Thread: How to block the world?
-
07-04-2009, 09:14 PM #1 WHT Addict
- Join Date
- Jan 2005
- Location
- Shelbyville, TN
- Posts
- 118
How to block the world?
Hello,
I'm about tired of spam and hackers putting phishing items on my server.
My question is:
How can I block the whole world except for US, CA and UK?
I've added several countries to csf's csf.deny list but half of them keep disappearing.
Looking for a good solution here.
Thanks for any help you can give.
Robert
-
07-04-2009, 09:34 PM #2 Web Hosting Master
- Join Date
- Mar 2009
- Posts
- 634
I personally wouldn't do that. If I was hosting with someone and no one except people living in CA, US, or the UK could access my website, I would move to a new host.
-
07-04-2009, 10:09 PM #3 Newbie
- Join Date
- Jun 2009
- Posts
- 28
Ask your DC to block the range of IPs in the router... they will do that for you.
Thanks
Cyrus Aka Dave
-
07-04-2009, 10:20 PM #4 Web Hosting Master
- Join Date
- Apr 2003
- Location
- NC
- Posts
- 3,093
What DC is that? Any I have talked with would never block IPs for you like that in the router for a single client. If they had a hardware firewall they might suggest purchasing one though.
http://en.wikipedia.org/wiki/Classle...Domain_Routing
0.0.0.0/0 I believe will block all IPs. Then allow the countries you want in the allow file.
There are a few websites out there that will give you a list of IPs from a country - which are not always accurate.
John W, CISSP, C|EH
MS Information Security and Assurance
ITEagleEye.com - Server Administration and Security
Yawig.com - Managed VPS and Dedicated Servers with VIP Service
-
07-04-2009, 11:29 PM #5 Intangible Asset Appraiser
- Join Date
- Mar 2009
- Location
- Austin Tx
- Posts
- 2,007
I have a script that does this, but it's very easy to just put the iptables (can look up the countries wanted to block at ARIN) and block
Wanna block APNIC? Example -
iptables -A INPUT -s 112.0.0.0/8 -j DROP
iptables -A INPUT -s 113.0.0.0/8 -j DROP
iptables -A INPUT -s 115.0.0.0/8 -j DROP
iptables -A INPUT -s 116.0.0.0/8 -j DROP
iptables -A INPUT -s 117.0.0.0/8 -j DROP
iptables -A INPUT -s 118.0.0.0/8 -j DROP
iptables -A INPUT -s 119.0.0.0/8 -j DROP
iptables -A INPUT -s 120.0.0.0/8 -j DROP
iptables -A INPUT -s 121.0.0.0/8 -j DROP
iptables -A INPUT -s 122.0.0.0/8 -j DROP
iptables -A INPUT -s 123.0.0.0/8 -j DROP
iptables -A INPUT -s 124.0.0.0/8 -j DROP
iptables -A INPUT -s 125.0.0.0/8 -j DROP
iptables -A INPUT -s 126.0.0.0/8 -j DROP
This is the best signature in the world....Tribute!
(It is not the best signature in the world, no. This is just a tribute)
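Added example, not part of any post in this thread: for the allow-only-US/CA/UK case asked about above, one ipset lookup can replace one iptables rule per range. The sketch merges per-country CIDR lists, refuses to emit a set that would lock out the administrator, and renders `ipset restore` input. The set name `geo_allow`, the admin address and the CIDRs (documentation ranges) are constructed assumptions.

```python
import ipaddress

# Constructed sample data (documentation ranges) standing in for per-country
# CIDR lists obtained from a registry or GeoIP provider.
COUNTRY_CIDRS = {
    "US": ["198.51.100.0/25", "198.51.100.128/25", "192.0.2.0/24"],
    "CA": ["203.0.113.0/26"],
    "GB": ["203.0.113.64/26", "203.0.113.64/27"],
}

def build_allowlist(country_cidrs, countries):
    """Merge the chosen countries' CIDRs into the smallest equivalent set."""
    nets = [ipaddress.ip_network(cidr, strict=True)
            for cc in countries for cidr in country_cidrs[cc]]
    return list(ipaddress.collapse_addresses(nets))

def is_allowed(ip, allowlist):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)

def render_ipset_restore(allowlist, admin_ips, set_name="geo_allow"):
    """Text for `ipset restore`; refuses if an admin IP would be locked out."""
    locked_out = [ip for ip in admin_ips if not is_allowed(ip, allowlist)]
    if locked_out:
        raise ValueError(f"admin IPs not covered by allowlist: {locked_out}")
    lines = [f"create {set_name} hash:net family inet"]
    lines += [f"add {set_name} {net}" for net in allowlist]
    return "\n".join(lines) + "\n"

# Rules that consume the set (hypothetical set name geo_allow): loopback and
# established traffic are accepted first, then anything outside the set is dropped.
IPTABLES_RULES = [
    "iptables -A INPUT -i lo -j ACCEPT",
    "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A INPUT -m set ! --match-set geo_allow src -j DROP",
]

if __name__ == "__main__":
    allow = build_allowlist(COUNTRY_CIDRS, ["US", "CA", "GB"])
    print(render_ipset_restore(allow, admin_ips=["192.0.2.10"]), end="")
    print("\n".join(IPTABLES_RULES))
```

Country CIDR lists drift as allocations change, so the set needs regenerating on a schedule, with the lockout check run each time before loading.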
-
07-04-2009, 11:50 PM #6 Junior Guru
- Join Date
- Jun 2009
- Location
- Singapore
- Posts
- 205
If you're going to do it to your entire host, I suggest that you don't do it. I would be quite annoyed if my host only allows US, CA and UK people to access my site.
bikster.com - Quality Hosting. Affordable Prices.
Providing premium quality shared and reseller cPanel/WHM hosting at low prices!
Reseller cPanel/WHM hosting solutions that you can afford
-
07-05-2009, 12:32 AM #7 Intangible Asset Appraiser
- Join Date
- Mar 2009
- Location
- Austin Tx
- Posts
- 2,007
As for me, on the particular servers I do this on, the customers highly support it.
They don't sell to anything but North America, nor receive (or want to receive) email from the same.
Luckily, you can pick and choose the countries you want to block.
Suggesting someone doesn't do this is really pointless...that would be up to the individual employing and impact it would have. I would suggest carefully considering all the ramifications first. Of course, it's about as easy as it gets to undo in all or in part.
I have found that hack / bruteforce / spam has been decreased by almost 75%.
I would suggest checking with any paying clients on any boxes you block, to see if it would have any ill effect on their business.
Barring that, I have never had legitimate traffic from APNIC (example) that hasn't been some kind of hack / spam attempt.
For me, it works great. So much, I've had it published under my tech sites "giving back" section for any that want it. Both *nix / Win Iptables versions. Editable, of course.
-
07-05-2009, 12:34 AM #8 Retired Moderator
- Join Date
- Jan 2005
- Location
- Darwin, Australia
- Posts
- 1,339
Secure the server properly! Spam and phishing items being installed on your server regularly suggests your server isn't secure.
The only effective way I've heard of blocking entire country ranges without a hardware firewall is to use GeoIP.
CN, RU and PL are the most common culprits.
Web Hosting Plus
Premium Australian Web Hosting
-
07-05-2009, 01:00 AM #9 Intangible Asset Appraiser
- Join Date
- Mar 2009
- Location
- Austin Tx
- Posts
- 2,007
I block them (and have distributed a script that does so for years) quite effectively with IPTables. Country assigned IP blocks are public information from IANA.
http://www.iana.org/assignments/ipv4-address-space/
Pick 'n' choose.
-
07-05-2009, 01:38 AM #10 WHT Addict
- Join Date
- Jan 2005
- Location
- Shelbyville, TN
- Posts
- 118
My server is secured. I even had another admin take a look and he too said there was nothing more to be done. My next step is to start blocking. So far I blocked Romania, Pakistan, India, Singapore, Russia, China, Nigeria, and today Egypt because of another attempt.
So instead of just waiting for the next one I just want to block everyone that has no business to look at my server.
And thanks, I'll look up GeoIP.
-
07-05-2009, 06:16 AM #11 Web Hosting Master
- Join Date
- Nov 2001
- Location
- Vancouver
- Posts
- 2,422
"another attempt" - Question for the OP: what sort of attempt? Is this ssh dictionary style attacks you are talking about?
Re blocking for SMTP purposes, I do this but I don't block whole countries anymore. Used to but I haven't found it necessary due to refinements to how I deal with SMTP connections.
I now use GeoIP early on in the connection phase of every new SMTP connection; certain countries are given a weighted "risk" out of the gate; if other aspects of the SMTP connection are also suspect (no rdns, improper HELO, RBL inclusion, etc) the weight will cause the connection to almost certainly be dropped.
The worst offenders (X number of connections per minute, Y number simultaneous connections, from countries deemed suspect) get automatically added to a banned-ips list in a firewall rule set. Since the list gets built up automatically I don't keep it around on file; here's the contents following a recent flush.
Code:
smtp-offenders
186.56.73.49 AR, Argentina
211.27.146.226 AU, Australia
65.173.59.137 BO, Bolivia
187.4.195.137 BR, Brazil
189.106.120.215 BR, Brazil
189.12.136.200 BR, Brazil
189.121.211.4 BR, Brazil
189.31.178.59 BR, Brazil
189.75.121.172 BR, Brazil
189.80.25.130 BR, Brazil
201.14.89.87 BR, Brazil
201.36.232.5 BR, Brazil
201.78.137.91 BR, Brazil
62.40.68.4 CZ, Czech Republic
82.201.195.199 EG, Egypt
190.53.51.173 HN, Honduras
79.179.47.88 IL, Israel
123.142.20.162 KR, Korea, Republic of
189.238.30.166 MX, Mexico
80.203.61.236 NO, Norway
121.97.220.227 PH, Philippines
81.168.183.66 PL, Poland
93.185.181.154 RU, Russian Federation
94.181.42.138 RU, Russian Federation
95.68.183.134 RU, Russian Federation
217.199.231.249 UA, Ukraine
113.22.96.206 VN, Vietnam
125.214.50.186 VN, Vietnam
222.253.235.174 VN, Vietnam
222.253.95.16 VN, Vietnam
“Even those who arrange and design shrubberies are under
considerable economic stress at this period in history.”
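Added example, not the poster's code: a sketch of the weighted approach described in the post above, where the GeoIP country only gives a connection a head start and protocol signals (no rDNS, improper HELO, RBL listing) decide whether it is dropped, with rate offenders from suspect countries going to a ban list. Every weight, threshold and the placeholder country code `ZZ` is a hypothetical assumption; the post does not give its values.

```python
from dataclasses import dataclass

# Hypothetical values throughout: the post gives no weights, thresholds or
# country list. "ZZ" is a placeholder for a country the operator deems suspect.
COUNTRY_WEIGHT = {"ZZ": 3}
SIGNAL_WEIGHT = {"no_rdns": 3, "bad_helo": 2, "rbl_listed": 4}
DROP_AT = 6              # total weight at which the connection is dropped
MAX_PER_MINUTE = 20      # the post's "X number of connections per minute"
MAX_SIMULTANEOUS = 5     # the post's "Y number simultaneous connections"

@dataclass
class SmtpConn:
    ip: str
    country: str         # GeoIP result, looked up at connect time
    signals: frozenset   # subset of SIGNAL_WEIGHT keys seen on this connection
    per_minute: int = 0
    simultaneous: int = 0

def score(conn):
    """Country weight is only a head start; protocol signals add to it."""
    return COUNTRY_WEIGHT.get(conn.country, 0) + sum(
        SIGNAL_WEIGHT[s] for s in conn.signals)

def decide(conn):
    """Return 'ban' (add to the firewall list), 'drop' or 'accept'."""
    over_rate = (conn.per_minute > MAX_PER_MINUTE
                 or conn.simultaneous > MAX_SIMULTANEOUS)
    if over_rate and conn.country in COUNTRY_WEIGHT:
        return "ban"
    return "drop" if score(conn) >= DROP_AT else "accept"

def triage(conns):
    """Return (sorted banned IPs, per-IP decision) for a batch of connections."""
    decisions = {c.ip: decide(c) for c in conns}
    banned = sorted(ip for ip, d in decisions.items() if d == "ban")
    return banned, decisions

# Constructed sample connections (documentation addresses).
SAMPLE = [
    SmtpConn("192.0.2.1", "ZZ", frozenset()),                        # weight 3
    SmtpConn("192.0.2.2", "ZZ", frozenset({"no_rdns"})),             # 3 + 3
    SmtpConn("198.51.100.3", "US", frozenset({"no_rdns", "bad_helo"})),    # 5
    SmtpConn("198.51.100.4", "US", frozenset({"rbl_listed", "bad_helo"})), # 6
    SmtpConn("203.0.113.5", "ZZ", frozenset(), per_minute=50),       # rate offender
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```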
-
07-05-2009, 06:32 AM #12 ******* Unleaded
- Join Date
- Feb 2004
- Posts
- 3,849
edgedirector.com
managed dns global failover and load balance (gslb)
exactstate.com
uptime report for webhostingtalk.com
-
07-05-2009, 10:55 AM #13 WHT Addict
- Join Date
- Jan 2005
- Location
- Shelbyville, TN
- Posts
- 118
Somehow they're using a backdoor and placing phishing files on the server into clients' directories.
-
07-05-2009, 11:26 AM #14 Junior Guru Wannabe
- Join Date
- Mar 2009
- Location
- Near You..
- Posts
- 81
Using a hardware firewall or with GeoIP, you can do the same. It is sure that a properly hardened server will be protected from most of the phishing/spamming attempts. I would suggest you do a complete security audit and checks.
-
07-05-2009, 01:15 PM #15 Web Hosting Master
- Join Date
- Nov 2001
- Location
- Vancouver
- Posts
- 2,422
Locking down the backdoors would seem to be a priority then. Blocking IPs by country might be a useful short term measure, but if your server(s) are a sitting duck and they are determined to keep using it, they can always use a North American proxy to get at you.
Besides... there are plenty of bad guys in North America. In my current ssh block list (which was flushed earlier today) I have about 1/4 US and Canada addresses, a few less from Great Britain; the rest are mostly China and a few Colombia. When a block table has been collecting IP addresses for longer I tend to see most of the concentration from China and Vietnam; the remainder - perhaps 1/4 to 1/3 to 1/2 of the total - include US, CA and MX as well as a broad mix from some Latin American countries (CO, BR in particular), a few RU, PL, and other eastern Europeans. And a smattering of folks from NL, FR, IL, EG, and elsewhere.
My point is you may still see attacks even after blocking off most of the world. Updating or banning vulnerable userland software would seem to be necessary first.
-
07-05-2009, 01:31 PM #16 Web Hosting Master
- Join Date
- Apr 2002
- Location
- USA
- Posts
- 5,783
Safest thing to do is unplug it from the internet.
That way you can be the only one to access the server and it is then safe from hackers.