Suddenly hit from lots of different places today.
-
Our web server seems to have become a target this morning. Every single one of them is trying to hit ftpd. While pure-ftpd service does respond on port 21, nothing is actually allowed to connect or do anything through ftp (simple honeypot.)
8:21AM 77.222.103.190 User:test
8:25AM 94.240.247.136 User:test@domain
8:30AM 176.41.208.200 User:admin
8:35AM 179.218.83.197 User:test
8:48AM 37.21.253.162 User:test
My notifications only fire off after 7 authentication failures, so this is a lot in a short amount of time.
No such thing as coincidence, and I had been down to only getting one of these a week. Worldwide hacking attempts on our tiny little corner of the net. Don't know whether this is helpful for anyone else or not, but figured it can't hurt to get it out as part of the public record. Meanwhile, apparently I get to play whack a mole today.
-
8:45AM 31.8.66.206 User:demo
8:45AM 46.33.250.164 User:demo
Looking like Ukraine and Russia for the most part.
-
So is it time to geo-restrict access?
-
@DustinB3403 said in Suddenly hit from lots of different places today.:
So is it time to geo-restrict access?
If I had a good way to get that done, yes. That alone would have cut this down to 1 or 2 instead of a new one every time Thunderbird does a refresh.
Is there a list of IP addresses for different regions somewhere? I'm kinda busy playing whack a mole at the moment to go look myself.
-
What firewall are you using?
-
@DustinB3403 said in Suddenly hit from lots of different places today.:
What firewall are you using?
iptables (still CentOS6 base.) Tho cPanel was included with it, so I have other management options... one guess which way I prefer to manage it
-
@DustinB3403 said in Suddenly hit from lots of different places today.:
Looks like I need to install ipset on CentOS6, and I should be able to block by country then, yay!
-
Is there really much of a point geo blocking when it's usually hacked bots that are hammering on our servers?
-
@Mike-Davis said in Suddenly hit from lots of different places today.:
Is there really much of a point geo blocking when it's usually hacked bots that are hammering on our servers?
And when geo-detection is so poor. Nearly everything that I do in Texas shows up as Ontario, Canada. Literally everything that I use identifies me as being in Canada.
-
The splintering of IPv4 space has definitely wreaked havoc on geo assessing.
-
In Soviet Russia, IP address blocks you!
-
@scottalanmiller said in Suddenly hit from lots of different places today.:
@Mike-Davis said in Suddenly hit from lots of different places today.:
Is there really much of a point geo blocking when it's usually hacked bots that are hammering on our servers?
And when geo-detection is so poor. Nearly everything that I do in Texas shows up as Ontario, Canada. Literally everything that I use identifies me as being in Canada.
That's fucked up - I always get Michigan!
-
@RojoLoco said in Suddenly hit from lots of different places today.:
In Soviet Russia, IP address blocks you!
How'd you know it's the Russians?
-
@travisdh1 said in Suddenly hit from lots of different places today.:
@RojoLoco said in Suddenly hit from lots of different places today.:
In Soviet Russia, IP address blocks you!
How'd you know it's the Russians?
Who just happened to start at 8:21AM EST...... cluestick anybody?
-
We use ConfigServer Firewall/ CSF on all our servers (CentOS7 now, previously was on CentOS6)
It's a Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers. It is based on iptables and blocks a decent level of attacks very well. Our CSF regularly blocks (first temporarily for some time, and then, if the attack/invalid connection attempts continue, a permanent block) and we get notified.
A few details from an email I received today!
109.111.112.178 (AD/Andorra/mx2.andorsoft.ad) blocked for port scanning
Time: Wed Nov 9 20:56:53 2016 +0400
IP: 109.111.112.178 (AD/Andorra/mx2.andorsoft.ad)
Hits: 11
Blocked: Temporary Block
122.117.160.65 (TW/Taiwan/122-117-160-65.HINET-IP.hinet.net) blocked for port scanning
Time: Wed Nov 9 18:53:12 2016 +0400
IP: 122.117.160.65 (TW/Taiwan/122-117-160-65.HINET-IP.hinet.net)
Hits: 11
Blocked: Permanent Block
CSF also has an option to block an entire country; however, they warn that using country-level filtering will negatively impact performance and you will notice slower response times on your websites. This is due to the sheer size of the CIDR range lists (the list for the U.S. is 621K in plain text and contains more than 37,000 entries) and the fact that the firewall must check each incoming IP address against the chosen list(s).
Another feature I really like is the option to perform a basic security, stability and settings check. A sample screenshot of a server check: the green ones are OK, the pink ones are to be fixed.
https://i.imgur.com/XyqiBmx.png
On the latest version it even has an option to send scheduled reports on this security check as new versions could have more checks.
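The ipset route mentioned earlier in the thread also bears on the list-size concern in the post above: a `hash:net` set is matched by a single iptables rule using a hashed lookup instead of one rule per range. The following is an added example, not part of any post and not CSF's own code; the set name, the zone-file argument and the sample ranges are assumptions.

```shell
#!/bin/sh
# Added example. SET_NAME, the zone-file argument and the sample ranges are
# assumptions for illustration, not values taken from the thread.
SET_NAME="${SET_NAME:-geoblock}"

# Print an `ipset restore` script for the CIDR file in $1.
# Blank lines and '#' comments are ignored, duplicates are dropped, and
# anything that is not a.b.c.d/1-32 is reported on stderr and skipped
# (hash:net cannot store a /0, and one typo should not abort the load).
build_restore() {
    awk -v set="$SET_NAME" '
        BEGIN { print "create " set " hash:net family inet maxelem 262144" }
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }
        $0 == "" { next }
        {
            n = split($0, p, "/"); m = split(p[1], o, ".")
            ok = (n == 2 && m == 4 && p[2] ~ /^[0-9]+$/ && p[2] + 0 >= 1 && p[2] + 0 <= 32)
            for (i = 1; ok && i <= 4; i++)
                ok = (o[i] ~ /^[0-9]+$/ && o[i] + 0 <= 255)
            if (!ok) { print "skipped: " $0 > "/dev/stderr"; next }
            if (!seen[$0]++) print "add " set " " $0
        }' "$1"
}

# Load the set and add ONE iptables rule for the FTP control port.
# Needs root plus the ipset and iptables tools.
apply_block() {
    build_restore "$1" | ipset -exist restore || return 1
    # Skip the insert if a rule for this set is already in INPUT.
    iptables -S INPUT | grep -q -- "--match-set $SET_NAME src" ||
        iptables -I INPUT -p tcp --dport 21 -m set --match-set "$SET_NAME" src -j DROP
}

# Constructed sample list (documentation ranges), written to the path in $1.
write_sample() {
    printf '%s\n' '# constructed sample' '192.0.2.0/24' \
        '198.51.100.0/24   # inline comment' '198.51.100.0/24' \
        '203.0.113.7/33' '0.0.0.0/0' > "$1"
}

case "${1:-}" in
    preview) build_restore "$2" ;;   # print what would be loaded
    apply)   apply_block "$2" ;;     # actually load it (root)
esac
```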
-
@travisdh1 said in Suddenly hit from lots of different places today.:
@RojoLoco said in Suddenly hit from lots of different places today.:
In Soviet Russia, IP address blocks you!
How'd you know it's the Russians?
Because you said
@travisdh1 said in Suddenly hit from lots of different places today.:
8:45AM 31.8.66.206 User:demo
8:45AM 46.33.250.164 User:demo
Looking like Ukraine and Russia for the most part.
Plus that joke wouldn't work if the attackers were in Alsace-Lorraine or Burkina Faso.
-
@Ambarishrh I saw that, doesn't really give me anything beyond what cPHulk is doing already. Might have to try it on some local systems tho.
-
I'd just K-Line the whole /16 subnet and be done with it and see if that slows it down.