VoIP Blacklist

Status
Not open for further replies.

simcard

Member
Jan 22, 2017
49
4
8
Didn't even know it existed;

Just checked a few IP addresses we didn't recognise that have attempted to register in the last 24 hours, and most are listed.

Might investigate this further - thanks for the find!
 

yukon

Member
Oct 3, 2016
138
14
18
I installed it on one of my test servers and these are all the ones that have hit me in the last 12 hours:


Just a couple notes that I saw. In the /usr/local/bin/voipbl.sh script, change the line:
if [ `iptables -L | grep -c "Chain BLACKLIST-INPUT"` -lt 1 ]; then
to
if [ `iptables -L -v -n | grep -c "Chain BLACKLIST-INPUT"` -lt 1 ]; then

And also, change the cron to not run so much. Every 4 hours seems a bit much to me.


 

simcard

Member
Jan 22, 2017
49
4
8
That's one large list of IPs! Let's hope iptables doesn't weigh everything else down.

Starting to see some hits and have also added a few new IPs to the list that have been trying to hammer away lately.

I was having a look at the growth of the list over time and trying to come up with an optimal frequency to run the script, seeing as it reloads the whole list each time.

Currently at once every 24 hours, but thinking that might be overkill.
 

simcard

Member
Jan 22, 2017
49
4
8
Works very well, we find, and the ability for the community to add new IPs is a bonus.

We use the ipset method to load the rules as it's far quicker (30 sec vs 5+ minutes). You can also update as often as you like.

We check the rules often and notice traffic being blocked, so it's definitely doing its job. As good as it is though, we would advise using it as part of a well balanced security diet, not just as your only line of defense.
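
The ipset loading approach mentioned in the post above, as an added example that is not part of the thread or of the VoIPBL script: the list is validated into `ipset restore` input, loaded into a temporary set, and swapped in so a single iptables rule covers every entry. The set name, set options, list file argument and sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not the VoIPBL script. SET_NAME and SET_OPTS are assumptions.
SET_NAME="voipbl-example"
SET_OPTS="hash:net family inet hashsize 4096 maxelem 200000"

# Constructed sample list (documentation addresses, not real blocklist entries).
SAMPLE_LIST='# constructed sample
192.0.2.10
198.51.100.0/24
192.0.2.10
0.0.0.0/0
203.0.113.999
create evil hash:ip'

# Turn a list file (one IPv4 address or CIDR per line) into "ipset restore" input.
# Only well-formed entries are emitted, so a corrupted or tampered download cannot
# smuggle extra ipset commands or a catch-all /0 into the firewall.
build_restore() {
    echo "create ${SET_NAME}-tmp ${SET_OPTS}"
    echo "flush ${SET_NAME}-tmp"
    awk -v name="${SET_NAME}-tmp" '
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            n = split($0, p, /[.\/]/); ok = 1
            for (i = 1; i <= 4; i++) if (p[i] > 255) ok = 0
            if (n == 5 && (p[5] < 1 || p[5] > 32)) ok = 0
            if (ok && !seen[$0]++) print "add " name " " $0
        }' "$1"
}

# Fill a temporary set, then swap it into place so the live set is never half
# loaded. Needs root plus the ipset and iptables tools.
apply_blocklist() {
    ipset -exist create "$SET_NAME" $SET_OPTS &&
    build_restore "$1" | ipset -exist restore &&
    ipset swap "${SET_NAME}-tmp" "$SET_NAME" &&
    ipset destroy "${SET_NAME}-tmp" || return 1
    # One rule covers the whole set; -C checks first so reruns do not duplicate it.
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

# Usage: sh blocklist.sh --apply /path/to/list.txt
if [ "${1:-}" = "--apply" ]; then apply_blocklist "$2"; fi
```

Because the swap replaces the set contents in one step, the script can be rerun on any schedule without flushing and rebuilding a chain of per-address rules.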
 