Network Security and Blocking Whole IP Blocks

agentblack

New member
So, I wanted to get a feel for people's thoughts on this.

Typically we have handled hacking attempts by just blocking the offending IP plus one on either side of the offending IP. This has seemed to work well, however, yesterday as I was looking over our blocked list it seems that the vast majority of the offenders are coming from ChinaTelcom.

Now, as I like to be informed when someone is attempting to access a part of the server they shouldn't, we have set the failed logins fairly low at 5 times before you are blocked by cPHulk, 10 times and you are permabanned until you talk to tech support.

I don't have exact numbers sitting in front of me at the moment; however, yesterday morning I decided to block the entire ChinaTelcom ARIN Assigned IP Block from the network. Now, typically in a 24-hour period I would get no less than 10 alerts of someone attempting to brute or otherwise into the server.

Since blocking all of ChinaTelcom, I have gotten 1. I am wondering if others have taken the unusual step of blocking an entire provider from their network, or am I just overreacting?

I am fully aware that this may be blocking legitimate users who may want to use my services; however, given the sheer volume of IPs already blocked from ChinaTelcom, this seems moot, as it appears all ChinaTelcom is is a hacker's free-for-all on their network. Personally I believe taking the proactive approach by banning the IPs from the network is less costly vs. leaving them unblocked.

Anyone else have an opinion?

Regards,
James
 
Blocking IP numbers doesn't do much good. There are many thousands of proxies that you can use to bypass IP blocks - this also goes for ISP and country blocks.

Blocking countries does help - at least you'll block a script kiddie, but someone who takes the extra 60 seconds and routes the connection through a Proxy will have no problem accessing things. That's when you go the next step and block Free Proxies from accessing your servers - but again, not everything is on a list, so you're only blocking those that don't take the extra few minutes to re-route the traffic.

Monitoring logs, blocking based on attempts - that's the way to go. If you can reduce your number of attempts through range and country blocks - that's great. Just keep an extra eye on your logs to make sure that they're not bypassing the blocks and using proxies to continue their attempts.

Setting blocks based on attempts is a great way to temporarily block someone and is usually enough to force automated programs and script kiddies to move on to the next location. If you can block 95% with just a few actions, that's a pretty good start in my book!
 
Have you ever considered only allowing the IPs of the people allowed to view a section to view it and blocking all others? That would mean no one that wasn't supposed to view it simply couldn't.
 
Yes. When we do web development and testing of things, we have it blocked out unless you're on a specific allow list.

If you go to http://www.handsonwebhosting.info, you'll find that you're not allowed to access the site while we're in development. Once the design goes live, the restrictions will be lifted and the site copied to the .COM extension.

This also helps prevent search engines from spidering through your site and indexing content that it has no business doing.

An "ALLOW_IP" command is designed much differently than a DENY_FROM_IP type command.
 
Have you ever considered only allowing the IPs of the people allowed to view a section to view it and blocking all others? That would mean no one that wasn't supposed to view it simply couldn't.

Well, this is for things like our SSH ports (which will be changing again soon), the cPanel login screen, WHM login, webmail, etc.

I believe it is the script kiddies honestly, since blocking the IPs on either side of the offending one helped a lot, but it got to the point that the entire ChinaTelcom provider was hackers. Which is why I took the step of blocking the entire provider, and let me be the first to say, the last two nights of sleep have been the BEST since my phone isn't constantly going off with alerts.
 
If you know where the culprits are coming from, then why not block the whole range? There are good and bad points to blocking whole ranges or countries; it's really just down to your personal preference.
 
The only thing I'd caution someone on when blocking an IP range is to make sure they're aware that they haven't resolved any issue - they've only thrown a few rocks on the path to make it harder to get to the front door.
 
From my review, it just appears that they are using scripts. I mean, honestly, who in their right mind has accounts like:

abc
user
admin
root
etc

Other than root, most normal folks don't have accounts like that. They are throwing spitwads in the dark hoping one sticks, and so far it's not working.

Call me slightly paranoid but I constantly change the root passwords on the servers and they are usually between 16 and 64 characters long, with no password being reused.
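As an added illustration (not code from any poster in this thread) of the two rules of thumb described above, the 5/10 failed-login thresholds from the first post and the "block the offender plus one address on either side" habit, plus the observation that the scripted attempts cycle through usernames like abc/user/admin/root: the snippet below counts sshd "Failed password" lines per source IP, applies the thresholds, and only proposes neighbour /32 blocks where a whole-range block does not already cover the source. The log lines and the 203.0.113.0/24 "provider" range are constructed documentation values, not real addresses.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of sshd "Failed password" lines (not from the thread); 203.0.113.0/24
# is a documentation range standing in for a provider's whole allocation.
SAMPLE_LOG = (
    [f"Failed password for invalid user {u} from 203.0.113.10 port {4000 + i} ssh2"
     for i, u in enumerate(["abc", "user", "admin", "test", "guest"])]   # 5 failures
    + [f"Failed password for root from 198.51.100.7 port {5000 + i} ssh2"
       for i in range(11)]                                               # 11 failures
    + ["Failed password for invalid user admin from 192.0.2.5 port 6000 ssh2",
       "Accepted publickey for deploy from 192.0.2.9 port 6001 ssh2"]
)
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

def count_failures(lines):
    """Map each source IP to a Counter of the usernames it failed with."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = FAILED.search(line)
        if m:
            per_ip[m.group(2)][m.group(1)] += 1
    return per_ip

def classify(per_ip, temp=5, perma=10):
    """Thread's thresholds: 5 failures -> temporary block, 10 -> permanent ban."""
    verdict = {}
    for ip, users in per_ip.items():
        total = sum(users.values())
        if total >= perma:
            verdict[ip] = "permanent"
        elif total >= temp:
            verdict[ip] = "temporary"
    return verdict

def neighbour_block(ip):
    """Thread's rule of thumb: the offender plus one address on either side."""
    addr = ipaddress.ip_address(ip)
    return [str(addr - 1), str(addr), str(addr + 1)]

def review(lines, blocked_ranges=("203.0.113.0/24",)):
    """Per offending IP: verdict, usernames tried, and the /32s to add unless a range block covers it."""
    per_ip = count_failures(lines)
    report = {}
    for ip, verdict in classify(per_ip).items():
        covered = any(ipaddress.ip_address(ip) in ipaddress.ip_network(r) for r in blocked_ranges)
        report[ip] = {"verdict": verdict, "usernames": sorted(per_ip[ip]),
                      "covered_by_range": covered,
                      "add_blocks": [] if covered else neighbour_block(ip)}
    return report
```

Feeding a real auth log into `review()` gives the same per-IP verdicts; the usernames list is what separates a scripted wordlist run from a user mistyping their own password.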
 
An IP being listed on a particular blacklist does not mean that you are sending spam, just that that particular blacklist suggests not accepting mail directly from that IP address.
There are also services that provide a single location to check the status of the IP address on third-party blacklists.
 
Our IPs aren't in question; we maintain tight controls on our email servers to prevent spam abuse. However, one particular blacklist provider insists on being a dolt and listing us just because, many years before we went into business, someone had this IP address and sent spam.

The topic was blocking whole IP ranges due to their continued brute force or otherwise hacking attempts of the servers and network, not the sending or receiving of spam. Hopefully this clears things up a bit :)
 
It would be better to install firewall software, for example csf+apf; it will detect any suspicious activity and block only offending IPs automatically.
 
It would be better to install firewall software, for example csf+apf; it will detect any suspicious activity and block only offending IPs automatically.

This is not true.
You cannot install both csf and apf on the same install. If you have csf installed, the system will not allow apf to be installed, and vice versa.

So you can only install one of these firewalls.
 
Well, since blocking ChinaTelcom, we have only had a total of 10 attempts from other sources, all random, and reverting back to our previous method, blocking the IP on either side of the offending one, seems to cure that issue.

This experiment seems to have been worthwhile!
 
Sounds like a good deal for you then. If you're not targeting those specific regions to begin with, there's nothing wrong with blocking the entire country from seeing your site. We have a few country blocks setup for our sites, and it's just an easier way of working. An ecommerce account that I manage only ships their product within the US - so every country other than the US is blocked... that stops the searches etc. It doesn't stop proxy attempts, but it's a good weeding out at a basic level.

Happy to hear things are back on track for you again.
 
Sounds like a good deal for you then. If you're not targeting those specific regions to begin with, there's nothing wrong with blocking the entire country from seeing your site. We have a few country blocks setup for our sites, and it's just an easier way of working. An ecommerce account that I manage only ships their product within the US - so every country other than the US is blocked... that stops the searches etc. It doesn't stop proxy attempts, but it's a good weeding out at a basic level.

Happy to hear things are back on track for you again.

Thanks! It's been the best week of sleep ever! I don't specifically target our services to any country that is looking for a US provider, but I'm glad to hear that I am not committing the mortal sin of web hosting here!
 