Which countries do you IP-block on general principle? - Page 2

  • ip_deny=am az bg by ge kg kz md ru tj tm ua uz ae af ao bf bh bi bj bw cd cf cg ci cm cv dj dz eg er et ga gh gm gn gq gw id il in io iq ir jo ke km kw lb lr ls ly ma mg ml mr mu mw mz na ne ng om pk ps qa rw sa sd sl sn so st sy sz td tg tn tr tz ug ye yt za zm zw cn kp mn mo
    
    Thanked by 1 AlwaysSkint
  • Take a look at Crowdsec for ip block lists. They have an IPS agent for many different products and a bouncer that can block based on their community feed and your IPS output. Like fail2ban on steroids.

  • I don't block any specific countries, but I run game servers and will kick any players connecting from any known VPN/Datacenter IPs as they're common for bots and ban evasion.

  • @jingfanqin said:
    Why block Chinese traffic? China usually accesses websites outside of China through a proxy.

    I get tons of SSH attacks and they mostly come from mainland Chinese IPs

  • @szymonp said:

    @jingfanqin said:
    Why block Chinese traffic? China usually accesses websites outside of China through a proxy.

    I get tons of SSH attacks and they mostly come from mainland Chinese IPs

    That's what hackers do, ordinary people just browse YouTube, Facebook.

  • Chinese B2B is great money, the general Chinese population? Terrible money, even once you get past the VPNs.

  • @SirFoxy said:

    Chinese B2B is great money, the general Chinese population? Terrible money, even once you get past the VPNs.

    I agree, there are some Chinese businessmen that I have encountered who are fantastic to deal with and very straight to the point vs the typical Western way, but the consumer mindset of filing disputes and chargebacks doesn't bode well in the Western markets.

    Add the VPNs, the wall, the language barrier, the consumer mindset, it's one hell of a challenge - but there are 1.6 billion people in China and that's gotta be worth something to the right person.

  • I see almost the same quantity of scans & hacking attempts from 'murica, as from IN, CN and RU. It's only the potential customers for my clients, that prevents it from being blocked too.
    I'd block AWS and Hetzner if it wasn't for the various service providers (Hetrix/Uptime/CSF/CWP) that naively use their servers.

    Thanked by 2 skorous dahartigan
  • @dahartigan said: 1.6 billion people rabbits..

    Thanked by 2 dahartigan bulbasaur
  • @tetech said:

    ip_deny=am az bg by ge kg kz md ru tj tm ua uz ae af ao bf bh bi bj bw cd cf cg ci cm cv dj dz eg er et ga gh gm gn gq gw id il in io iq ir jo ke km kw lb lr ls ly ma mg ml mr mu mw mz na ne ng om pk ps qa rw sa sd sl sn so st sy sz td tg tn tr tz ug ye yt za zm zw cn kp mn mo
    

    Nice, can I ask what firewall this syntax works on? This is much cleaner than using iptables.

  • AlwaysSkint Member
    edited April 2022

    @redcat said: This is much cleaner than using iptables

    CC_DENY = "RU,CN,TH,TW,IL,SG,AG,RO,SC,MX,KR,MD,EG,PK,IN,PH"
    
  • I don’t block whole countries, just single IPs when they’re annoying, and the whole /24 if multiple IPs in that range are annoying and do not really have a legitimate purpose to connect to the service.

  • Adam1 Member
    edited April 2022

    China, Russia, Ukraine, USA, Brazil, Indonesia

    Googlebot and Bing whitelisted.

    Google Cloud, Amazon, Azure, OVH, DO and a bunch of other ASNs blacklisted also.

    I also block non en-* accept-language headers

    UK service.

  • jar Patron Provider, Top Host, Veteran

    I don't block countries but I RBL most of chinanet which is kind of like blocking China. The ratio of good traffic to bad is far too high into the latter.

    Thanked by 2 webcraft Arkas
  • Adam1 Member

    @jingfanqin said:
    Why block Chinese traffic? China usually accesses websites outside of China through a proxy.

    I don't want Chinese customers.

  • titus Member

    I'm not blocking full countries, but I block full IP ranges (usually /24) which cause recurring or continuous problems (recurring port and vulnerability scans, WP attacks, etc. reported by the security tools in use). Most of them look like a simple malicious network, and some of them are a "shady" "security researcher network" who believe "they have the right to make security/network scans" without permission from the targets.

    Most of these IP ranges are from China, Russia, Netherlands, and some of them from USA & Germany. I block them because of the experienced malicious activity, not for political or other reasons.

  • dane_doherty Member
    edited April 2022

    @titus said: I block them because of the experienced malicious activity, not for political or other reasons.

    Yes, obviously not for political reasons, it's just that some countries have a negligible amount of genuine traffic, so it's easier to just block it all.

    @titus said: I'm not blocking full countries, but I block full IP ranges (usually /24)

    @let_rocks said: I don’t block whole countries, just single IPs when they’re annoying, and the whole /24 if multiple IPs in that range are annoying and do not really have a legitimate purpose to connect to the service.

    I never block single IPs nowadays, always a whole /24 block minimum.
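
Added example, not code from any poster in the thread: one way to turn a list of misbehaving IPv4 addresses into block entries following the rule described in the posts above (single addresses, or the whole /24 once several addresses in it are involved). The threshold value, the function names and the sample data are assumptions; the sample uses constructed documentation ranges.

```shell
#!/bin/sh
# Added example. Reads offending IPv4 addresses (first field of each line) and
# prints what to block: a whole /24 once at least <min> distinct addresses in
# it have misbehaved, otherwise the individual /32s.
# The threshold is an assumption; the posts only say "multiple IPs".

aggregate_offenders() {   # usage: aggregate_offenders <min> < offenders.txt
  awk -v min="$1" '
    {
      if (split($1, o, ".") != 4) next
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next   # not an IPv4 address
      if (seen[$1]++) next          # repeat hits from one address count once
      net = o[1] "." o[2] "." o[3]
      count[net]++
      hosts[net] = hosts[net] " " $1
    }
    END {
      for (net in count) {
        if (count[net] >= min) { print net ".0/24"; continue }
        m = split(hosts[net], h, " ")
        for (i = 1; i <= m; i++) print h[i] "/32"
      }
    }
  ' | LC_ALL=C sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

sample_offenders() {      # constructed input: documentation ranges only
  cat <<'EOF'
198.51.100.7 ssh
198.51.100.7 ssh
198.51.100.23 wp-login
198.51.100.200 portscan
203.0.113.5 ssh
192.0.2.9 portscan
192.0.2.10 ssh
999.1.1.1 malformed
not-an-ip
EOF
}

sample_offenders | aggregate_offenders 3
```

Counting distinct addresses rather than hits keeps one noisy host from getting its 255 neighbours blocked.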

  • dosai Member

    Block a /48 when a mindless idiot is trying to circumvent bans on IRC.

  • fynix Member

    JaLET butt kicked again and again.

  • @redcat said:

    @tetech said:

    ip_deny=am az bg by ge kg kz md ru tj tm ua uz ae af ao bf bh bi bj bw cd cf cg ci cm cv dj dz eg er et ga gh gm gn gq gw id il in io iq ir jo ke km kw lb lr ls ly ma mg ml mr mu mw mz na ne ng om pk ps qa rw sa sd sl sn so st sy sz td tg tn tr tz ug ye yt za zm zw cn kp mn mo
    

    Nice, can I ask what firewall this syntax works on? This is much cleaner than using iptables.

    Just a config file for a bash script that generates iptables rules.

  • Cybr Member

    @tetech said:

    ip_deny=am az bg by ge kg kz md ru tj tm ua uz ae af ao bf bh bi bj bw cd cf cg ci cm cv dj dz eg er et ga gh gm gn gq gw id il in io iq ir jo ke km kw lb lr ls ly ma mg ml mr mu mw mz na ne ng om pk ps qa rw sa sd sl sn so st sy sz td tg tn tr tz ug ye yt za zm zw cn kp mn mo
    

    Surely it would make more sense to use a whitelist if you're blacklisting most of the world? That way you also don't need to add every new country or island that becomes independent.

  • @Cybr said:

    @tetech said:

    ip_deny=am az bg by ge kg kz md ru tj tm ua uz ae af ao bf bh bi bj bw cd cf cg ci cm cv dj dz eg er et ga gh gm gn gq gw id il in io iq ir jo ke km kw lb lr ls ly ma mg ml mr mu mw mz na ne ng om pk ps qa rw sa sd sl sn so st sy sz td tg tn tr tz ug ye yt za zm zw cn kp mn mo
    

    Surely it would make more sense to use a whitelist if you're blacklisting most of the world? That way you also don't need to add every new country or island that becomes independent.

    Depends on the objective. IP lists are never 100% accurate and sometimes it is preferable to get false-negatives (allowing some range that shouldn't be) than false-positives (blocking some range that shouldn't be). The config gives the option to flip if the number of rules is less.
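
Added example, not tetech's script and not part of the thread: one way a shell script can expand an `ip_deny=` line like the one quoted above into ipset and iptables commands, including a flipped allow-list mode of the kind the reply mentions. The zone-file layout, the `ip_allow` key and the set name `geo` are assumptions; the sample ranges are constructed.

```shell
#!/bin/sh
# Added example. Prints ipset/iptables commands; it applies nothing itself.
# Assumptions: zone files <zone-dir>/<cc>.zone hold one IPv4 CIDR per line; the
# ip_allow key (the "flipped" mode) and the set name "geo" are hypothetical.

gen_rules() (   # usage: gen_rules <config-file> <zone-dir>   (runs in a subshell)
  LC_ALL=C; export LC_ALL
  conf=$1 zones=$2 mode="" list=""
  cidr='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
  set -f        # split the country list on whitespace, never glob-expand it
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ip_deny=*)  mode=deny;  list=${line#*=} ;;
      ip_allow=*) mode=allow; list=${line#*=} ;;
    esac
  done < "$conf"
  [ -n "$mode" ] || { echo "no ip_deny/ip_allow line in $conf" >&2; exit 1; }

  echo "ipset -exist create geo hash:net family inet"
  for cc in $list; do
    case $cc in
      [a-z][a-z]) ;;
      *) echo "skip invalid country code: $cc" >&2; continue ;;
    esac
    [ -r "$zones/$cc.zone" ] || { echo "skip $cc: no zone file" >&2; continue; }
    # Only well-formed CIDRs reach the firewall; comments and junk are dropped.
    grep -E "$cidr" "$zones/$cc.zone" | sed 's/^/ipset -exist add geo /'
  done
  if [ "$mode" = deny ]; then
    echo "iptables -I INPUT -m set --match-set geo src -j DROP"
  else
    # Flipped mode drops only NEW non-loopback connections from unlisted
    # sources, so replies to the server's own outbound traffic still pass.
    echo "iptables -I INPUT ! -i lo -m conntrack --ctstate NEW -m set ! --match-set geo src -j DROP"
  fi
)

demo() (        # constructed sample data: documentation ranges, not real allocations
  d=$(mktemp -d) || exit 1
  trap 'rm -rf "$d"' EXIT
  printf 'ip_deny=cn kp RU ru\n' > "$d/fw.conf"
  printf '192.0.2.0/24\n# comment\n198.51.100.0/33\n' > "$d/cn.zone"
  printf '203.0.113.0/24\n' > "$d/ru.zone"
  gen_rules "$d/fw.conf" "$d"
)
demo
```

A country code with no zone file is skipped with a warning, so in deny mode a missing file fails open and in the flipped mode it fails closed. The example covers IPv4 only.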

  • Cybr Member

    @tetech said:

    @Cybr said:

    @tetech said:

    ip_deny=am az bg by ge kg kz md ru tj tm ua uz ae af ao bf bh bi bj bw cd cf cg ci cm cv dj dz eg er et ga gh gm gn gq gw id il in io iq ir jo ke km kw lb lr ls ly ma mg ml mr mu mw mz na ne ng om pk ps qa rw sa sd sl sn so st sy sz td tg tn tr tz ug ye yt za zm zw cn kp mn mo
    

    Surely it would make more sense to use a whitelist if you're blacklisting most of the world? That way you also don't need to add every new country or island that becomes independent.

    Depends on the objective. IP lists are never 100% accurate and sometimes it is preferable to get false-negatives (allowing some range that shouldn't be) than false-positives (blocking some range that shouldn't be). The config gives the option to flip if the number of rules is less.

    I'd assume that you'd have a lot of false positives either way when blocking most countries by Geo IP data. Guessing you either don't host anything that reaches a wide audience, or you serve via a CDN like CloudFlare so it doesn't matter.

  • dane_doherty Member
    edited April 2022

    @Cybr said:

    @tetech said:

    @Cybr said:

    @tetech said:

    ip_deny=am az bg by ge kg kz md ru tj tm ua uz ae af ao bf bh bi bj bw cd cf cg ci cm cv dj dz eg er et ga gh gm gn gq gw id il in io iq ir jo ke km kw lb lr ls ly ma mg ml mr mu mw mz na ne ng om pk ps qa rw sa sd sl sn so st sy sz td tg tn tr tz ug ye yt za zm zw cn kp mn mo
    

    Surely it would make more sense to use a whitelist if you're blacklisting most of the world? That way you also don't need to add every new country or island that becomes independent.

    Depends on the objective. IP lists are never 100% accurate and sometimes it is preferable to get false-negatives (allowing some range that shouldn't be) than false-positives (blocking some range that shouldn't be). The config gives the option to flip if the number of rules is less.

    I'd assume that you'd have a lot of false positives either way when blocking most countries by Geo IP data. Guessing you either don't host anything that reaches a wide audience, or you serve via a CDN like CloudFlare so it doesn't matter.

    When using Cloudflare, you're supposed to block everything except their official IP ranges. If you're not doing it, that kinda defeats the purpose.

    https://www.cloudflare.com/ips/

  • Cybr Member

    @dane_doherty said:

    @Cybr said:

    @tetech said:

    @Cybr said:

    @tetech said:

    ip_deny=am az bg by ge kg kz md ru tj tm ua uz ae af ao bf bh bi bj bw cd cf cg ci cm cv dj dz eg er et ga gh gm gn gq gw id il in io iq ir jo ke km kw lb lr ls ly ma mg ml mr mu mw mz na ne ng om pk ps qa rw sa sd sl sn so st sy sz td tg tn tr tz ug ye yt za zm zw cn kp mn mo
    

    Surely it would make more sense to use a whitelist if you're blacklisting most of the world? That way you also don't need to add every new country or island that becomes independent.

    Depends on the objective. IP lists are never 100% accurate and sometimes it is preferable to get false-negatives (allowing some range that shouldn't be) than false-positives (blocking some range that shouldn't be). The config gives the option to flip if the number of rules is less.

    I'd assume that you'd have a lot of false positives either way when blocking most countries by Geo IP data. Guessing you either don't host anything that reaches a wide audience, or you serve via a CDN like CloudFlare so it doesn't matter.

    When using Cloudflare, you're supposed to block everything except their official IP ranges. If you're not doing it, that kinda defeats the purpose.

    https://www.cloudflare.com/ips/

    When using CloudFlare, your web server should be configured to only respond to requests from CloudFlare, and the IP used should never be associated with anything related to the hosted site in the first place. That's different to blocking all access to the IP on a machine or network level.

  • dane_doherty Member
    edited April 2022

    @Cybr said: When using CloudFlare, your web server should be configured to only respond to requests from CloudFlare

    What does that mean exactly? Cloudflare's requests don't really have any characteristics that cannot be trivially spoofed. Spoofing TCP source address is out of reach for most people.

  • Cybr Member

    @dane_doherty said:

    @Cybr said: When using CloudFlare, your web server should be configured to only respond to requests from CloudFlare

    What does that mean exactly? Cloudflare's requests don't really have any characteristics that cannot be trivially spoofed. Spoofing TCP source address is out of reach for most people.

    Filtering by source IP is fine. I just meant you only need to restrict the web server to the CloudFlare source IP range, not the entire network interface. The restriction is primarily to prevent spiders and other scanners from discovering the undisclosed IP of the server and leaking it.

    Even better, you could have no web server listening on a public IP and create an outbound Argo tunnel to CloudFlare.
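
Added example, not code from the thread: one way to restrict only the web server, rather than the whole interface, to the CDN's source ranges, by generating an nginx allow-list from a file of CIDR ranges such as one saved from the page linked in the quoted post. The function name, the include layout and the constructed sample ranges are assumptions.

```shell
#!/bin/sh
# Added example. Builds an nginx allow-list so one server block answers only
# the CDN's proxies; other services on the machine are left untouched.
# Input on stdin: CIDR ranges, one per line. Output: an nginx include snippet.

cf_allowlist() (   # usage: cf_allowlist < ranges.txt > cdn-allow.conf
  v4='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
  v6='^[0-9A-Fa-f]*:[0-9A-Fa-f:]*/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'
  # Strip CR from downloaded files, keep only well-formed ranges, de-duplicate.
  ranges=$(tr -d '\r' | grep -E -e "$v4" -e "$v6" | LC_ALL=C sort -u)
  # An empty or failed download must not become a lone "deny all;" (outage)
  # or an empty include (origin open to everyone): refuse, keep the old file.
  [ -n "$ranges" ] || { echo "no valid ranges on input" >&2; exit 1; }
  echo "# include inside the server { } block of the proxied site only"
  printf '%s\n' "$ranges" | sed 's/^/allow /; s/$/;/'
  echo "deny all;"
  # Caveat: if ngx_http_realip_module rewrites the client address from a
  # proxy header, allow/deny test the visitor's address, not the proxy's.
)

# Constructed sample input (documentation ranges, not the real published list).
printf '192.0.2.0/24\r\n2001:db8::/32\nbogus\n192.0.2.0/24\n' | cf_allowlist
```

Write the output to a temporary file and swap it in only when the function succeeds, so a bad download never replaces a working list.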

  • Any example on blocking DigitalOcean IPs?

  • kevinds Member, LIR

    I don't block my country, I block based on traffic.. Number of honeypots and blacklists though.

    The biggest problem I had with country blocklists is every now, especially obscure Linux packages, are hosted there..

    Most of my blocklists are done at the network edge. Individual servers may have different blocklists, but I primarily deal with the network itself.

    SSH bots I just ignore.. Trying to brute-force the login, I don't really care.. They are not getting in.. Simply turning off SSH password authentication stopped most of them anyways.. SSH connection will ask for a username but disconnects before showing the password prompt.. They move on pretty quickly, the annoying systems are ones without the 'PasswordAuthentication no' option though.

    Thanked by 1 bulbasaur