ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Suddenly hit from lots of different places today.

    Scheduled Pinned Locked Moved IT Discussion
    securityhackbrute forceattack
    34 Posts 10 Posters 5.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • travisdh1T
      travisdh1
      last edited by

      8:45AM 31.8.66.206 User:demo
      8:45AM 46.33.250.164 User:demo

      Looking like Ukraine and Russia for the most part.

      1 Reply Last reply Reply Quote 1
      • DustinB3403D
        DustinB3403
        last edited by

        So is it time to geo-restrict access?

        travisdh1T 1 Reply Last reply Reply Quote 0
        • travisdh1T
          travisdh1 @DustinB3403
          last edited by

          @DustinB3403 said in Suddenly hit from lots of different places today.:

          So is it time to geo-restrict access?

          If I had a good way to get that done, yes. That alone would have cut this down to 1 or 2 instead of a new one every time Thunderbird does a refresh.

          Is there a list of IP addresses for different regions somewhere? I'm kinda busy playing whack a mole at the moment to go look myself 😞

          1 Reply Last reply Reply Quote 0
          • DustinB3403D
            DustinB3403
            last edited by

            What firewall are you using?

            travisdh1T 1 Reply Last reply Reply Quote 0
            • travisdh1T
              travisdh1 @DustinB3403
              last edited by

              @DustinB3403 said in Suddenly hit from lots of different places today.:

              What firewall are you using?

              iptables (still CentOS6 base.) Tho cPanel was included with it, so I have other management options... one guess which way I prefer to manage it 😉

              1 Reply Last reply Reply Quote 0
              • DustinB3403D
                DustinB3403
                last edited by DustinB3403

                Here is what you'll want to do.

                And here will outline the reject functions.

                travisdh1T 1 Reply Last reply Reply Quote 0
                • DustinB3403D
                  DustinB3403
                  last edited by

                  Here is yet another topic on this process as well.

                  1 Reply Last reply Reply Quote 0
                  • travisdh1T
                    travisdh1 @DustinB3403
                    last edited by

                    @DustinB3403 said in Suddenly hit from lots of different places today.:

                    Here is what you'll want to do.

                    And here will outline the reject functions.

                    Looks like I need to install ipset on CentOS6, and I should be able to block by country then, yay!

                    1 Reply Last reply Reply Quote 0
                    • Mike DavisM
                      Mike Davis
                      last edited by

                      Is there really much of a point geo blocking when it's usually hacked bots that are hammering on our servers?

                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @Mike Davis
                        last edited by

                        @Mike-Davis said in Suddenly hit from lots of different places today.:

                        Is there really much of a point geo blocking when it's usually hacked bots that are hammering on our servers?

                        And when geo-detection is so poor. Nearly everything that I do in Texas shows up as Ontario, Canada. Literally everything that I use identifies me as being in Canada.

                        MattSpellerM 1 Reply Last reply Reply Quote 1
                        • DashrenderD
                          Dashrender
                          last edited by

                          The splintering of IPv4 space has definitely wreaked havoc on geo assessing.

                          1 Reply Last reply Reply Quote 1
                          • RojoLocoR
                            RojoLoco
                            last edited by

                            In Soviet Russia, IP address blocks you!

                            travisdh1T 1 Reply Last reply Reply Quote 5
                            • MattSpellerM
                              MattSpeller @scottalanmiller
                              last edited by

                              @scottalanmiller said in Suddenly hit from lots of different places today.:

                              @Mike-Davis said in Suddenly hit from lots of different places today.:

                              Is there really much of a point geo blocking when it's usually hacked bots that are hammering on our servers?

                              And when geo-detection is so poor. Nearly everything that I do in Texas shows up as Ontario, Canada. Literally everything that I use identifies me as being in Canada.

                              That's fucked up - I always get Michigan!

                              1 Reply Last reply Reply Quote 0
                              • travisdh1T
                                travisdh1 @RojoLoco
                                last edited by

                                @RojoLoco said in Suddenly hit from lots of different places today.:

                                In Soviet Russia, IP address blocks you!

                                How'd you know it's the Russians?

                                travisdh1T RojoLocoR 2 Replies Last reply Reply Quote 0
                                • travisdh1T
                                  travisdh1 @travisdh1
                                  last edited by

                                  @travisdh1 said in Suddenly hit from lots of different places today.:

                                  @RojoLoco said in Suddenly hit from lots of different places today.:

                                  In Soviet Russia, IP address blocks you!

                                  How'd you know it's the Russians?

                                  Who just happened to start at 8:21AM EST...... cluestick anybody?

                                  1 Reply Last reply Reply Quote 0
                                  • AmbarishrhA
                                    Ambarishrh
                                    last edited by Ambarishrh

                                    We use ConfigServer Firewall/ CSF on all our servers (CentOS7 now, previously was on CentOS6)

                                    Its a Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers. It is based on IP tables and very well block a decent level of attacks. Our CSF logs regularly blocks (first temporarily for some time and then if attack/invalid connection attempt continues then permenant block) and we get notified.

                                    Few details from an email i received today! 🙂

                                    109.111.112.178 (AD/Andorra/mx2.andorsoft.ad) blocked for port scanning
                                    Time: Wed Nov 9 20:56:53 2016 +0400
                                    IP: 109.111.112.178 (AD/Andorra/mx2.andorsoft.ad)
                                    Hits: 11
                                    Blocked: Temporary Block

                                    22.117.160.65 (TW/Taiwan/122-117-160-65.HINET-IP.hinet.net) blocked for port scanning
                                    Time: Wed Nov 9 18:53:12 2016 +0400
                                    IP: 122.117.160.65 (TW/Taiwan/122-117-160-65.HINET-IP.hinet.net)
                                    Hits: 11
                                    Blocked: Permanent Block

                                    CSF has also option to block the entire country, however they warn that using country-level filtering will negatively impact performance and you will notice slower response times on your websites. This is due to the sheer size of the CIDR range lists (the list for the U.S. is 621K in plain text and contains more than 37,000 entries) and the fact that the firewall must check each incoming IP address against the chosen list(s).

                                    Another feature i really like is the option to perform a basic security, stability and settings. A sample screenshot of a server check. Green ones are ok the the pink ones to be fixed.

                                    XyqiBmx.png

                                    On the latest version it even has an option to send scheduled reports on this security check as new versions could have more checks.

                                    travisdh1T 1 Reply Last reply Reply Quote 0
                                    • RojoLocoR
                                      RojoLoco @travisdh1
                                      last edited by

                                      @travisdh1 said in Suddenly hit from lots of different places today.:

                                      @RojoLoco said in Suddenly hit from lots of different places today.:

                                      In Soviet Russia, IP address blocks you!

                                      How'd you know it's the Russians?

                                      Because you said

                                      @travisdh1 said in Suddenly hit from lots of different places today.:

                                      8:45AM 31.8.66.206 User:demo
                                      8:45AM 46.33.250.164 User:demo

                                      Looking like Ukraine and Russia for the most part.

                                      Plus that joke wouldn't work if the attackers were in Alsace-Lorraine or Burkina Faso.

                                      1 Reply Last reply Reply Quote 1
                                      • travisdh1T
                                        travisdh1 @Ambarishrh
                                        last edited by

                                        @Ambarishrh I saw that, doesn't really give me anything beyond what cPHulk is doing already. Might have to try it on some local systems tho.

                                        AmbarishrhA 1 Reply Last reply Reply Quote 0
                                        • dafyreD
                                          dafyre
                                          last edited by

                                          I'd just K-Line the whole /16 subnet and be done with it and see if that slows it down.

                                          MattSpellerM travisdh1T 2 Replies Last reply Reply Quote 1
                                          • MattSpellerM
                                            MattSpeller @dafyre
                                            last edited by

                                            @dafyre said in Suddenly hit from lots of different places today.:

                                            I'd just K-Line

                                            I suspect that you may be unaware of the meaning that phrase has elsewhere lol

                                            dafyreD 1 Reply Last reply Reply Quote 1
                                            • 1
                                            • 2
                                            • 1 / 2
                                            • First post
                                              Last post