[ale] Ouch, dang it.
Bob Toxen
transam at verysecurelinux.com
Mon Jun 2 15:47:11 EDT 2025
You can browse the following to get a list of IPs from any country:
http://www.ip2location.com/blockvisitorsbycountry.aspx
I just tried it and China had over 8000 entries. There are lots
of /24 and /23 that you probably could compress down to /16 and not
care about blocking a few extra.
The most common countries (from memory) that bad actors come from are:
China
Russia
Romania
Ukraine
Other Eastern European countries
S Korea
Brasil
Also, I find a lot of attacks from MIT's 23.0.0.0/8. Just saying.
There is a high correlation with countries having lots of smart people
who have poor economies.
Best regards,
Bob Toxen, Retired from CTO
Horizon Network Security
Author,
"Real World Linux Security: Intrusion Detection, Prevention, and Recovery"
2nd Ed., Prentice Hall, 848 pages, ISBN: 9780130464569.
Also available in Japanese, Chinese, Czech, and Polish.
On Fri, May 30, 2025 at 11:18:56AM -0700, Alex Carver via Ale wrote:
> I love ipset. It's hard to beat the ease of use and the quick update
> capability. I have one ipset list that handles one-off events where I can
> rapidly dump a single, troublesome IP inside so I can deal with stuff later.
> Otherwise I just start blocking whole subnets.
>
> The largest set which is entirely CIDRs greater than /24 on one server is:
>
> Total lines in blocklist: 79779
> Total IPv4s blocked: 789,568,787
>
> And that's IPs blocked after this non-overlapping set in the main firewall
> which is primarily /16 or larger:
>
> Total lines in blocklist: 5451
> Total IPv4s blocked: 353,610,636
>
> (I don't bother with IPv6 because I don't have it enabled.)
>
> Blocking huge chunks of the network cuts traffic down dramatically
> especially as bots give up and instruct other bots not to bother. I don't
> think I've truly lost any functionality, at least not that I've noticed over
> many years of making ever larger block lists.
>
> On 2025-05-29 19:23, dj-Pfulio via Ale wrote:
> > Ipset easily handles huge numbers of ips or subnets. My servers run older OSes, so I'm unsure how nft works with IPset.
> >
> > I have one system that blocks over 130,000 subnets using ipset. It uses a single firewall rule for all those blocked subnets. Quite a few are /8 for simplicity.
> >
> > On May 29, 2025 9:09:37 PM EDT, Ron via Ale <ale at ale.org> wrote:
> > > Jim Kinney via Ale wrote on 2025-05-29 17:11:
> > >
> > > > Add a rule to send problem IP to a different internal port that has
> > > > a VERY slow page load that is a redirect notice to DHS.
> > >
> > > I don't think that'll work, since:
> > >
> > > lollipopman691 via Ale wrote on 2025-05-29 15:31:
> > >
> > > > My last TWiki log has requests from about 70,000 ip addresses for
> > > > that one TWiki page.
> > > That's a *lot* of IP addresses. A virtual DDoS.
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
> > > https://mail.ale.org/mailman/listinfo/ale
> > > See JOBS, ANNOUNCE and SCHOOLS lists at
> > > http://mail.ale.org/mailman/listinfo
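An added example (not code from anyone in the thread) of the blocklist bookkeeping discussed above: collapsing overlapping and adjacent prefixes losslessly, computing the "Total IPv4s blocked" figure for the resulting non-overlapping set, and measuring how many extra addresses rounding everything up to /16 would catch. The prefixes are constructed sample data, not a real country feed.

```python
"""Aggregate an IPv4 blocklist before loading it into ipset.

Added example; the prefixes are constructed, not from a real feed.
"""
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network

# Constructed sample blocklist with the overlap and adjacency a large
# country feed of /23s and /24s typically contains.
SAMPLE_BLOCKLIST = [
    "203.0.113.0/24", "203.0.113.0/25",      # the /25 lies inside the /24
    "198.51.100.0/24", "198.51.101.0/24",    # adjacent pair -> one /23
    "198.51.102.0/23",                       # adjacent to that /23 -> one /22
    "192.0.2.0/24",
]

def parse_blocklist(lines: Iterable[str]) -> List[IPv4Net]:
    """Parse CIDR strings, tolerating blank lines, '#' comments and host bits."""
    nets = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            # strict=False lets '10.1.2.3/24' mean its containing /24
            nets.append(ipaddress.IPv4Network(line, strict=False))
    return nets

def collapse(nets: Iterable[IPv4Net]) -> List[IPv4Net]:
    """Lossless aggregation: merge overlaps and adjacent pairs; same addresses blocked."""
    return list(ipaddress.collapse_addresses(nets))

def total_addresses(nets: Iterable[IPv4Net]) -> int:
    """The 'Total IPv4s blocked' figure; only meaningful on a non-overlapping set."""
    return sum(n.num_addresses for n in nets)

def widen_to(nets: Iterable[IPv4Net], prefixlen: int) -> List[IPv4Net]:
    """Lossy aggregation (e.g. to /16): round each longer prefix up to its supernet.
    Compare total_addresses() before and after to see the collateral blocked."""
    widened = (n.supernet(new_prefix=prefixlen) if n.prefixlen > prefixlen else n
               for n in nets)
    return collapse(widened)

if __name__ == "__main__":
    exact = collapse(parse_blocklist(SAMPLE_BLOCKLIST))
    print(f"Total lines in blocklist: {len(exact)}")
    print(f"Total IPv4s blocked: {total_addresses(exact):,}")
    wide = widen_to(exact, 16)
    print(f"/16 rules: {len(wide)}, extra addresses blocked: "
          f"{total_addresses(wide) - total_addresses(exact):,}")
```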