Why port scanning? uh... one of the most popular reconnaissance techniques attackers use to discover services they can break into, and all that hacker stuff.
Who is conducting it? who knows, possibly a script kiddie, or even the PLA (People's Liberation Army) cyberwarfare division :)
You're not alone, i.e. take a look at the posts on this page:
Just be sure you have shields up with a good and updated firewall and, if possible, use the firewall blocking options to block traffic coming from those IPs.
If you have an out-dated O/S, or have crap open to the world - perhaps. Otherwise, why care. They aren't getting in to your computer, so why are you wasting time worrying about it?
If you search in Google, you'll find millions of posts about port scans since the 1990s. What's new?
Depends - some are looking for open proxy servers, while some are looking for systems to convert into zombies that they can use to conduct port scans or run spam or virus/trojan servers.
or the schools where they are training them. So? What are you going to do if you find out who they are - call the police? Wag your finger at them and say "BAD Boy" or "BAD Girl"? Oh, that will make them stop.
Fix your toy computer so that it's not running unneeded services. For a home user, that usually means NO network services. Your computer has a tool to show what services are open/running. Use it, and find out what is running. If nothing is open, no one is getting in - a firewall isn't needed when there is no door to open.
If you're worried about blocking systems in China, you've got your work cut out for you. As of two weeks ago, China had 3879 networks containing 330342508 IPv4 addresses, ranging from 1.0.1.1 to
223.255.253.254 - and that's ignoring Taiwan, Hong Kong, and Macau. But then, there are 3114348564 _other_ IP addresses in 113381 _other_ networks in 230 _other_ countries in the world - shouldn't you be blocking them as well? Hmmm, maybe a better idea is to allow those you want to, and ignore/block those not allowed.
Which? Numbers of Chinese networks and hosts? APNIC, ARIN and RIPE statistics files, published nightly. I only bother grabbing a copy monthly on the 15th. Other countries? There is AfriNIC and LACNIC as well as the first three. If you need them, you'd be looking for "RIR Statistics" files where RIR means Regional Internet Registry. I haven't seen the data offered by the RIRs as a web page, but they're on the five RIR FTP servers. Examples of the source filenames would be
First field is the name of the RIR, second field is country (know your ISO3166 country codes?), third field is data type (here, IPv4), fourth is the network address, fifth is size, sixth is date assigned/allocated, and last field is whether the block is assigned to a "final user" or allocated for further sub-assignment or sub-allocation, often by a national or local internet registry. The IPv6 data is even more useless because the smallest data block refers to a /64 which is 2^64 or 18446744073709551616 addresses. IPv6 lines look like
fields as above except the size field is the mask width - the "35" means a mask of ffff:ffff:e000:0000:0000:0000:0000:0000 and that means a total of 9903520314283042199192993792 addresses in the block. Takes a little data manipulation to get these files into something usable, as there's around 182000 lines of text to parse in the five files. Oh, and the big bugaboo - the country code is where the netblock is _registered_ in, not where the individual hosts are physically located. Company I work for has corporate offices in New York state, but I'm in Arizona, and the company being multi-national has facilities in 40+ countries on seven continents. So, are we all to be considered New Yorkers? The RIRs would seem to say yes.
# China IP blocks:
# List of ip blocks allocated and assigned directly by RIRs to ISPs
# and other large companies in the country of China
# This file is based on data collected on Thu Jan 31 07:03:40 PST
which was from 03 July, 2012 (meaning data from 15 June, 2012)
]] China had 3879 networks containing 330342508
]] IPv4 addresses, ranging from 1.0.1.1 to 223.255.253.254 - and
]] that's ignoring Taiwan, Hong Kong, and Macau.
That's over FOUR YEARS NINE MONTHS OUT OF DATE. On January 31, 2008, there were 84451 allocations and assignments world-wide, totaling
2575807388 (2.58e9) IPv4 addresses. On December 31, 2011, those numbers had increased to 113278 allocations/assignments and 3402331040 (3.40e9) IPv4 addresses. On October 15, 2012 it was up to 120276 and 3471537408 (3.47e9). Things can change rather significantly in time, and data nearly five years old is not very useful.
You list 650 address ranges out of 3527 ranges they had allocated or assigned on October 15, 2012. Notice that's a different number from what they had 15 June.
Same range you were told to block back in early 2007 when you asked.
Block 0.0.0.0/0
Allow 127.0.0.1
If you've got IPv6 (most home users don't), you also want to
Block 0::/0
Allow 0::1
Quite simple, actually. Just two rules to block all 3530 IPv4 nets in China, and the 220 IPv6 ones too (never mind the 1030 nets in Hong Kong, 27 in Macau and 575 in Taiwan)! You might want to "Allow" a few other addresses, but that can be risky.
So you've removed the locks on your house to allow anyone in at any time? Do you also tape your car keys to the driver's window so anyone can use the car at any time you're not using it?
Most people don't intentionally offer services to everyone in the world. I limit access to my systems to a /22 and two /24s "outside" (a total of 1530 addresses) because I can't see any reason to allow connections from you or anyone else that I haven't approved in advance, and I really don't expect authorized users to be connecting from Kazakhstan, Kenya, Kiribati, Korea, Kuwait or Kyrgyzstan and a lot of other places either. Lest someone from those countries object, I also don't allow access from nearly all ISPs in the rest of the world. Not expected == not allowed.
Blocking access FROM the world does not mean blocking your access TO the world - subtle difference, no?
Most people ignore the existence of the Linux Documentation Project, much less the 453 "HOWTO" documents and 46 guides, because they have words in them, and you have to _read_ those words to gain knowledge. Consequently, the documents aren't being updated as they once were. But see if you can find a copy of
85507 Aug 20 2001 Firewall-HOWTO
42743 Nov 24 2001 Firewall-Piercing
203891 Sep 29 2004 NET3-4-HOWTO
155096 Jan 23 2004 Security-HOWTO
278012 Jul 23 2002 Security-Quickstart-HOWTO
The last one is particularly useful. The commands have changed in
And I asked for "short". I manage a SonicWall firewall with 5 static IP hiding two video servers, two video mixers, and a half dozen video editing and scheduling computers. Only the servers are Linux. Yet we have remote access so I can control the servers from anywhere. So I don't want to block the world.
The short answer is "you can't do so". There are a couple of problems with IP filtering to _block_ access by country.
ARIN, and there-after the four other Regional Internet Registrars did not assign blocks in a "convenient" manner. Address ranges were assigned from a range such as 202.x.x.x in an arbitrary manner - more or less "first come, first assigned". There was no en masse assignment of a large block to this country or that. While blocks are being divided to better administer them,
the adjacent block is assigned to one of 36 other countries. That output shows how many networks of each size exist in China - ten /10s (36.128.0.0 - 36.191.255.255, 39.128.0.0 - 39.191.255.255, 59.192.0.0,
111.0.0.0, 112.0.0.0, 116.128.0.0, 117.128.0.0, 120.192.0.0, 183.0.0.0 and 183.192.0.0) nineteen /11s, fifty-one /12s, and so on down to 737 /24s, and as initially mentioned, they are scattered over the IPv4 address space from 1.0.1.0 to 223.255.253.255. Got a shotgun?
The country reported in the registration data is that of the main office of the registrant, and has no guarantee that the computers are located in that country. The company I work for is registered in New York but if you traceroute to our address range, the last IP you see before hitting the firewall is near San Francisco - yet I'm in the Phoenix metro area (about 360 miles/600 KM East of Los Angeles), and systems in our address range are located in 27 other countries around the world. So are we in New York, the USA, North America or what?
You cannot count on the DNS name to show country information. In the first place, there are a lot of network administrators who haven't figured out how to run a DNS server or think the data to be secret, and looking up an address will often return a "NXDOMAIN" reply - meaning "no answer could be found". And contrary to common wisdom, not all domains in China (or any other country) have a .cn (or similar ISO-3166) country code as the top level domain - many in fact fit the common misconception that Internet hostnames all end with ".com".
So, if you want to block China ALONE, you have about 2500 address ranges to block. If you don't want to use that many, you can use wider blocks, such as a /8 - China is only in 60 of those 222 blocks. You're going to have collateral damage, by blocking others at the same time, such as 1.x.x.x/8 which blocks AU, CN, HK, IN, JP, KR, MY, PH, TH, TW and VN. Some other /8s have more countries, some less.
If customers have to access things, get a separate firewall. If access is limited to employees only, use better access controls. Are you trying to combat skript kiddiez who attempt to log in to your servers by trying "root" and a hundred thousand different passwords one after another? Use one of the "shoot yourself in the a$$" anti-intrusion programs, like 'BlockHosts', 'DenyHosts', 'fail2ban', 'sshguard' or similar, but set the block times to ten minutes or less - that's enough to deter the skript kiddiez, and only blocks legitimate users for that long if they repeatedly screw up. A much better solution is strong encryption and authentication. Creating "outside" accounts that are isolated from internal (email) account names is desirable. Teaching your users to create/use "good" passwords (non-dictionary, mixed characters/case) helps, and you can use a brute-force password cracker like 'John-the-ripper' to detect lapses. If worried about one IP address, or a small range of addresses, use a 'whois' client/tool
[fermi ~]$ whatis whois
whois (1) - client for the whois service
[fermi ~]$
to identify the assigned network, and block that, BUT be aware of possible collateral damage, and performance degradation.
Do you travel the world WITHOUT advance notice? I normally have at least two days to prepare - more than that if I need to get a visa. Your best bet would be dynamic usernames and passwords - they are used just once then become invalid to prevent the bad guys from gaining access through packet sniffing or shoulder surfing. At one time, it was thought good practice to move the server port to a non-standard value, but many systems have _OUTBOUND_ filters to block access to all but a few well-known (standard) ports to avoid nasty things, and that can block your access from those sites. Best to depend on one-time authentication, and strong encryption.
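The "little data manipulation" mentioned earlier for the RIR statistics files, and the /8 collateral-damage point above, in one added example (not code from any poster here): it parses records in the delegated-stats format described in the thread, turns the IPv4 count field into CIDR blocks (a count such as 768 is not a power of two and becomes more than one block), reads the IPv6 field as a prefix width, and reports which countries share each /8. The sample records are constructed for illustration, not real registry data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the RIR "delegated" statistics format
# (registry|cc|type|start|value|date|status); not real registry data.
SAMPLE = """\
2|apnic|20121015|7|20121014|20121015|+1000
apnic|*|ipv4|*|5|summary
apnic|*|ipv6|*|2|summary
apnic|AU|ipv4|1.0.0.0|256|20110811|assigned
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.2.0|512|20110414|allocated
apnic|CN|ipv4|1.0.8.0|768|20110414|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated
apnic|CN|ipv4|36.128.0.0|4194304|20110117|allocated
apnic|JP|ipv6|2001:200::|35|19990813|allocated
apnic|CN|ipv6|2001:250::|35|20000426|allocated
"""

def parse_delegated(text):
    """Yield (registry, cc, network) for each allocation/assignment record.
    The IPv4 'value' field is an address count, not a mask, and is not
    always a power of two, so one record can become several CIDR blocks;
    the IPv6 'value' field is already a prefix width."""
    for line in text.splitlines():
        fields = line.split("|")
        # skip comments, the version line, and the '*' summary lines
        if len(fields) < 7 or fields[1] == "*" or fields[2] not in ("ipv4", "ipv6"):
            continue
        registry, cc, kind, start, value = fields[:5]
        if kind == "ipv4":
            first = ipaddress.IPv4Address(start)
            last = first + int(value) - 1
            for net in ipaddress.summarize_address_range(first, last):
                yield registry, cc, net
        else:
            yield registry, cc, ipaddress.IPv6Network(f"{start}/{value}")

def blocks_for_country(text, cc, version=4):
    """CIDR blocks registered in (not necessarily located in) country cc."""
    return [n for _, c, n in parse_delegated(text) if c == cc and n.version == version]

def count_and_size(text, cc, version=4):
    """(number of networks, total addresses) for cc, as the posts quote them."""
    nets = blocks_for_country(text, cc, version)
    return len(nets), sum(n.num_addresses for n in nets)

def countries_per_slash8(text):
    """Map each IPv4 /8 to the countries registered inside it: the
    collateral damage of blocking a whole /8 instead of the exact ranges."""
    shared = defaultdict(set)
    for _, cc, net in parse_delegated(text):
        if net.version == 4:
            shared[str(net.supernet(new_prefix=8))].add(cc)
    return dict(shared)
```

Against a real delegated file from one of the five RIRs, the same three functions give the "N networks containing M addresses" figures and the per-/8 country overlap the posts describe.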
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.