Subj : IP Block Lists
To   : Warpslide
From : deon
Date : Sun Mar 20 2022 09:44:50

Re: IP Block Lists
By: Warpslide to All on Fri Mar 18 2022 10:22 pm

Howdy,

> I have a web server accessible to the public, which as expected was getting hammered with various bots & script kiddies.
>
> I've set up an IP blocklist for the usual suspects, but I was noticing a lot of malicious traffic from California, Germany, The
> Netherlands & the UK as well.
>
> Not wanting to block those countries out entirely I decided to dig a little deeper and noticed that many of these addresses had one
> thing in common: They're coming from Digital Ocean.

Yeah, I've always thought that "country" blocking would never last (just like "unknown caller blocking on your phone", or even now answering calls with a caller id) - spammers get around it as quickly as we decide to implement it.

For the same reason, blocking "Digital Ocean" won't last - they'll find another low cost VPS platform to invest in.

One thing that I do (with web anyway), is to block "ip address" connections - so http://1.2.3.4 (if 1.2.3.4 was my ip address) would return 444. You have to use my proper domain name to get the web server to respond to it.

While this has been working well, it obviously doesn't stop spammers trying - but they do need to have a current url list (instead of programming their bots to try all IP addresses).

If I need to, my next step (and I've been thinking about it) would be to see if haproxy can help. With it, you can limit concurrent connections from the same source (which in theory would reduce denial impacts). You could also probably use haproxy to redirect "unwanted addresses" to a honeypot and let them waste their time there.

Ultimately, you can't stop it - nor would you want to, as it would be hard to determine who is real or not - and probably the only effective way would be some sort of "entry captcha".

....δεσ∩
--- SBBSecho 3.15-Linux
 * Origin: I'm playing with ANSI+videotex - wanna play too? (1337:2/101)
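
The "return 444 unless the proper domain name is used" setup described in the message above, as an added example that is not part of deon's post or his actual configuration. It assumes nginx (the post does not name the web server, but 444 is nginx's special "close the connection" code), uses `www.example.org` and the file paths as placeholders, and shows nginx's own per-source connection limit in place of the haproxy one the post mentions.

```nginx
# Added example; goes inside the http { } block of nginx.conf.
# Assumptions: nginx as the web server, www.example.org as the real site name,
# and the certificate and document-root paths below are placeholders.

# Per-source connection counter (nginx counterpart of the haproxy idea in the post).
limit_conn_zone $binary_remote_addr zone=per_ip:10m;

# Catch-all for plain HTTP: a request to http://1.2.3.4/, an empty Host header,
# or any hostname not listed in another server block ends up here.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;              # nginx-only code: close the connection, send nothing
}

# Catch-all for HTTPS: refuse the TLS handshake when the SNI name is unknown,
# so no certificate (and no hostname inside it) is shown to IP-only scanners.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on; # requires nginx 1.19.4 or later
}

# The real site: only answers when the client asks for it by name.
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.org;

    ssl_certificate     /etc/nginx/tls/example.org.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.org.key;   # placeholder path

    limit_conn per_ip 20;    # at most 20 concurrent connections per client address
    limit_conn_status 429;   # reply 429 instead of the default 503 when exceeded

    root /var/www/example.org;   # placeholder path
}
```

With this in place, a request addressed to the bare IP gets an empty reply (or a failed TLS handshake), while the same request sent with the proper Host name is served normally.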