Need advice on blocking countries with iptables

So I woke up to this today...

Thankfully Wordfence was blocking the IP automatically for trying to log in with a user that doesn't exist.

It's still going on. I know I've seen someone here say to block entire countries with ipset. I tried a few guides on the internet that used a script to import the IP ranges to block, but those didn't work. Instead I did this. I was just curious: is this just as effective? Is there anything else I need to do? Is there a more effective solution?
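An added example in POSIX sh (not the OP's method or any poster's script) of the ipset approach the thread discusses: it validates a CIDR list, emits an `ipset restore` stream for a `hash:net` set that a single `iptables -m set` rule can match, and checks an address against a range offline the way `ipset test` would on a live set. The set name and ranges are constructed placeholders, not real country allocations.

```shell
#!/bin/sh
# Added example (not the poster's script): build an ipset "hash:net" set from
# a CIDR list, ready for one "iptables -m set" rule, and check membership
# offline. The ranges used here are constructed placeholders, not real
# country allocations.

# Return 0 if $1 is a well-formed IPv4 CIDR (a.b.c.d/n), else 1.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read CIDRs from stdin (blank lines and '#' comments ignored) and print an
# "ipset restore" stream for set $1. Malformed lines are reported on stderr
# and skipped instead of aborting the whole import.
gen_ipset_restore() {
    printf 'create %s hash:net family inet\n' "$1"
    while read -r cidr; do
        case "$cidr" in ''|\#*) continue ;; esac
        if valid_cidr "$cidr"; then
            printf 'add %s %s\n' "$1" "$cidr"
        else
            printf 'skipping malformed range: %s\n' "$cidr" >&2
        fi
    done
}

# Dotted IPv4 (assumed well-formed) to a 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 falls inside CIDR $2 (what "ipset test" reports live).
in_cidr() {
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}
```

Load the generated stream with `ipset -exist restore < file` and attach one rule such as `iptables -I INPUT -m set --match-set blocked src -j DROP`; the whole list then costs a single rule lookup however many ranges it holds.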

Comments

  • Nyr Community Contributor, Veteran

    I don't understand why people block entire countries (exceptions apply).

    Plenty of abuse comes from the US and I guess you aren't going to block their entire IP space?

  • dedicados Member
    edited January 2016

    Nyr said: I don't understand why people block entire countries (exceptions apply).

    I block many countries that I don't need to access my webs. Only on some servers, of course.

    for example TN,RU,PL,VN,SK,GE,BG,RO,HU,UA,IL,CN,TR,KG,IN,ID,KZ,AZ,TW

    Failed access attempts and blocked IPs in the firewall get reduced by 80%.

  • Russia, top hackers!

  • @Nyr that is a fair point, but no one from the US has tried to log in as admin 1500+ times, and my personal blog's target audience isn't exactly Russia.

  • raindog308 Administrator, Veteran

    Nyr said: I don't understand why people block entire countries (exceptions apply).

    100% of the traffic I get from .CN is people trying to hack in.

    100% of the traffic I get from .RU is people trying to hack in.

    Lather, rinse, repeat.

  • Nyr Community Contributor, Veteran

    Maybe you guys are running very localized services, I don't know...

    I certainly wouldn't risk blocking legitimate visitors. Especially since I don't care about brute-force bots anyway; they aren't going to obtain anything.

    And then, I could always block individual IPs/subnets or even ASNs and not entire countries.

    But well, just my point of view.

  • Is Wordfence keeping track of all IPs it blocks? Your DB will grow to an insane amount, lol.

    Just make an admin with a 30-char username and a 64-char password on KeePassX. Good luck bruteforcing that.

    Also you can try to IP-restrict the login/xmlrpc files. I tried it with nginx and Apache, but messed things up.

    Legendlink said: Thankfully Wordfence was blocking the IP automatically for trying to log in with a user that doesn't exist.

    It's still going on. I know I've seen someone here say to block entire countries with ipset. I tried a few guides on the internet that used a script to import the IP ranges to block, but those didn't work. Instead I did this. I was just curious: is this just as effective? Is there anything else I need to do? Is there a more effective solution?

  • IP-restrict /wp-login.php and /wp-admin and/or just toss an htaccess basic auth login form in front of it. Done deal.

  • Why don't those Russian hackers use western VPNs or proxies for their requests (not advising that they do this lol)?

  • @mikeyur said:
    IP-restrict /wp-login.php and /wp-admin and/or just toss an htaccess basic auth login form in front of it. Done deal.

    For those of us who prefer nginx: https://www.digitalocean.com/community/tutorials/how-to-set-up-http-authentication-with-nginx-on-ubuntu-12-10

  • raindog308 Administrator, Veteran

    Nyr said: Maybe you guys are running very localized services, I don't know...

    Yeah, that's fair. If I were running some kind of global service or a forum, that would be different.

  • Thanks @Traffic, I will do that, as I don't have a static IP to only allow mine to access wp-admin.

    @GM2015 it was blocking them for 1 day but now they are blocked using the method I linked to in the OP.

  • @Traffic said:
    For those of us who prefer nginx

    htaccess auth/http auth - same shit, figured someone would understand what I meant. Basically just stop bots from finding wp-login.php or /wp-admin/* and they'll give up.

  • @mikeyur said:
    htaccess auth/http auth - same shit, figured someone would understand what I meant. Basically just stop bots from finding wp-login.php or /wp-admin/* and they'll give up.

    Sure thing. I meant that's how to achieve it on nginx.

  • JustAMacUser Member
    edited January 2016

    On all WordPress sites I manage I have wp-login.php rate-limited. I don't track the rate-limiting by IP, I just limit. The number of registered users for each site is small (on my sites I don't allow guests/visitors to register; only people who need to post, etc.) so keeping the rate-limit that restricted is not a huge concern. The advantage to the rate-limiting is that eventually the attacker is cut off completely; the PHP interpreter never gets invoked and Nginx being the champ it is deflects the brunt of the assault.

    On one WordPress site where the admin insisted on having an incredibly weak password because he "didn't care and it doesn't matter," I actually disabled password authentication altogether and instead wrote a plugin to authenticate with client certificates.

  • Pic related

  • @Legendlink Can I get a list of those malicious IPs via PM? :) I imagine they're server IPs that are trying to brute force your login.

  • Mun Member

    You can block bad ASNs via https://enjen.net/asn-blocklist/

  • @ManofServer said:
    Why don't those Russian hackers use western VPNs or proxies for their requests (not advising that they do this lol)?

    Maybe cuz they have no money?

  • If you want to block HTTP only, use nginx: https://www.howtoforge.com/nginx-how-to-block-visitors-by-country-with-the-geoip-module-debian-ubuntu I can tell you this is very effective, because nginx can serve thousands of 403 pages in one second.
    Or you could use fail2ban on your Linux box and forget about blocking entire countries.
    http://www.fail2ban.org/wiki/index.php/Main_Page

  • peixotorms said: Or you could use fail2ban

    Exactly. And just set "bantime = 500000" which blocks them for most of the week. That way your iptables doesn't collect too much cruft.

  • fail2ban + ipset + modules/plugins to protect login pages & block spammy comments, etc FTW

  • JustAMacUser said: I actually disabled password authentication altogether and instead wrote a plugin to authenticate with client certificates.

    Kudos. I use the same method plus whitelist-only access, when practical, for web-based admin panel access.

  • Blocking whole countries may work in practice for the intended purpose. But it just doesn't seem like the right way to go on principle.

  • linuxthefish Member
    edited January 2016

    IMO it's faster to use "route add -net 8.8.8.0(/24) gw 127.0.0.1 lo" to stop communications than iptables when you have a large number of subnets or IPs.
