Blocking Annoyance Sites Like Stretchoid

These guys claim to be researchers.  They are researchers with over 24,000 IPv4 addresses?  Something’s fishy here.

On most systems you have a firewall.  You have a firewall at your router and you have a firewall at your workstation. In Linux you may use iptables and/or UFW.  The goal of these is to block IP addresses of users that you believe are nefarious or have no reasonable need to even be looking at your computer.

For instance, someone sending you email is a reasonable use.  Someone visiting your website is reasonable use.  Someone testing the ports on your email or web server is not reasonable.  Strictly speaking, those should be banned at the very first attempt to scan or break in.

In Linux you have UFW that can be quickly installed and enabled.  By default it denies all incoming.  You need to open ports to make it anything other than a block of everyone.  For instance, if you want to get into SSH via port 22 you would tell UFW to allow that either to everyone or to specific IP addresses.  Why to everyone?  You might do that because you could be using a cell phone or tablet remotely.  You might be at someone’s home or office.  There are ways to secure this in given situations.  But you would need to add a rule to UFW to allow that access since a default UFW setup is to block all.

Typically, if you run an email server, a web server, and other things, blocking everything makes those services useless even to you.  So you have to open ports to let the internet talk to them.  Email needs ports 465, 25, 993, etc.  Web sites need port 80.  So you’d create a rule in UFW to open those ports and allow everyone to access them.  It is a necessity.

The problem is that it opens them to everyone. Since we know there are nefarious people we need to be able to block individual IP addresses or ranges belonging to those nefarious people.

In UFW you would block the IP address by doing something like:

sudo ufw deny from <IP>

That rule goes to the bottom of the list of rules, and in UFW the order of the rules matters: the first rule that matches wins.  So even if you deny that IP, the allow rules above it already match and let it through, and the deny never takes effect.  What you need to do is add the rule at the top, before the “allow” rules.

sudo ufw insert 1 deny from <IP>

This will put the rule at the very top.  When that IP comes in, UFW will match it and deny all access.  If you put it at the bottom, UFW would have already allowed it when it hit the rule allowing everyone on port 80 (or the email ports).

What happens, though, when you have an entity such as Stretchoid that has a broad range of IPs?  Looking at the list of IP ranges they control, there are over 96 (and each of those ranges holds about 255 IP addresses), making a total of over 24,000 IPs.  How do you block all those?

You’d use something like the following:

sudo ufw insert 1 deny from <IP>/24

The argument in this case would look like 138.68.223.0/24

Notice the .0/24: that tells UFW to block the whole range, not just a single address.

If you insist on blocking individual IPs you’d have far too many rules.  If you chose to block every individual IP in countries such as Vietnam, Russia, or Brazil, you’d have so many rules that it would burden your system; blocking the ranges of IPs assigned to those countries instead simplifies things greatly.

In the case of Stretchoid, these people are annoying.  If you block some of their ranges, they have so many that they’ll come back with more.  I know this because I had been blocking individual IPs as I found them and then ranges as I found those.

As time went by that task seemed daunting and annoyed me to no end.

What I did was seek out (search in Google for a list of) the IP ranges owned by Stretchoid and add them to a text file, then use a loop to add those while reading from the text file a line at a time. Here’s an example:

while read -r line; do sudo ufw insert 1 deny from "$line"; done < blockstretchoid.txt

I added their ranges to blockstretchoid.txt and ran the above command at the terminal.  For every line in the file it inserted a new deny rule as the first rule in UFW.  This blocks all Stretchoid IPs from accessing my system.
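The loop above feeds every line of the file straight to UFW, so a blank line, a typo, or a duplicate entry either errors out or quietly produces a bad or redundant rule. Here is an added example (my own code, not from the original post) that validates each entry, drops duplicates, merges adjacent /24s into larger prefixes so UFW needs fewer rules, and prints the same "insert 1 deny from" commands; the sample list and the trailing-comment convention are assumptions for this example.

```python
# Added example (not from the original post): load a UFW block list such as
# blockstretchoid.txt, validate every entry, drop duplicates, collapse adjacent
# /24s into larger prefixes, and emit "ufw insert 1 deny from" commands.
import ipaddress

# Constructed sample in the same shape as blockstretchoid.txt: a comment, a
# duplicate entry, a blank line, a bare host, and a malformed line.
SAMPLE_LIST = """\
# Stretchoid ranges (constructed sample for this example)
138.68.208.0/24
138.68.209.0/24
138.68.210.0/24
138.68.211.0/24
138.68.210.0/24

159.203.193.0/24
192.0.2.77
not-an-address
"""

def parse_block_list(text):
    """Return (networks, rejected): valid unique networks and the bad lines."""
    networks, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # allow trailing comments
        if not line:
            continue
        try:
            # strict=True rejects host bits set, e.g. 138.68.223.5/24
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            rejected.append(line)
            continue
        if net not in networks:                # a duplicate line would become a duplicate rule
            networks.append(net)
    return networks, rejected

def collapse(networks):
    """Merge adjacent/overlapping prefixes so UFW needs fewer rules."""
    return list(ipaddress.collapse_addresses(networks))

def ufw_commands(networks):
    """One 'insert 1' per network so every deny lands above the allow rules."""
    return [f"ufw insert 1 deny from {net.with_prefixlen}" for net in networks]

if __name__ == "__main__":
    nets, bad = parse_block_list(SAMPLE_LIST)
    print("\n".join(ufw_commands(collapse(nets))))
    for entry in bad:
        print("skipped:", entry)
```

Pipe the printed commands through `sudo sh` once you are happy with them; the four consecutive /24s in the sample become a single 138.68.208.0/22 rule.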

This is a list of ranges that I have for Stretchoid (NOTE: I’ve added a few more at the bottom as I discovered them):
