Do you geo block? What do you use?
This tends to get people pretty upset but seems extremely simple to me. 9/10 attacks come from either Russia/eastern Europe or China. If you have no intention of serving customers outside of your intended demographic then why not just block everyone else?
Additionally for the providers here where have you found the most abuse of your services geographically speaking?
So if you do geo blocking what do you use? I have systems in place for webservers but want it instead for firewall. Changing the ssh port, removing root login, setting up fail2ban services and encryption certs is good practice. But perhaps there is a bigger hammer I can also use here that I'm unaware of.
Comments
csf
I admin or run some forums, websites, etc (and their underlying infrastructure), double digit million uniques per month.
The most non-automated (shady, linkspam, SEO, spam in signatures, email spam, etc) spam comes from Sri Lanka, Bangladesh, India, Pakistan, Philippines, Russia (a few specific small ISPs), and the dirty afrinic IP space with fake whois (mostly used by VPN providers I think)
The most automated (scan brute etc) attacks come from China, India, various US home ISPs, random eastern european countries
No geo blocking. Only blocking based on abuse history. Some netblocks are shadowbanned automatically like all of host1plus/DET/logicweb/cloudinnovation because they only originate spam and abuse and have no legitimate users.
That's the questionable part that gets some people upset. It doesn't do much for the open internet and it doesn't feel good to be told that one is "outside somebody's intended demographic." Since I live in Canada and get this from US marketing geniuses all the time, I don't feel it is right to apply it to others either.
I'm sure it does.
https://github.com/trick77/ipset-blacklist
I use this on every server exposed on the Internet. It doesn't increase security but the auth.log is smaller
Geo blocking can be setup in the config file like
http://ipverse.net/ipblocks/data/countries/xx.zone" # Ban an entire country, see http://ipverse.net/ipblocks/data/countri
or any IP v4 list you like.
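As an added example, not code from the ipset-blacklist project or from the poster above, here is a small Python script that turns a country zone file of the kind linked (one IPv4 CIDR per line, `#` comments) into an `ipset restore` file. The zone content is constructed inline so it runs offline, and the set name `country_block` is an assumption. It also drops RFC 1918 and loopback space, which a carelessly built public list can otherwise push into a DROP set on the host itself.

```python
#!/usr/bin/env python3
"""Turn country zone lists into an `ipset restore` file.

Added example; not code from the ipset-blacklist project or from the poster.
Zone files like the ipverse.net ones are plain text with one IPv4 CIDR per
line and '#' comments. The sample below is constructed so the script runs
offline, and the set name `country_block` is an assumption.
"""
import ipaddress

# Constructed sample in zone-file format (documentation ranges, not real country data).
SAMPLE_ZONE = """\
# sample zone file
203.0.113.0/24
198.51.100.0/25
198.51.100.128/25
192.0.2.0/24
192.0.2.0/26   # already inside the /24 above
not-an-address
10.0.0.0/8     # RFC 1918 space must never end up in a DROP set
"""

# Ranges a published list must never be allowed to block on the host itself.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_zone(text):
    """Return the IPv4 networks in a zone file, dropping comments, junk and private space."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # malformed entry; a production run would log it
        if net.version != 4:
            continue
        if any(net.subnet_of(keep) or keep.subnet_of(net) for keep in NEVER_BLOCK):
            continue
        nets.append(net)
    return nets


def build_restore(nets, setname="country_block"):
    """Merge adjacent/overlapping networks and render ipset restore syntax.

    Returns (merged_networks, restore_text). Fewer entries means a smaller set;
    the lookup itself is one hash probe per packet, not a walk over thousands of rules.
    """
    merged = list(ipaddress.collapse_addresses(nets))
    lines = [f"create {setname} hash:net family inet hashsize 1024 maxelem 65536"]
    lines += [f"add {setname} {net.with_prefixlen}" for net in merged]
    return merged, "\n".join(lines) + "\n"


def is_blocked(ip, merged):
    """Check one address against the merged list (useful for testing before loading)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in merged)


if __name__ == "__main__":
    nets = parse_zone(SAMPLE_ZONE)
    merged, restore = build_restore(nets)
    print(restore, end="")
    # Load on the host with:  ipset restore -exist < country_block.restore
    # and match it with:      iptables -I INPUT -m set --match-set country_block src -j DROP
```

The two `/25`s in the sample collapse into one `/24` and the `/26` disappears into the `/24` that already covers it, so the generated set is as small as the data allows; that is the difference between one set lookup per packet and the long linear rule chain that the bandwidth complaint further down this thread is about.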
There is a marked bandwidth loss if full countries are blocked. If iptables is large, most probably your box can perform sometimes 200-300Mbit/s even if you have 10gig connection... CSF traps or Imunify in webhosting server will give much better result.
No geo based blocking here for diverse reasons one of them being that VPNs have changed the game quite a bit.
I use a solution based on carefully grown list of offender IP ranges that gets reevaluated now and then. New offenders trigger an email to abuse at their IP range and the range is entered into a grey list and turns black automatically unless a clear positive response is received. An IP in the grey list that offends again turns black no matter the abuse people reaction and additionally said IP range holder is entered to a provider grey list, which then ...
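The grey/black escalation this post describes, written out as an added example rather than the poster's own engine. Everything concrete in it is an assumption: integer day numbers stand in for timestamps, the abuse address is passed in by the caller (a real deployment would look it up from whois), the seven-day grace period, that only black ranges are actually dropped, that a cleared range which offends again starts over as grey, and `send_mail` is injected so nothing is really sent. The provider grey list is kept as a plain set because the post does not say what happens to providers on it.

```python
#!/usr/bin/env python3
"""Abuse-driven grey/black listing of offender IP ranges.

Added example of the workflow described in the post; not the poster's code.
Day numbers replace timestamps so the example is deterministic and offline.
"""
from dataclasses import dataclass
from enum import Enum
import ipaddress


class Status(Enum):
    GREY = "grey"        # abuse desk notified, waiting for a reply
    BLACK = "black"      # dropped at the firewall
    CLEARED = "cleared"  # clear positive reply arrived before anything else happened


@dataclass
class RangeRecord:
    network: ipaddress.IPv4Network
    provider: str
    status: Status
    grey_since: int      # day number the range was greylisted (assumed representation)
    offences: int = 1


class AbuseLedger:
    """Grey/black list driven by abuse reports and by how the provider reacts."""

    def __init__(self, send_mail, grace_days=7):
        self.send_mail = send_mail    # callable(to_addr, body); injected, nothing is sent here
        self.grace_days = grace_days  # assumed: grey turns black after this many days of silence
        self.ranges = {}              # cidr string -> RangeRecord
        self.provider_grey = set()    # providers whose range re-offended while grey

    def _record_for(self, ip):
        addr = ipaddress.ip_address(ip)
        return next((r for r in self.ranges.values() if addr in r.network), None)

    def _notify(self, abuse_addr, ip, network):
        # Hypothetical report body; a real one would carry log excerpts and timestamps.
        self.send_mail(abuse_addr, f"Abuse report: {ip} in {network}")

    def report(self, ip, network, provider, abuse_addr, today):
        """Register one offence from `ip`; returns the range's resulting status."""
        rec = self._record_for(ip)
        if rec is None:
            # First offence from this range: mail the abuse desk and greylist the range.
            rec = RangeRecord(ipaddress.ip_network(network), provider, Status.GREY, grey_since=today)
            self.ranges[str(rec.network)] = rec
            self._notify(abuse_addr, ip, network)
            return rec.status
        rec.offences += 1
        if rec.status is Status.GREY:
            # Re-offence while grey: black regardless of any reply, and the provider is greylisted.
            rec.status = Status.BLACK
            self.provider_grey.add(provider)
        elif rec.status is Status.CLEARED:
            # Assumption: a cleared range that offends again restarts the cycle as grey.
            rec.status = Status.GREY
            rec.grey_since = today
            self._notify(abuse_addr, ip, network)
        return rec.status

    def positive_response(self, network):
        """A clear positive reply lifts a grey listing; a black one stays black (assumption)."""
        rec = self.ranges.get(network)
        if rec is not None and rec.status is Status.GREY:
            rec.status = Status.CLEARED
        return rec.status if rec else None

    def expire(self, today):
        """Grey ranges with no positive reply inside the grace period turn black."""
        turned = []
        for rec in self.ranges.values():
            if rec.status is Status.GREY and today - rec.grey_since >= self.grace_days:
                rec.status = Status.BLACK
                turned.append(str(rec.network))
        return turned

    def is_blocked(self, ip):
        rec = self._record_for(ip)
        return rec is not None and rec.status is Status.BLACK


if __name__ == "__main__":
    outbox = []
    ledger = AbuseLedger(lambda to, body: outbox.append((to, body)))
    ledger.report("203.0.113.5", "203.0.113.0/24", "ExampleNet", "abuse@example.net", today=0)
    ledger.report("203.0.113.77", "203.0.113.0/24", "ExampleNet", "abuse@example.net", today=2)
    print(outbox, ledger.is_blocked("203.0.113.9"), sorted(ledger.provider_grey))
```

`expire` is meant to be run from a daily job; `is_blocked` is what the firewall export would consult, emitting only the black ranges.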
Not if you use ipsets.
Impressive! I especially like the abuse email report...
Many people have businesses or sites that can't deal with foreign individuals or have no desire to do so. Not sure why you would take that personally.
@sureiam
Might sound like work I know but actually it's less cumbersome once the engine is nicely running. I also like the fact that the providers tell me a lot not so much by what they say which usually is canned but by how they react, how quickly they react and whether they really cut off the offenders.
Ya it's a bit of work for sure but worthwhile! Glad it's been done by someone! Any insight into the most responsive providers?
+1, you'll find a lot of blocklists (not only geoip) at https://github.com/firehol/blocklist-ipsets
I block Russia, Somalia, China, India, Bangladesh, Pakistan on my adsense sites. I got a lot of spam clicks and Adsense team had warned me once. There are WP plugins or you can set Country block in Cloudflare. It's just a matter of minutes. Entire country is blocked. This has benefited in increasing eRPM/RPM of my adsense account as maximum views are now coming only from U.S. and Canada and some parts in Europe.
Interesting I didn't even think of that (now fairly obvious) issue. Cloudflare is also not a bad option. Thanks for the insight
Hello,
LogicRemoved has a strict policy on spam or abuse on our IPs. Very strict in fact. Our IPs are clear across RBLs, SpamHaus, Cisco Talos, Outlook (SNDS), etc. We absolutely forbid mass mailing on our IPs, forbid false rDNS requests (spammy domains or fake sub-domains). We also forbid fake whois change requests.
Side note, we have massive demand for bulk IPv4 leasing at LogicRemoved due to the advantages we offer. Geolocation is submitted to at least 5 database providers and pulled daily, updated within a few days once their updates are pushed through publicly.
Hope that clears out any misconception or confusion.
ufw default deny incoming
ufw default deny outgoing
Problem solved.
sudo route del default
Fuck that...
sudo ip route flush table main
And peace.
NotsureIam
The grace of God and these two fingers..
Look for WAF.
Agree (Chennai, India). There are openly advertised companies running "clicks on ads" factories. The thing is the authorities and the public are ignorant about this. The people who work for these companies (mostly crowdsourced) don't even realize that they are doing something illegal even after explaining, and these companies are widely advertised on OLX, Quikr etc (like Craigslist, Gumtree)
I block large chunks with csf/ipset. Example: CN,IL,TW,TH,AG,MX,UY,RU.
I also use IP trap as a sort of honeypot, for the access attempts on Windoze-typical non-existent php files.
The most attacks come from USA & China.
Equally bad in my mind are the internal network port scans and broadcast packets, that providers prefer to ignore. Lusers that are mostly Windoze idiots. A subject for another thread?
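The "IP trap" idea from this post, as an added example that is not the poster's setup: a script that reads combined-format web server access log lines, counts 404 responses for `.php` paths per client, and prints `ipset add` commands for clients that cross a threshold. The log lines are constructed, and the set name `iptrap`, the threshold and the 24-hour timeout are assumptions. It is written for a site that serves no PHP at all; on a site that does, the allow-list parameter keeps real pages from counting.

```python
#!/usr/bin/env python3
"""Log-driven IP trap for requests to PHP files that do not exist on the server.

Added example, not the poster's own tooling. Reads Apache/nginx combined-format
access log lines (constructed sample below) and emits ipset commands for
clients that keep asking for .php paths that answer 404. Set name, threshold
and timeout are assumptions.
"""
import re
from collections import Counter

# One combined-format line: client, ident, user, [time], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (documentation addresses, invented paths).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2020:13:55:36 +0000] "GET /admin.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2020:13:55:37 +0000] "GET /setup.php?step=1 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2020:13:55:38 +0000] "POST /backup/index.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2020:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2020:13:56:02 +0000] "GET /old-page.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.3 - - [10/Oct/2020:13:57:10 +0000] "GET /contact.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is not in log format and is skipped
"""


def parse_line(line):
    """Return a dict with ip, method, path, status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec


def php_probe_counts(lines, known_php=frozenset()):
    """Count, per client IP, 404 responses for .php paths not on the site's allow-list."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        if rec["path"].lower().endswith(".php") and rec["path"] not in known_php:
            counts[rec["ip"]] += 1
    return counts


def trapped_ips(counts, threshold=2):
    """Clients at or above the threshold, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def ipset_commands(ips, setname="iptrap", timeout=86400):
    """Render ipset commands; the set is assumed created with `ipset create iptrap hash:ip timeout 86400`."""
    return [f"ipset add {setname} {ip} timeout {timeout} -exist" for ip in ips]


if __name__ == "__main__":
    counts = php_probe_counts(SAMPLE_LOG.splitlines())
    for cmd in ipset_commands(trapped_ips(counts)):
        print(cmd)
```

The threshold is there for the client at 198.51.100.7, which hit one stale `.php` link once and should not be trapped for it; the timeout on each entry lets ipset expire the address on its own, so the set does not grow without bound. The matching rule is the same `-m set --match-set iptrap src -j DROP` shape that the csf/ipset posts above rely on.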
Pretty smart to use a trojan to hack/attack I gotta say.
^ it's bloody plex,dropbox et al, set to broadcast, likely by default.
At least with webmin, for example, you need to manually search for other instances.
I block Apple useragents from the US and all IPs from India and Iran.
I use the maxmind lists
I'm satisfied.
We export the free firewall list from the following URL to block visitors by country.
https://www.ip2location.com/free/visitor-blocker
You don't need to block anyone and you don't need to do anything else. Just make your services secure (e.g. root login with key/decent password).
Mod edit: snipped
@LOGICWEB Did you really feel that it was necessary to ‘clarify’ on a six month old thread?