Use ipset on your virtual host.
There are at least 150 countries which you are not going to connect from, e.g. Syria.
So block ingress from those countries.
And then block some more.
ipset is so efficient (hash-based iptables) that there is no throughput degradation with many, many filtered netblocks.
Thu Oct 12 21:39:30 EDT 2017
21:39:30 up 17 days, 2:07, 5 users, load average: 0.05, 0.07, 0.08
Linux ziva 4.4.0-96-generic #119~14.04.1-Ubuntu SMP Wed Sep 13 08:40:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
-----------------
IPTABLES summary:
0 0 REJECT udp match-set block-by-ip src reject-with icmp-port-unreachable
46 2320 REJECT tcp match-set block-by-ip src reject-with tcp-reset
4 2669 REJECT udp match-set block-by-country src reject-with icmp-port-unreachable
3809 195K REJECT tcp match-set block-by-country src reject-with tcp-reset
-----------------
Block-by-IP filter set
TOP 25 COUNTRIES in IP BLOCKS since Wed Oct 11 00:21:50 EDT 2017:
PACKETS ORIGIN
36 US United States
4 NL Netherlands
3 FR France
1 ES Spain
1 CA Canada
1 BE Belgium
TOP 25 IP ADDRESSES (of 27 total) in IP BLOCKS since Wed Oct 11 00:21:50 EDT 2017:
PACKETS IP ADDRESS ORIGIN
BLOCKLIST EFFECTIVENESS (50550 IPs total, 48956 IPs after deduplication, 13607 IPs after country-culling, 27 IPs blocked)
14 block-by-ip-blocklist.txt (40226)
11 block-by-ip-rutgers.txt (2964)
9 block-by-ip-torproject.txt (3768)
7 block-by-ip-tordanlist.txt (753)
3 block-by-ip-emergingthreats.txt (1381)
3 block-by-ip-badips.txt (3260)
-----------------
Block-by-Country filter set
TOP 50 COUNTRIES (of 150 configured) in COUNTRY BLOCKS since Sat Oct 7 10:06:24 EDT 2017:
PACKETS ORIGIN
707 CN China
648 UA Ukraine
384 RU Russian Federation
224 MX Mexico
189 TT Trinidad and Tobago
150 BG Bulgaria
140 CL Chile
118 ZA South Africa
118 VN Vietnam
95 US United States
89 ID Indonesia
75 HR Croatia
72 PL Poland
72 JP Japan
70 PH Philippines
68 BR Brazil
58 AR Argentina
57 RS Serbia
43 MD Moldova, Republic of
39 TN Tunisia
32 TW Taiwan
31 IN India
31 CR Costa Rica
24 KR Korea, Republic of
24 HK Hong Kong
24 DO Dominican Republic
23 NL Netherlands
23 HU Hungary
23 DZ Algeria
14 TH Thailand
14 IR Iran, Islamic Republic of
13 MY Malaysia
12 LV Latvia
12 CZ Czech Republic
11 AZ Azerbaijan
9 KW Kuwait
8 SC Seychelles
7 SG Singapore
7 PE Peru
7 IQ Iraq
7 EC Ecuador
5 JO Jordan
4 IL Israel
3 TR Turkey
3 NG Nigeria
3 KZ Kazakhstan
3 EG Egypt
3 BD Bangladesh
2 UY Uruguay
2 QA Qatar
TOP 50 CIDRs (of 347 total) in COUNTRY BLOCKS since Sat Oct 7 10:06:24 EDT 2017:
PACKETS CIDR ORIGIN
-----------------
fail2ban filter set
LAST 10 IPs BLOCKS VIA FAIL2BAN (currently 5 active rules):
PACKETS IP ADDRESS ORIGIN BANTIME REASON
(*) a zero in the packets column indicates that a) the entry has recently expired or b) no packets have arrived since the filter was added.
-----------------
Name: block-by-ip
Type: hash:ip
Revision: 2
Header: family inet hashsize 8192 maxelem 65536 counters
Size in memory: 873920
References: 2
Entries: 13607
Name: block-by-country
Type: hash:net
Revision: 4
Header: family inet hashsize 16384 maxelem 65536 counters
Size in memory: 2449536
References: 2
Entries: 55983
------------------------------------------------------------------------------------------
methodology:
three packet filter stages are implemented:
1. Block-by-IP (static)
2. Block-by-Country (static)
3. fail2ban (dynamic)
1. the IP addresses in the Block-by-IP list are the union of seven different public lists of IPs,
from geographically different areas and using differing criteria for IP address inclusion.
the merged list is sorted, and duplicate IP addresses culled.
http://report.rutgers.edu/DROP/attackers
https://rules.emergingthreats.net/blockrules/compromised-ips.txt
http://www.openbl.org/lists/base.txt
https://lists.blocklist.de/lists/all.txt
https://www.badips.com/get/list/any/3?age=2w
https://www.dan.me.uk/torlist/?exit
https://check.torproject.org/exit-addresses
2. the netblock addresses in the Block-by-Country list are from public IANA assignments, however
some geographic opaqueness can be expected as service providers in many instances assign portions
of IP address netblocks across national boundaries.
http://www.ipdeny.com/ipblocks/data/countries
notes:
in order to prevent double-checking of incoming packets during operation, each IP address in
the Block-by-IP list is checked against presence within a netblock in the Block-by-Country
list, and if a match is found the IP address is discarded from the Block-by-IP list. as a
result, incoming packets are checked against the Block-by-IP list and Block-by-Country list
sequentially, and match/no-match determination is independent of order of check. by extension,
however, the apparent effectiveness of the public lists of IPs is reduced, as a fair number
(typ. ~65%) of IP addresses are discarded by the comparison-check process.
both the Block-by-IP and Block-by-Country lists are implemented at the packet filter layer via ipset;
ipset is a tool for creating and utilizing hash data structures for extremely fast address comparison.
using ipset results in a very small number of actual iptables rules (which are linearly evaluated)
referencing ipsets (each of which is hash-evaluated). ipsets can contain many tens of thousands of
IP addresses or CIDR netblocks with no appreciable network throughput degradation.
http://ipset.netfilter.org/index.html
example:
# iptables -L -v -n | grep set
1 848 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 match-set block-by-ip src reject-with icmp-port-unreachable
1018 52696 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set block-by-ip src reject-with tcp-reset
7 886 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 match-set block-by-country src reject-with icmp-port-unreachable
5402 286K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set block-by-country src reject-with tcp-reset
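The merge, deduplicate and country-cull steps described above, as an added example (not the poster's own script): it unions several feeds, discards any IP already covered by a country netblock so the two ipsets never both match one packet, and emits `ipset restore` input using the set headers shown in the `ipset list -t` output above. The feed contents and netblocks are constructed documentation-range samples, and the feed file names are hypothetical.

```python
import ipaddress

# Constructed sample feeds standing in for the public lists named above
# (documentation-range addresses, not real feed contents).
IP_FEEDS = {
    "block-by-ip-rutgers.txt": ["198.51.100.7", "203.0.113.9", "198.51.100.7"],
    "block-by-ip-torproject.txt": ["# comment line", "203.0.113.9", "192.0.2.44"],
}
# Constructed stand-in for the per-country netblocks fetched from ipdeny.
COUNTRY_NETBLOCKS = ["203.0.113.0/24", "198.51.100.128/25"]

def merge_ip_feeds(feeds):
    """Union of all feeds: returns (set of addresses, count of valid lines).
    The set collapses duplicates, i.e. the 'sorted and duplicates culled' step."""
    total, unique = 0, set()
    for lines in feeds.values():
        for line in lines:
            try:
                unique.add(ipaddress.ip_address(line.strip()))
            except ValueError:
                continue  # comments and malformed lines are skipped
            total += 1
    return unique, total

def cull_by_country(ips, netblocks):
    """Drop every IP already inside a country netblock so that no packet can
    match both sets; returns the survivors as sorted dotted strings."""
    nets = [ipaddress.ip_network(n) for n in netblocks]
    keep = [ip for ip in ips if not any(ip in net for net in nets)]
    return [str(ip) for ip in sorted(keep, key=lambda a: (a.version, int(a)))]

def ipset_restore_script(ips, netblocks):
    """Emit input for `ipset -exist restore`, reusing the set headers shown in
    the `ipset list -t` output above; iptables then references the sets with
    e.g. `-m set --match-set block-by-ip src -j REJECT --reject-with tcp-reset`."""
    lines = [
        "create block-by-ip hash:ip family inet hashsize 8192 maxelem 65536 counters",
        "create block-by-country hash:net family inet hashsize 16384 maxelem 65536 counters",
    ]
    lines += [f"add block-by-ip {ip}" for ip in ips]
    lines += [f"add block-by-country {net}" for net in netblocks]
    return "\n".join(lines) + "\n"

def build(feeds=IP_FEEDS, netblocks=COUNTRY_NETBLOCKS):
    """Run the stages in order; returns (total, deduplicated, kept, restore_text)."""
    unique, total = merge_ip_feeds(feeds)
    kept = cull_by_country(unique, netblocks)
    return total, len(unique), len(kept), ipset_restore_script(kept, netblocks)
```

The three counts returned by `build()` correspond to the "IPs total / after deduplication / after country-culling" figures in the BLOCKLIST EFFECTIVENESS line of the report.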
3. fail2ban is employed to backstop the above static filtering; fail2ban automatically introduces
new packet filter rules in response to repeated unauthorized login attempts or similar unwanted
behavior. these filter rules expire after a user-defined period.
------------------------------------------------------------------------------------------