitcnt=1115)
access-list incoming line 19 deny tcp 217.0.0.0 255.0.0.0 any neq smtp (hitcnt=770)
access-list incoming line 19 deny tcp 62.0.0.0 255.0.0.0 any neq smtp (hitcnt=391)
access-list incoming line 19 deny tcp 81.0.0.0 255.0.0.0 any neq smtp (hitcnt=458)

And as far as APNIC goes, we're not accepting any connections. Look at the
hit counts!

APNIC
access-list incoming line 21 deny ip 61.0.0.0 255.0.0.0 any (hitcnt=39459)
access-list incoming line 21 deny ip 165.133.0.0 255.255.0.0 any (hitcnt=0)
access-list incoming line 21 deny ip 202.0.0.0 255.0.0.0 any (hitcnt=36346)
access-list incoming line 21 deny ip 203.0.0.0 255.0.0.0 any (hitcnt=29488)
access-list incoming line 21 deny ip 210.0.0.0 255.0.0.0 any (hitcnt=19703)
access-list incoming line 21 deny ip 211.0.0.0 255.0.0.0 any (hitcnt=30886)
access-list incoming line 21 deny ip 218.0.0.0 255.0.0.0 any (hitcnt=42285)
access-list incoming line 21 deny ip 219.0.0.0 255.0.0.0 any (hitcnt=19564)
access-list incoming line 21 deny ip 220.0.0.0 255.0.0.0 any (hitcnt=24886)
access-list incoming line 21 deny ip 221.0.0.0 255.0.0.0 any (hitcnt=30955)
access-list incoming line 21 deny ip 222.0.0.0 255.0.0.0 any (hitcnt=66319)
access-list incoming line 21 deny ip 223.0.0.0 255.0.0.0 any (hitcnt=0)
access-list incoming line 21 deny ip 58.0.0.0 255.0.0.0 any (hitcnt=95526)
access-list incoming line 21 deny ip 59.0.0.0 255.0.0.0 any (hitcnt=58371)
access-list incoming line 21 deny ip 60.0.0.0 255.0.0.0 any (hitcnt=27172)

Here are the hit counts for the private address spaces. Not too shabby.

access-list incoming line 23 deny ip 172.16.0.0 255.240.0.0 any (hitcnt=110)
access-list incoming line 24 deny ip 10.0.0.0 255.0.0.0 any (hitcnt=728)
access-list incoming line 25 deny ip 192.168.0.0 255.255.0.0 any (hitcnt=113)

And snmp connections.

access-list incoming line 27 deny udp any any eq snmp (hitcnt=12)
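Reading hit counts by eye works for one PIX; reviewing them regularly is easier with a small script. The following Python is an added example (not from the post, and not a Cisco feature): it parses the hit-count lines quoted above, sums them per ACL line number (the PIX expands an object-group into one entry per member, all under the same line number, which is why every APNIC entry is "line 21"), lists the members that have never matched, and ranks the busiest entries. Zero-hit members are the ones to re-check against current allocation data, which is exactly the doubt the post opens with. The input format is assumed to be exactly what the post shows.

```python
import re
from collections import defaultdict

# Hit-count output quoted from the post, embedded here as the example's input.
SHOW_ACL = """
access-list incoming line 17 deny tcp 200.0.0.0 255.0.0.0 any neq smtp (hitcnt=499)
access-list incoming line 19 deny tcp 212.0.0.0 255.0.0.0 any neq smtp (hitcnt=784)
access-list incoming line 19 deny tcp 213.0.0.0 255.0.0.0 any neq smtp (hitcnt=1115)
access-list incoming line 19 deny tcp 217.0.0.0 255.0.0.0 any neq smtp (hitcnt=770)
access-list incoming line 19 deny tcp 62.0.0.0 255.0.0.0 any neq smtp (hitcnt=391)
access-list incoming line 19 deny tcp 81.0.0.0 255.0.0.0 any neq smtp (hitcnt=458)
access-list incoming line 21 deny ip 61.0.0.0 255.0.0.0 any (hitcnt=39459)
access-list incoming line 21 deny ip 165.133.0.0 255.255.0.0 any (hitcnt=0)
access-list incoming line 21 deny ip 202.0.0.0 255.0.0.0 any (hitcnt=36346)
access-list incoming line 21 deny ip 203.0.0.0 255.0.0.0 any (hitcnt=29488)
access-list incoming line 21 deny ip 210.0.0.0 255.0.0.0 any (hitcnt=19703)
access-list incoming line 21 deny ip 211.0.0.0 255.0.0.0 any (hitcnt=30886)
access-list incoming line 21 deny ip 218.0.0.0 255.0.0.0 any (hitcnt=42285)
access-list incoming line 21 deny ip 219.0.0.0 255.0.0.0 any (hitcnt=19564)
access-list incoming line 21 deny ip 220.0.0.0 255.0.0.0 any (hitcnt=24886)
access-list incoming line 21 deny ip 221.0.0.0 255.0.0.0 any (hitcnt=30955)
access-list incoming line 21 deny ip 222.0.0.0 255.0.0.0 any (hitcnt=66319)
access-list incoming line 21 deny ip 223.0.0.0 255.0.0.0 any (hitcnt=0)
access-list incoming line 21 deny ip 58.0.0.0 255.0.0.0 any (hitcnt=95526)
access-list incoming line 21 deny ip 59.0.0.0 255.0.0.0 any (hitcnt=58371)
access-list incoming line 21 deny ip 60.0.0.0 255.0.0.0 any (hitcnt=27172)
access-list incoming line 23 deny ip 172.16.0.0 255.240.0.0 any (hitcnt=110)
access-list incoming line 24 deny ip 10.0.0.0 255.0.0.0 any (hitcnt=728)
access-list incoming line 25 deny ip 192.168.0.0 255.255.0.0 any (hitcnt=113)
access-list incoming line 27 deny udp any any eq snmp (hitcnt=12)
"""

# One expanded ACL entry per line: name, line number, action, protocol,
# the match fields, and the hit counter in parentheses.
HIT_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<action>deny|permit) "
    r"(?P<proto>\S+) (?P<match>.+?) \(hitcnt=(?P<hits>\d+)\)$"
)


def parse_hits(text):
    """Parse hit-count lines into dicts; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HIT_RE.match(raw.strip())
        if m:
            e = m.groupdict()
            e["line"] = int(e["line"])
            e["hits"] = int(e["hits"])
            entries.append(e)
    return entries


def hits_per_line(entries):
    """Total hits per ACL line; an object-group's members share one line number."""
    totals = defaultdict(int)
    for e in entries:
        totals[e["line"]] += e["hits"]
    return dict(totals)


def zero_hit_entries(entries):
    """Members that never matched; candidates for re-checking the allocation."""
    return [e["match"] for e in entries if e["hits"] == 0]


def top_entries(entries, n=3):
    """The n busiest entries as (match, hits), highest first."""
    ranked = sorted(entries, key=lambda e: e["hits"], reverse=True)
    return [(e["match"], e["hits"]) for e in ranked[:n]]


ENTRIES = parse_hits(SHOW_ACL)

if __name__ == "__main__":
    for line, total in sorted(hits_per_line(ENTRIES).items()):
        print(f"line {line}: {total} hits")
    print("never matched:", zero_hit_entries(ENTRIES))
    print("busiest:", top_entries(ENTRIES))
```

Summing per line number is what makes the comparison the post draws (APNIC versus the "all but smtp" groups) visible at a glance, and the zero-hit list surfaces the two APNIC members that contributed nothing in 41 days.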
