Blocking IPs or even countries on Windows systems using IPSec
First get the IPSec command line tool installed. It comes with XP's SP2, so if you haven't done it yet, install SP2. If you're on a server version of Windows this is trickier: you first install IPSec on an XP machine, then you run the command from XP's "Program Files/Support" folder.
So, to block a single IP, type this in the command prompt:
ipseccmd -f [IP.YOU.WANT.BLOCK/255.254.0.0=*]
This will block the whole B class range around the IP you specify in the command (that is what the 255.254.0.0 mask selects), not just that one address.
To see if your blocking attempt was a success, type:
ipseccmd show filters
If you see the IP you typed in the previous command, you’re good.
Now let's block a whole country. First obtain a list of the country's IP ranges. The easiest way is probably still blockacountry.com: generate the .htaccess, then strip the unwanted words with a text editor's batch replace. Then create a .bat file and, for every range you got from the site above, write on a separate line:
ipseccmd -f [IP.YOU.WANT.BLOCK/255.254.0.0=*]
On a side note, blockacountry.com provides the ranges in CIDR format. Since IPSec is a Microsoft application and, because of this, a bit dumb, you have to convert the ranges from CIDR notation to an address plus a subnet mask.
Here's an example:
127.0.0.1/15 becomes 127.0.0.1/255.254.0.0
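The conversion above is the tedious part of building the .bat file by hand, so here is a small script that does it for a whole list. This is an added example, not code from the original post or from blockacountry.com: it takes CIDR ranges (the sample list below is constructed from documentation and private ranges, not a real country's allocations), turns each prefix length into the equivalent dotted mask, and emits one ipseccmd line per range in exactly the form the post uses, keeping the address as written just like the 127.0.0.1/15 example.

```python
import ipaddress

# Constructed sample input in the CIDR form a site such as blockacountry.com lists.
# These are documentation/private ranges, not a real country's allocations.
SAMPLE_CIDRS = ["127.0.0.1/15", "203.0.113.0/24", "10.0.0.0/8"]


def prefix_to_mask(prefix: int) -> str:
    """Convert a prefix length (0-32) to a dotted-decimal mask, e.g. 15 -> 255.254.0.0."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"invalid IPv4 prefix length: {prefix}")
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def cidr_to_ipseccmd(cidr: str) -> str:
    """Rewrite 'a.b.c.d/nn' as the ipseccmd filter line used in the post.

    The address is kept exactly as given (the post keeps 127.0.0.1, not 127.0.0.0);
    only the prefix length is replaced by the equivalent subnet mask.
    """
    addr, _, prefix = cidr.partition("/")
    ipaddress.IPv4Address(addr)  # raises ValueError on a malformed address
    if not prefix.isdigit():
        raise ValueError(f"missing or malformed prefix length in {cidr!r}")
    return f"ipseccmd -f [{addr}/{prefix_to_mask(int(prefix))}=*]"


def build_batch(cidrs) -> str:
    """Return the contents of a .bat file: one ipseccmd line per range, CRLF line ends."""
    lines = ["@echo off"] + [cidr_to_ipseccmd(c) for c in cidrs]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # newline="" keeps the CRLF line endings we built, which cmd.exe expects
    with open("block.bat", "w", newline="") as fh:
        fh.write(build_batch(SAMPLE_CIDRS))
    print(build_batch(SAMPLE_CIDRS))
```

Run it with the CIDR list pasted into SAMPLE_CIDRS (or read from a file) and copy the resulting block.bat to the Windows box; afterwards `ipseccmd show filters` is still the way to confirm the ranges were taken.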
And that was all. As always, if you need help, shout.
Methods to ban whole countries on server level
September 11, 2008 by Thomas I
Filed under Server Management
I already expressed my opinion about country bans in a previous post, now let’s see some methods of how to achieve country bans.
With IPTables, using a bash script:
Remember that this works only under Linux, with IPTables set up correctly.
Instead of looking up every IP and blocking it, we ask APNIC for a country's allocated IP ranges.
The script is very simple; I won't bother writing a new one as the web is full of them. The best I found is by Sebastien Wain, a Red Hat Certified Engineer: it's clean and simple. Click here to read his post, then follow the link to the script from there. It would be unfair to link to the script directly.
When you run the script, you have to input the country code you want to block. A complete list of country codes can be found here: ISO 3166 Country Codes
The output of the script is an IPTables command for each range, which you can later use in another bash script to insert the ranges into the IPTables drop list, or, if you have enough time to spare, copy-paste each command into the command line.
Using MaxMind GeoIP or GeoLite and Server Side Code
MaxMind provides a free "Lite" version of its GeoIP database. The difference between the two databases is that the free version is less accurate, but still accurate enough to be very useful, as its accuracy is above 99%. So download the MaxMind GeoLite database from MaxMind's website and save it somewhere on your server. You should save it in the include path; it's easier for you and still safe from unauthorized access. It's a huge .dat file, so it wouldn't be fun if some hacker-kids hit it at 2000 queries per second.
Now that you have the database on your server, write a PHP (or any other server-side) script which checks the visitor's IP against the database before serving a page. APIs are available to make the developer's life easier.
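Both the APNIC method and the server-side lookup come down to the same two steps: turn a registry's "start address plus count" allocations into CIDR blocks, then either emit firewall rules for them or test a visitor's address against them before serving a page. The following is an added example and not Sebastien Wain's script, nor MaxMind's API: it parses a constructed fragment in the delegated-apnic-latest format (registry|cc|type|start|value|date|status; the country codes XX and YY and the ranges are made up), generates IPTables DROP rules, and checks an IP against the resulting blocks the way a page-serving script would. In real use you would download the current APNIC file yourself; MaxMind's database is a different, binary format and is queried through its own library.

```python
import ipaddress

# Constructed sample in the format of APNIC's delegated-apnic-latest file.
# Country codes XX/YY and the ranges are made up; they are not real allocations.
SAMPLE_DELEGATED = """\
2|apnic|20080911|4|19830101|20080910|+1000
apnic|*|ipv4|*|4|summary
apnic|XX|ipv4|203.0.113.0|256|20080101|allocated
apnic|XX|ipv4|198.51.100.0|512|20080102|assigned
apnic|YY|ipv4|192.0.2.0|768|20080103|allocated
apnic|XX|ipv6|2001:db8::|32|20080104|allocated
"""


def country_blocks(delegated_text: str, cc: str):
    """Return the IPv4 networks the file allocates to country code `cc`.

    The file gives a start address and a count; the count is not always a power of
    two, so summarize_address_range() is used to split a run into proper CIDR blocks.
    """
    blocks = []
    for line in delegated_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # skip the version/summary header lines and anything that is not IPv4 for `cc`
        if len(fields) < 5 or fields[2] != "ipv4" or fields[1].upper() != cc.upper():
            continue
        start = ipaddress.IPv4Address(fields[3])
        count = int(fields[4])
        end = start + count - 1
        blocks.extend(ipaddress.summarize_address_range(start, end))
    return blocks


def iptables_rules(blocks, chain: str = "INPUT"):
    """One DROP rule per block, in the form the bash-script method produces."""
    return [f"iptables -A {chain} -s {b.with_prefixlen} -j DROP" for b in blocks]


def is_blocked(ip: str, blocks) -> bool:
    """The check a server-side script would run before serving a page."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in b for b in blocks)


if __name__ == "__main__":
    blocks = country_blocks(SAMPLE_DELEGATED, "XX")
    print("\n".join(iptables_rules(blocks)))
    print("203.0.113.5 blocked:", is_blocked("203.0.113.5", blocks))
```

The `is_blocked` loop is fine for a few hundred blocks; for a full country list a script that runs on every page view should load the blocks once (or use a proper GeoIP library) rather than re-parse the file per request.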
With .htaccess
There's an awesome online tool which creates the .htaccess you have to place in the root of your site. The tool is called "block a country" (on a side note, quite an imaginative name) and lives at the www.blockacountry.com domain. You select from the list the ranges you want to block, then pressing "Go" generates the lines you have to place in a .htaccess.
An easier method doesn't exist: you either use that tool, or you put every IP in the .htaccess manually.
Other methods
Not really, I think. It's possible to block at router or firewall level, at least that's what I was told, but I admit I never tried.
Please always think before you block a whole country. You can lose traffic from legitimate users, and traffic is precious for every webmaster. Or at least, it should be precious…
Stop an ongoing DoS attack
August 31, 2008 by Thomas I
Filed under Security, Server Management
Many server managers say that effectively stopping a DoS attack is impossible. This is only half true.
Under a DoS siege the majority of server administrators will try to create a null route for each offending IP, IP block or even whole subnet. This is done in an effort to keep the service online for legitimate clients while denying it to the offenders. It is a very time consuming operation, and since the IPs are faked, null routing is almost always impossible.
So what other methods are available?
I can only tell you my own experience, and that is extremely simple. First, I look for the port the attackers chose. Usually, and unfortunately, this is almost always port 80, aka HTTP. If the server has become completely unusable and the number of connections is unbelievably high, then one simple step: shut down the ethernet card which handles the public network. No one will be able to use the server until you re-enable the ethernet card, so in many people's minds this is a very cruel option. But why? If no one can access the server because of the DoS attack anyway, what's bad about shutting down the ethernet card?
And why do I shut down the traffic completely? This is again my own experience: the offender thinks the mission was accomplished and simply gives up. I had only one situation where re-enabling the ethernet card after a few hours brought the offender back too, one occasion out of a few dozen. So in my humble opinion it's still better to have a few hours of silence than a few hours of stress caused by the effort of blocking the unwanted traffic.
On the other hand, if the server isn't denying service yet, you may try to null route the offenders. It's an extremely time consuming operation, and if the IPs are faked… well. You can't really null route. But if you desperately want to keep the server up and running, you may try it. Be prepared for great stress, have your coffee machine ready too, and if you smoke, a few packs of cigs nearby are also required.
Another option I heard about is a bit more interesting. But it involves DNS administration, so you should be familiar with it before starting.
Take the following situation: you have www.example.com running on the IP 192.168.0.1. When you observe that your IP is under attack and your website under the example.com domain has become slow, you move your domain name to another IP on another server. The offenders will still attack the old IP, but they cause no trouble since that IP is out of service.
This is very beautiful in theory, but in the real world it may or may not work. Usually it doesn't, since while the update to your DNS travels around the whole world, your website may already be on its knees.
What can be done to just not experience DoS attacks?
Be prepared for the attack. There will always be black hat hackers and hacker kids in suburban basements who have nothing better to do than to attack websites or whole servers, so our only option is to be prepared. Better said, the datacenters'.
DoS attacks can be recognized quite easily, and there is a listening system installed on every major internet backbone too. What they can do is recognize early that something is happening and start blocking the malicious traffic as it is born.
Choose your provider wisely. If you want a good hosting solution, go with well known web hosts like GoDaddy or MediaTemple. If you need servers, choose well known data centers like RackSpace or Softlayer. They are all prepared for DoS attacks and can help you in no time.
If you go with a server, a must-have is a good hardware (!) firewall which can distinguish the good traffic from the bad and block the unwanted. This kind of firewall, a stateful firewall, is manufactured by Cisco for example. They do a hell of a good job.
Other than that, you can only beg for mercy. Nothing else. Every system is vulnerable to these attacks at any time; it's not just you. The only difference is how long the servers can survive without being killed.
What is null routing and how to use it
August 31, 2008 by Thomas I
Filed under Security, Server Management
There are times when a server admin has to re-route some of the traffic coming from specific IPs. This is called null routing.
OK, now simpler: say 192.168.0.1 is trying to connect to your server. You know that this IP has bad intentions, so you decide to block it. Creating an IPTables deny entry is one option; null routing (adding an entry in the routing table) is another, more effective one. Why? Because while IPTables is only software, null routing happens at the server's level, thus putting less strain on the hardware.
Null routing basically means that you block the IP, but you can also re-route it. For example you can easily re-route it to the loopback address, 127.0.0.1, so when the client tries to connect to the server, the server instantly redirects the connection to the client's address. This is often called blackhole routing.
Null routing is the preferred option when a server is under DoS siege.
How to create a null route.
In my examples the offender's IP address is 192.168.0.1, the mask is 255.255.255.0 and the new route is 127.0.0.1. Obviously, you replace these values with the offender's IP and the preferred route.
On Linux, you log in as root and type:
route add 192.168.0.1 gw 127.0.0.1 lo
On Windows based systems it seems re-routing is not really possible. You can specify a gateway to route a specific connection through, but my experience is that it just doesn't work the way I would like it to, even though Microsoft Support tells me the contrary.
Anyway, the shell command you should use for re-routing on Windows based systems is the following:
route add 192.168.0.1 MASK 255.255.255.0 127.0.0.1
The problem is that for me this created a loop, but on the wrong side: my side.
How do you recognize a DoS attack
August 31, 2008 by Thomas I
Filed under Security, Server Management
Early recognition of a DoS attack is essential. This post will help you learn how to recognize a DoS attack so you can take the necessary steps.
In my previous post I talked about DoS attacks in general (see the end of this post for the link), and if you've read it, you know how they work. If you didn't read it, do so now, then return here.
When a website is under DoS siege, the most prominent effect is that the website becomes slower and slower as time passes and the number of incoming connections increases, to the point where the webserver either resets (in my humble opinion the best thing) or refuses to serve.
In one of my previous posts I mentioned that a webserver, for example Apache, can handle only a limited number of connections. This number depends solely on the architecture of the webserver's core, the amount of available hardware resources and how the server manager configured the webserver. This only applies to standalone servers, not balanced ones or mainframes. How long it takes for the server to become unusable depends solely on the above factors. For example a server with a high amount of RAM could handle a very large number of connections, if the configuration of the software allows it.
So, the first eye-catching effect of a DoS attack is the enormous number of unexpected connections.
Webservers are designed so that when a connection is opened, it isn't closed for quite a long time, usually 250-300 seconds. So when a DoS client connects to a server, it's not disconnected for the TTL time. Imagine thousands of connections waiting to close.
As per the above paragraph, the second prominent thing which happens to a webserver is that there are a lot of unclosed, waiting connections.
The web server allocates an amount of hardware resources for each incoming connection. Under a DoS siege the number of connections is enormously high, thus a lot of hardware resources are consumed. First the RAM will not be enough; when the RAM is filled up the server will try to use the hard disk, causing the server to "swap", and as there is not enough RAM the CPU won't be able to handle a thing either. The server is on its knees.
So, the last thing you should observe is that the server load is too high. I say this is the last thing to look for because if only this applies to your situation, it's most likely you are not under a DoS siege, but either a misconfiguration happened at the server's level, or a badly written, low quality script is using up the resources.
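The three signs above (an unexpected number of connections, many of them half-open or waiting, and only then high load) can be checked from a `netstat -tan` listing. What follows is an added example, not code from the original post: it parses a constructed netstat sample (addresses from the documentation ranges, not a real capture), counts connections per state, per remote IP and per local port, and flags the totals against thresholds you tune for your own server. The defaults are assumptions for a mid-sized standalone web server; the last paragraph's point still holds, high load on its own with none of these flags raised points at a configuration or script problem rather than an attack.

```python
from collections import Counter

# Constructed sample of `netstat -tan` output on Linux; not a capture from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.5:51234       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.6:51235       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:51236       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.8:51237       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51238       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.20:40001     ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.21:40002     ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.30:55000     ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.22:40003     TIME_WAIT
"""


def parse_netstat(text: str):
    """Return (local_port, remote_ip, state) for every non-listening TCP line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # skip headers, non-TCP lines and the listening sockets themselves
        if len(parts) < 6 or not parts[0].startswith("tcp") or parts[5] == "LISTEN":
            continue
        local_port = parts[3].rsplit(":", 1)[1]
        remote_ip = parts[4].rsplit(":", 1)[0]
        rows.append((local_port, remote_ip, parts[5]))
    return rows


def assess(rows, max_conns: int = 1000, max_half_open: int = 200, max_per_ip: int = 50):
    """Summarize the connection table and flag the DoS signs described in the post.

    The thresholds are assumed starting points; tune them to the server's normal traffic.
    """
    by_state = Counter(state for _, _, state in rows)
    by_remote = Counter(ip for _, ip, _ in rows)
    by_port = Counter(port for port, _, _ in rows)
    half_open = by_state["SYN_RECV"]  # handshake never completed: typical of spoofed floods

    flags = []
    if len(rows) > max_conns:
        flags.append(f"{len(rows)} connections (limit {max_conns})")
    if half_open > max_half_open:
        flags.append(f"{half_open} half-open SYN_RECV connections (limit {max_half_open})")
    for ip, n in by_remote.most_common():
        if n > max_per_ip:
            flags.append(f"{ip} holds {n} connections (limit {max_per_ip})")

    return {
        "total": len(rows),
        "half_open": half_open,
        "busiest_port": by_port.most_common(1)[0][0] if rows else None,
        "top_remote": by_remote.most_common(3),
        "flags": flags,
    }


if __name__ == "__main__":
    # On a live box: rows = parse_netstat(subprocess.run(["netstat", "-tan"], ...).stdout)
    report = assess(parse_netstat(SAMPLE_NETSTAT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it a few times a minute during an incident: the "busiest_port" entry tells you which port the attackers chose (the post above notes it is almost always 80), and "top_remote" shows whether a handful of addresses dominate, which is the case where null routing or a firewall drop still helps.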
What is a DOS attack and how to initiate it
August 30, 2008 by Thomas I
Filed under Security, Server Management
The best method to deflect an attack is to understand how the offender planned his attack, so you know what will happen next or how to stop a previous action.
This post is about the basics of a distributed DoS attack. DoS is the abbreviation of Denial of Service. I won't list everything you need, neither the software nor anything you could start a DoS attack with, but the architecture of such an attack, to help you form a picture of how DoS attacks work and thus help you avoid them.
First of all, what is a DoS attack?
DoS stands for Denial of Service. Basically, a server is bombarded with fake traffic until it refuses to serve normal traffic coming from legitimate users. DoS is a relatively new thing on the internet, and attacks can be temporary or permanent. Temporary is when it can be, let's say, fixed easily, and permanent is when it can't be fixed with a simple reboot or by shutting down the ethernet port. Permanent DoS is very severe as it rewrites a network component's firmware, so the owner of the hardware either replaces it or rewrites the firmware (usually replacing is advised).
There are many types of DoS attacks; the most common are probably the ICMP floods. ICMP is the protocol on which ping requests are handled, and as almost every server will respond to ping requests, they are vulnerable to this type of attack.
So, what happens in the background? A user with a connection superior to that of the server which will be attacked sends a high amount of ping requests to the server and keeps sending them until the server is brought down. Sounds simple? It's not. The above example is oversimplified; there is one other step involved which I didn't mention: IP faking (spoofing the source address).
So, how does ping work?
- user initiates a ping to a specified server.
- the server receives the request
- the request contains data about where the server has to reply, the initiator’s IP address. The server replies to this address
- the initiator acknowledges the answer and the connection is closed
So how is a DoS attack initiated?
The problem occurs when the pinger's IP is faked: the server tries to answer the request, but as the address is faked, it can't. One issue with this: web servers are designed so that if a connection can not be handled, the connection is kept open for a very long time. Too many open connections will bring the server to its knees in no time, mostly if there are not enough hardware resources like RAM.
Of course, modern web servers will not be brought down by only one offending client. An attack on a well designed webserver, network component or network is much harder and requires more offenders. The attack has to be synchronized very well and distributed over many attacking PCs, a few hundred or even thousands and even millions, solely depending on how advanced the attacked party is.
So how is DoS possible then?
The easiest way the hackers achieve syncing and distributing the attack is that they, let's say, hire spammers to send spam containing either links to malware which is used as a DoS client, or the message has the malware attached. When the user clicks the link or opens the attachment, the script installs itself as a service on a Windows based OS.
On a side note, it's interesting that the most expensive OS is at the same time the most vulnerable to malware and virus attacks, too.
The whole set of PCs which have this malware installed is called a botnet.
The installed malware will start to work at a specified time and date, as in MyDoom's case (Link to Wikipedia article, read it, it's very interesting), when millions of computers started a synchronized distributed attack against several websites. This is called DDoS, the abbreviation for Distributed Denial of Service. It's incredibly effective against lower end web servers and can take offline even high-end architectures like Google's search back-end network.
Next article is about how to recognize DoS attacks.
If something is not clear, feel free to ask.
Ban IP on server level after a number of unsuccessful logins
August 24, 2008 by Thomas I
Filed under Linux, Server Management
This is a widely used function amongst server managers. Depending on your system configuration, the server will ban the offender's IP, either putting it in the firewall's deny list or, on Linux servers with IPTables installed, putting the IP in the drop list.
To achieve this feature, the easiest way is to install a software firewall. My recommendation is CSF, ConfigServer Security & Firewall, developed and maintained by Way To The Web Limited. It's an extremely efficient piece of software, and integrated into WHM it's very easy to manage; even a beginner can handle almost everything.
So, if configured correctly, CSF has a, say, extension: LFD, or Login Failure Daemon.
This is what we're looking for at the moment. You can configure which ports it watches, so if the offender tries SSH, POP3, FTP or even HTTP authentication, it gets banned after a few tries.
You can also put IPs on its ignore list. This is a very useful feature if you don't want to get yourself banned.
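To show what LFD is doing under the hood (count failures per IP inside a time window, honour an ignore list, then hand the offenders to the firewall), here is an added example that is not CSF/LFD code and not from the original post: it scans sshd lines in the standard syslog auth.log format (the sample below is constructed; the hosts and addresses are made up) and returns the IPs that reached the failure threshold within the window, skipping anything on the ignore list. The threshold and window values are assumptions, chosen to resemble typical defaults rather than copied from CSF's configuration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt in syslog/sshd format; addresses are documentation ranges.
SAMPLE_AUTH_LOG = """\
Aug 24 10:01:02 web1 sshd[2001]: Failed password for root from 203.0.113.9 port 51111 ssh2
Aug 24 10:01:05 web1 sshd[2002]: Failed password for root from 203.0.113.9 port 51112 ssh2
Aug 24 10:01:09 web1 sshd[2003]: Failed password for invalid user admin from 203.0.113.9 port 51113 ssh2
Aug 24 10:01:12 web1 sshd[2004]: Failed password for invalid user test from 203.0.113.9 port 51114 ssh2
Aug 24 10:01:15 web1 sshd[2005]: Failed password for invalid user oracle from 203.0.113.9 port 51115 ssh2
Aug 24 10:03:40 web1 sshd[2010]: Failed password for thomas from 198.51.100.7 port 40000 ssh2
Aug 24 10:03:55 web1 sshd[2011]: Accepted password for thomas from 198.51.100.7 port 40000 ssh2
Aug 24 10:20:00 web1 sshd[2020]: Failed password for root from 192.0.2.44 port 33333 ssh2
Aug 24 11:30:00 web1 sshd[2021]: Failed password for root from 192.0.2.44 port 33334 ssh2
Aug 24 12:40:00 web1 sshd[2022]: Failed password for root from 192.0.2.44 port 33335 ssh2
Aug 24 13:50:00 web1 sshd[2023]: Failed password for root from 192.0.2.44 port 33336 ssh2
Aug 24 15:00:00 web1 sshd[2024]: Failed password for root from 192.0.2.44 port 33337 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def _parse_ts(ts: str) -> datetime:
    """Syslog timestamps carry no year; only differences between them are used here."""
    month, day, clock = ts.split()
    return datetime.strptime(f"{month} {int(day):02d} {clock}", "%b %d %H:%M:%S")


def parse_failures(log_text: str):
    """Map each source IP to the timestamps of its failed password attempts."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m.group("ip")].append(_parse_ts(m.group("ts")))
    return failures


def ips_to_ban(log_text: str, max_failures: int = 5, window_seconds: int = 600, ignore=()):
    """IPs with `max_failures` failures inside any `window_seconds` span, minus the ignore list."""
    banned = []
    for ip, times in parse_failures(log_text).items():
        if ip in ignore:  # the equivalent of LFD's ignore list: never lock yourself out
            continue
        times.sort()
        for i in range(len(times) - max_failures + 1):
            if (times[i + max_failures - 1] - times[i]).total_seconds() <= window_seconds:
                banned.append(ip)
                break
    return sorted(banned)


def ban_commands(ips):
    """Firewall drop rules for the offenders; with CSF installed, `csf -d <ip>` does the same."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    offenders = ips_to_ban(SAMPLE_AUTH_LOG, ignore={"198.51.100.7"})
    print("\n".join(ban_commands(offenders)))
```

The window matters: in the sample, 192.0.2.44 also fails five times, but spread over five hours, so with a ten-minute window it is left alone; widen the window and it gets banned too. Whatever tool you use, put your own management addresses on the ignore list first.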
Country bans: Good or not?
August 19, 2008 by Thomas I
Filed under Server Management
During my daily routine, when I check all the sites I have to, the Google Webmaster Group and other forums I visit, I noticed a, well… let's say trend: more and more webmasters think it's a good idea to ban whole countries from their websites and servers. So is this wise, or just the result of a momentary panic?
Let's first see why one would do it. The most convenient explanation would be that you get attacks, be it SPAM or DoS, from a specific country, and to stop it you just ban the whole country. Let's say you have a basic server running Apache. Banning a country is quite easy: you supply a feed with the IPs you want to ban and you're done. Even with IPTables it would be easy enough to ban a country, say half an hour at most, searching included.
Let's take a small number of aggressive clients, say 1,000 clients competing for connections to the servers/website, and you decide to ban a whole country. The most offensive country at the moment of this post is China. China has approximately 1/6 of the world's population. Basically, if you ban 1 billion people from accessing your site just because of those 1,000 who are attacking it, well… it's a pity. You can only lose, mostly visitors coming from search engines. You will have your webserver standing steadily, but you lost revenue, as visitors equal revenue. And as a general rule of thumb, the aggressive clients WILL give up after a moment: switch off the server, shut down the ports they are using for an hour, something, anything, but ban a whole country?!
The second case: you ban countries just because you don't offer anything for those countries. Or you think you don't.
This was very painful for me to learn, but for some reason big corporations' webmasters do it often, and it's so frustrating. I test a lot of IT equipment, usually stuff which hasn't appeared yet in my country; I try to visit the manufacturer's website to download a driver and I can not, because the IP I have, and the whole country has, is banned from the server I want to access! How foolish…
A recent case is one of my tests with an eMachines notebook. I knew the firm is owned by Acer, yet Acer has no drivers for eMachines equipment. I check the website, emachines.com, and miracle: I can't access it, it times out. This is a common case when your IP is banned at server level, since the server won't serve you anything: no 403 message, no nothing, not even a single ICMP packet. So I tried to access the website through a server located in a different country, still in Europe. No luck. After a few more tries with EU servers, I tried a US server located in Dallas. And what a joy: I could access the above link. Later I tried with a Canadian server and I could access the website. In total, I tested it with 46 servers which are under my management, and ONLY the US and Canadian servers could fetch the site.
Yet eMachines started to export notebooks to my country, and since they are cheap, people buy them like sugar, but their only option is the provided driver CD/DVD… which is no good for XP.
So if you need an XP driver for something, you either code it yourself (I know), or you switch to Vista, as the drivers provided on that media are good only for that OS.
So, what do you think, is it good to ban a whole country or not?
Restrict access to directory or domain by IP, using .htaccess
I won't blah too much on this subject.
Basically, you can restrict or allow who can connect to your site, or who can access specific directories, using .htaccess.
Here's the code to block one specific IP. I use 192.168.0.1 as the blocked IP; replace it with the IP you want to deny.
order allow,deny
deny from 192.168.0.1
allow from all
That's it. Placed in the root of your site, the user with the IP 192.168.0.1 will not be able to access your site at all. If you place it in a specific subdirectory of your site, the user won't be able to access that subdirectory. If you want to put more IPs in your deny list, just add one more deny line for each IP.
To block by domain, replace the IP with a domain. For example:
order allow,deny
deny from .comcast.net
deny from .google.com
allow from all
If you look closely, you will notice that I put a dot in front of the domains. It has only one meaning: with a dot in front of the domain, all its sub-domains are blocked as well. For example, in the second deny rule I said to deny everybody from google.com, including www.google.com, googlebot.google.com, finance.google.com, you get it.
And as always, we saved the world again.
Be Google’s friend: Make your URLs canonical with .htaccess
July 18, 2008 by Thomas I
Filed under .htaccess, Apache, Server Management
This subject is… is… well.
Every second site on the net has at least one article about this subject. But to be honest, in a way it's good to have so many articles about it. At least people recognize they should use it. Or not.
So, what's the fuss around URL canonicalization? One thing only: the search engines and their hatred of duplicated content. If your website is accessible both on www.example.com and the plain example.com, the search engines will index both, they think you duplicated your content to get more positions in the search results, so they penalize your domain. Weird. They should know it's the same website, or at least the coders should teach them that www is the same as non-www. Or at least on well-configured servers.
So here Apache pops in and throws a solution at the issue: the mod_rewrite engine, again. You need mod_rewrite bundled into Apache and working correctly.
As always, here's the code for those who just want to copy&paste, and then the explanation for all the lines.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]
That's it. Placed in a .htaccess file, it redirects with code [301: Moved Permanently] all requests sent to www.example.com to example.com. (In a .htaccess file the matched path has no leading slash, so the rule pattern is ^(.*)$ rather than ^/(.*).) Now let's explain it line by line:
- We switch On the mod_rewrite module, thus telling Apache we want to work with it.
- If the hostname starts with "www.example.com" (case-insensitively, because of [NC]), apply the rule; so this is a condition.
- The last line is the rule applied when the condition matches the HTTP request. In our case, do a 301 redirect to the non-www version of the site, and [L] stops processing further rules.
That was all. Search engines are now happy, World saved again.
As always, if something is unclear, drop a comment and I'll answer as soon as possible.