This file has been generated automatically.
Last update: Wed Sep 1 17:49:44 UTC 2010
There is a growing number of link spammers, whom I block
whenever a wiki page is "augmented" by dozens or hundreds of
irrelevant links.
This collection lists the link spammers blocked since the installation of "captchas".

##############################################################################
##############################################################################
############## Blocked addresses, sorted by list addition date ###############
##############################################################################
##############################################################################

rule addition date format is yyyymmdd,HHMM (GMT)
195.168.109.60 # 20100901,1749 svk
129.121.65.124 # 20100819,0832
129.121.64.124 # 20100819,0826 usa
168.243.27.8 # 20100722,2218 san salvador spammer
188.168.170.205 # 20100722,2217 russian spammer
208.75.10.42 # 20100505,0918 usa
188.92.74.91 # 20100312,0424 russia
218.28.29.236 # 20100312,0420 china
94.41.223.94 # 20100305,0544 russia
123.125.156.134 # 20100228,1551 cn
89.107.104.120 # 20100228,1550 ru
89.248.172.38 # 20100228,1550 nl
195.191.54.0/24 # 20100228,1549 lv
95.168.183.84 # 20100228,1547 de
94.142.130.67 # 20100227,1251 lv
91.214.45.9 # 20100227,1251 belize
66.232.100.191 # 20100227,0550 usa
93.174.93.222 # 20100227,0508 nl

##############################################################################
##############################################################################
################## Blocked addresses, sorted by ip address ###################
##############################################################################
##############################################################################

66.232.100.191 # 20100227,0550 usa
89.107.104.120 # 20100228,1550 ru
89.248.172.38 # 20100228,1550 nl
91.214.45.9 # 20100227,1251 belize
93.174.93.222 # 20100227,0508 nl
94.41.223.94 # 20100305,0544 russia
94.142.130.67 # 20100227,1251 lv
95.168.183.84 # 20100228,1547 de
123.125.156.134 # 20100228,1551 cn
129.121.64.124 # 20100819,0826 usa
129.121.65.124 # 20100819,0832
168.243.27.8 # 20100722,2218 san salvador spammer
188.92.74.91 # 20100312,0424 russia
188.168.170.205 # 20100722,2217 russian spammer
195.168.109.60 # 20100901,1749 svk
195.191.54.0/24 # 20100228,1549 lv
208.75.10.42 # 20100505,0918 usa
218.28.29.236 # 20100312,0420 china

##############################################################################
##############################################################################
########### Blocked addresses, sorted by number of access attempts ###########
##############################################################################
##############################################################################

497173 0.0.0.0 ()
219356 195.191.54.0 (VENDITORE)

##############################################################################
##############################################################################
##################### cumulated blocked access attempts ######################
##############################################################################
##############################################################################

495241   0.0.0.0
217316   195.191.54.0
45298   66.232.100.191
28128   93.174.93.222
10764   89.248.172.38
8147   91.214.45.9
253   123.125.156.134
208   129.121.64.124
96   188.92.74.91
84   94.142.130.67
77   208.75.10.42
3   89.107.104.120

##############################################################################
##############################################################################
########################### Firewall rules excerpt ###########################
##############################################################################
##############################################################################

# rather than adding all addresses as one long list
# (and having all network packets go through them),
# i "hash" them by ip address into separate tables
# (user-defined chains). this sequence creates these
# tables, and should be at the beginning. All tables are
# also flushed to allow reloading the rule set easily.

SPAMPOLICY=DROP # use when adding spammer rules
# Reset the filter table so this file can be re-run as a whole:
#   -F flushes every rule, -Z zeroes the packet/byte counters,
#   -X deletes the user-defined chains (they must be empty, hence after -F).
# NOTE(review): -Z throws away the per-rule hit counters; the page generator's
# comments say current stats are dumped into spambase before reloading --
# confirm that dump really runs before this point.
# NOTE(review): -F does not touch chain policies. Between this flush and the
# re-adds below, filtering rests on the built-in chain policies, which this
# excerpt does not show; if INPUT defaults to ACCEPT the host is briefly
# unfiltered on every reload. Loading a complete ruleset with iptables-restore
# avoids that window.
iptables -F
iptables -Z
iptables -X
# The nat table is flushed too; its counters and chains are left alone.
iptables -t nat -F

#iptables -N shuttle # forwarding to client through vpn

#RANGES=$(echo 12 24 {58..69} 72 75 77 {79..92} 95 118 122 124 125 147 158 166 189 190 {193..195} {200..204} {207..215} {218..222})
# First octets that get a dedicated chain "spam<octet>". Only /8 ranges
# holding several blocked sources are worth listing here.
RANGES="89 94 188"
# $RANGES is expanded unquoted on purpose: word splitting yields one
# octet per iteration.
for RANGE in $RANGES; do iptables -N "spam$RANGE"; done

# ----------------------------------------------------------------------------
#
# here i have my high-traffic rules, open the secure
# shell port (which i like to open early, in case i
# introduce mistakes into this rules file), vpn addresses
# and non-connecting packets on non-privileged ports.
# I.e. all the stuff i want to deal with before doing
# much filtering. Also, blocking packets coming in
# on WLAN with RFC1918 addresses, spoofed (myself) origins
# etc. Those rules are not shown here:
#
# ... high-traffic ACCEPTs
# ... spoof DROPs
# ... RFC 1918 DROPs
# ... ports exempted from range blocking

# ----------------------------------------------------------------------------
# This "hashes" the incoming packets into the tables which
# may contain wiki spammer blockers.

# TABLE is an indexed array used as a presence flag: TABLE[N] is set
# exactly when chain spamN was created for first octet N.
TABLE=()
for RANGE in $RANGES; do
  # Send every packet whose source lies in N.0.0.0/8 through chain spamN,
  # so only those packets are compared against that chain's block rules.
  iptables -A INPUT -s "$RANGE.0.0.0/8" -j "spam$RANGE"
  # Remember that the chain exists, so block() can pick it as destination.
  TABLE[$RANGE]=1
done

# this function forms a rule add line when called with ip addr or range,
# extracting the range from ip address, and adding the rule to the proper table:
# if a table for an ip range exists, the rule is added to that table. if none
# exists, the rule is added to the INPUT table.
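block() {
  # Append a rule for one blocked source to the chain that covers it.
  #
  # Globals:   TABLE (read)      - TABLE[N] set when chain spamN exists
  #            SPAMPOLICY (read) - target given to -j
  # Arguments: $1 - IPv4 address, optionally with /prefix (e.g. 195.191.54.0/24);
  #            further arguments are ignored
  # Returns:   iptables' status, or 1 when $1 is not shaped like an IPv4
  #            address or range (nothing is added in that case)
  local ipaddr=${1-}
  local range dest
  local -r shape='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'

  # The first octet is used as an array subscript below, and bash evaluates
  # subscripts as arithmetic expressions. Checking the shape first keeps a
  # malformed list entry from being evaluated, and stops anything that is
  # not an address from reaching the iptables command line. Out-of-range
  # octets (>255) are left for iptables itself to reject.
  if [[ ! $ipaddr =~ $shape ]]; then
    printf 'block: refusing malformed address: %s\n' "$ipaddr" >&2
    return 1
  fi

  # Force base 10 so a leading zero is not read as octal.
  range=$(( 10#${ipaddr%%.*} ))

  # Use the per-octet chain when one was created, INPUT otherwise.
  dest=spam$range
  if [[ -z ${TABLE[$range]:-} ]]; then
    dest=INPUT
  fi

  # SPAMPOLICY stays unquoted so that a multi-word target keeps working.
  # shellcheck disable=SC2086
  iptables -A "$dest" -s "$ipaddr" -j $SPAMPOLICY
}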

# Finally, the blocking rules
# if this line changes, BlockedAdresses must be updated too
#
# One call per blocked source: a single IPv4 address or a CIDR range.
# The trailing comment records when the rule was added (yyyymmdd,HHMM, GMT)
# and optionally a free-form origin note. The shell ignores it, but the
# page generator prints these lines and sorts them on the text after '#'.
# Keep every entry on one line starting with "block " -- the generator
# selects entries with grep "^block ".
block 66.232.100.191 # 20100227,0550 usa
block 89.107.104.120 # 20100228,1550 ru
block 89.248.172.38 # 20100228,1550 nl
block 91.214.45.9 # 20100227,1251 belize
block 93.174.93.222 # 20100227,0508 nl
block 94.41.223.94 # 20100305,0544 russia
block 94.142.130.67 # 20100227,1251 lv
block 95.168.183.84 # 20100228,1547 de
block 123.125.156.134 # 20100228,1551 cn
block 129.121.64.124 # 20100819,0826 usa
block 129.121.65.124 # 20100819,0832
block 168.243.27.8 # 20100722,2218 san salvador spammer
block 188.92.74.91 # 20100312,0424 russia
block 188.168.170.205 # 20100722,2217 russian spammer
block 195.168.109.60 # 20100901,1749 svk
block 195.191.54.0/24 # 20100228,1549 lv
block 208.75.10.42 # 20100505,0918 usa
block 218.28.29.236 # 20100312,0420 china

#
# When CAPTCHAs were installed, the former blocked addresses and
# nets have been removed from the blocking rules. For references
# purposes, they can be seen at:
#
# http://scarydevilmonastery.net/sorry_nobody_home.txt
#

# --------------------------------------------------------------------------
#
#
# my other iptables rules, opening misc services, follow here
#
#
# --------------------------------------------------------------------------

##############################################################################
##############################################################################
################ The script, used to generate this wiki page #################
##############################################################################
##############################################################################

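#!/usr/bin/env bash
# bash rather than sh: the script relies on [[ ]], (( )) and here-strings,
# which a strict POSIX /bin/sh does not provide.

WIDTH=78    # width of section headers
HCHAR="#"   # char for section header padding

RULESET="/etc/default/iptables.blocked"      # one blocked address per line
RULESCRIPT="/etc/default/iptables.rules"     # firewall script the excerpt is cut from
# Scratch file for the published rules excerpt. mktemp gives an
# unpredictable name; stop if it cannot be created, and remove the file on
# every exit path rather than only when the last line of the script runs.
RULES="$(mktemp)" || { echo "mktemp failed" >&2 ; exit 1 ; }
trap 'rm -f -- "$RULES"' EXIT
FRAG1=/www/forthfreak/blocked/frag1          # page part before the live counters
FRAG2=/www/forthfreak/blocked/frag2          # page part after the live counters
SPAMBASE="/root/spambase"                    # events_<ip> files with earlier hit counts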

if [[ "$1" != "update" ]] ; then
   # rptchar char,n
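   rptchar ()  {
      # Print string $1 exactly $2 times, without a trailing newline.
      # Prints nothing for a count of zero or less. Returns 1, printing
      # nothing, when $2 is not a plain decimal integer: the count is used
      # in an arithmetic context, which must never see arbitrary text.
      # printf is used instead of "echo -n" so that a string that looks
      # like an echo option (for example "-n") is still printed literally.
      local count=${2-} i
      [[ $count =~ ^(0|-?[1-9][0-9]*)$ ]] || return 1
      for (( i = 0; i < count; i++ )) ; do
         printf '%s' "$1"
      done
   }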

   header ()  {
      # Print a section banner: a blank line, two full-width bars of $HCHAR,
      # the title centred between shorter bars, two more full-width bars and
      # a closing blank line.
      # Globals: WIDTH, HCHAR (read); TEXT, LEFT, RIGHT (written)
      # Arguments: the title words, joined with single spaces
      local bar
      TEXT="$*"
      # The title line is "<left bar> TEXT <right bar>"; the two spaces
      # around the title account for the -1 here and the -2 below.
      LEFT=$(( (WIDTH - ${#TEXT}) / 2 - 1 ))
      RIGHT=$(( WIDTH - LEFT - ${#TEXT} - 2 ))
      bar=$(rptchar "$HCHAR" "$WIDTH")
      printf '\n%s\n%s\n' "$bar" "$bar"
      printf '%s %s %s\n' "$(rptchar "$HCHAR" "$LEFT")" "$TEXT" "$(rptchar "$HCHAR" "$RIGHT")"
      printf '%s\n%s\n\n' "$bar" "$bar"
   }

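INCLUDER='while read LINE ; do block $LINE ; done < $RULESET'

   # Build the published rules excerpt in $RULES.
   # Stage 1 copies the firewall script line by line, replacing the single
   # line that equals $INCLUDER with one "block <entry>" line per entry of
   # $RULESET. Stage 2 keeps only what lies strictly between the
   # "# BEGIN WIKI SPAMMER BLOCK" and "# END WIKI SPAMMER BLOCK" markers.
   # Everything between the markers ends up on a public page, so rules or
   # comments that should stay private belong outside them.
   #
   # read -r keeps backslashes intact, and every line is printed quoted:
   # an unquoted expansion would undergo pathname expansion, so a line
   # containing "*" would be replaced by file names from the working
   # directory. Leading and trailing blanks are still stripped by read,
   # which the comparisons with $INCLUDER and the markers rely on.
   OUTPUT=0
   while read -r LINE ; do
      if [[ "$LINE" == "$INCLUDER" ]] ; then
         awk '{print "block",$0}' < "$RULESET"
      else
         printf '%s\n' "$LINE"
      fi
   done < "$RULESCRIPT" |
   while read -r LINE ; do
      # Order matters: the END test comes first and the BEGIN test last,
      # so neither marker line is copied.
      [[ "$LINE" == "# END WIKI SPAMMER BLOCK" ]] && OUTPUT=0
      (( OUTPUT )) && printf '%s\n' "$LINE"
      [[ "$LINE" == "# BEGIN WIKI SPAMMER BLOCK" ]] && OUTPUT=1
   done  > "$RULES"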

   (
   # First page fragment: preamble plus the two sorted address lists.
   # Runs in a subshell so the variables header() sets stay out of the
   # main script.
   echo This file has been generated automatically.
   # The command substitution is unquoted on purpose: word splitting
   # collapses runs of blanks in the date string.
   echo Last update: $(date -u)

   printf '%s\n' \
      'There is a growing number of link spammers, which i am blocking' \
      'whenever a wiki page is "augmented" by dozens or hundreds of' \
      'irrelevant links.' \
      'This collection reflects link spammers since the installation of "captchas"'

   header "Blocked addresses, sorted by list addition date"
   echo 'rule addition date format is yyyymmdd,HHMM (GMT)'
   # Strip the leading "block " from each entry, then sort newest first on
   # the text after '#', which starts with the date.
   sed -n 's/^block //p' "$RULES" | sort -r -k2 -t"#"

   header "Blocked addresses, sorted by ip address"
   # Same entries, ordered numerically octet by octet.
   sed -n 's/^block //p' "$RULES" | sort -n -t. -k1,1 -k2,2 -k3,3 -k4,4

   header "Blocked addresses, sorted by number of access attempts"
   ) > "$FRAG1"

   (
   # Second page fragment: stored hit counts, the rules excerpt and this
   # script's own source. Both the excerpt and the script are published
   # verbatim, so neither should ever contain credentials or anything else
   # that is meant to stay private.
   header "cumulated blocked access attempts"
   for EVENTFILE in "$SPAMBASE"/events_* ; do
      # "<stored count>   <address>"; the address is the part of the path
      # after the underscore.
      printf '%s   %s\n' "$(< "$EVENTFILE")" "$(cut -f2 -d"_" <<< "$EVENTFILE")"
   done | sort -nr

   header "Firewall rules excerpt"
   cat "$RULES"

   header "The script, used to generate this wiki page"
   cat "$0") > "$FRAG2"

fi

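# build whole output from both fragments, and a bit of
# live firewall request. this will also be done periodically
cat "$FRAG1"

# could probably be greatly simplified. (has been a bit already)
# spambase is a directory with files of pattern "events_n.n.n.n",
# where n.n.n.n is the spammer's ip address or net. Each file contains
# a number, representing earlier access attempts before reloading of
# firewall. current stats are dumped into spambase before reloading.
#
# For every DROP rule with a non-zero packet counter, print
# "<stored + live count> <source> (<whois netname>)", highest count first.
# The grep matches any DROP rule, not only those added by block().
sudo iptables -nvxL | grep "^ *[1-9].*DROP" | awk '{print $1,$8}' |
while read -r EVENTS SOURCE ; do
   SPAMMERIP=${SOURCE%%/*}   # drop a /prefix so the name matches events_<ip>
   PREVIOUSEVENTS="$SPAMBASE/events_$SPAMMERIP"
   # Start from zero for every source. Without this reset a source that
   # has no events file inherits the stored count of the previous row.
   PREVIOUSEVENTSCOUNT=0
   [[ -f $PREVIOUSEVENTS ]] && read -r PREVIOUSEVENTSCOUNT < "$PREVIOUSEVENTS"
   # The stored value goes into an arithmetic expansion, so accept digits
   # only, and read them as base 10 even with leading zeros.
   [[ $PREVIOUSEVENTSCOUNT =~ ^[0-9]+$ ]] || PREVIOUSEVENTSCOUNT=0
   echo "$(( 10#$PREVIOUSEVENTSCOUNT+EVENTS )) $SPAMMERIP ($(whois "$SPAMMERIP" 2> /dev/null | sed -n 's/netname:\( \|\t\)*//p'))"
done | sort -nr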

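cat "$FRAG2"
# NOTE(review): /tmp is world-writable and this name is predictable, so
# whatever is found here is published as part of the page. Refusing
# symbolic links keeps the script from printing a file the link points at;
# the content of a regular file placed here is still taken on trust.
# Having the producer write to a directory only it can write to would
# close that gap -- the producer is not part of this script.
if [[ -f /tmp/double_ip_ranges && ! -L /tmp/double_ip_ranges ]] ; then
   cat /tmp/double_ip_ranges
fi

# -f and -- keep the cleanup quiet and safe whatever the temp name looks like.
rm -f -- "$RULES"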
range 129 could do with an own table: 2 rules match
range 195 could do with an own table: 2 rules match