[ale] Ouch, dang it.
lollipopman691
lollipopman691 at pm.me
Tue Jun 3 11:21:49 EDT 2025
Useful! Thanks man. I've gotten it down to around 2 a minute, which is supportable. I'm going to analyze the logs I have a little further and maybe add some more blocks.
-- CHS
On Monday, June 2nd, 2025 at 3:47 PM, Bob Toxen via Ale <ale at ale.org> wrote:
>
>
> You can browse the following to get a list of IPs from any country:
>
> http://www.ip2location.com/blockvisitorsbycountry.aspx
>
> I just tried it and China had over 8000 entries. There are lots
> of /24 and /23 that you probably could compress down to /16 and not
> care about blocking a few extra.
>
> The most common countries (from memory) that bad actors come from are:
>
> China
> Russia
> Romania
> Ukraine
> Other Eastern European countries
> S Korea
> Brasil
>
> Also, I find a lot of attacks from MIT's 23.0.0.0/8. Just saying.
>
> There is a high correlation with countries having lots of smart people
> who have poor economies.
>
> Best regards,
> Bob Toxen, Retired from CTO
> Horizon Network Security
>
> Author,
> "Real World Linux Security: Intrusion Detection, Prevention, and Recovery"
> 2nd Ed., Prentice Hall, 848 pages, ISBN: 9780130464569.
> Also available in Japanese, Chinese, Czech, and Polish.
>
> On Fri, May 30, 2025 at 11:18:56AM -0700, Alex Carver via Ale wrote:
>
> > I love ipset. It's hard to beat the ease of use and the quick update
> > capability. I have one ipset list that handles one-off events where I can
> > rapidly dump a single, troublesome IP inside so I can deal with stuff later.
> > Otherwise I just start blocking whole subnets.
> >
> > The largest set which is entirely CIDRs greater than /24 on one server is:
> >
> > Total lines in blocklist: 79779
> > Total IPv4s blocked: 789,568,787
> >
> > And that's IPs blocked after this non-overlapping set in the main firewall
> > which is primarily /16 or larger:
> >
> > Total lines in blocklist: 5451
> > Total IPv4s blocked: 353,610,636
> >
> > (I don't bother with IPv6 because I don't have it enabled.)
> >
> > Blocking huge chunks of the network cuts traffic down dramatically
> > especially as bots give up and instruct other bots not to bother. I don't
> > think I've truly lost any functionality, at least not that I've noticed over
> > many years of making ever larger block lists.
> >
> > On 2025-05-29 19:23, dj-Pfulio via Ale wrote:
> >
> > > Ipset easily handles huge numbers of IPs or subnets. My servers run older OSes, so I'm unsure how nft works with ipset.
> > >
> > > I have one system that blocks over 130,000 subnets using ipset. It uses a single firewall rule for all those blocked subnets. Quite a few are /8 for simplicity.
> > >
> > > On May 29, 2025 9:09:37 PM EDT, Ron via Ale <ale at ale.org> wrote:
> > >
> > > > Jim Kinney via Ale wrote on 2025-05-29 17:11:
> > > >
> > > > > Add a rule to send problem IP to a different internal port that has
> > > > > a VERY slow page load that is a redirect notice to DHS.
> > > >
> > > > I don't think that'll work, since:
> > > >
> > > > lollipopman691 via Ale wrote on 2025-05-29 15:31:
> > > >
> > > > > My last TWiki log has requests from about 70,000 ip addresses for
> > > > > that one TWiki page.
> > > > > That's a lot of IP addresses. A virtual DDoS.
> > > > > _______________________________________________
> > > > > Ale mailing list
> > > > > Ale at ale.org
> > > > > https://mail.ale.org/mailman/listinfo/ale
> > > > > See JOBS, ANNOUNCE and SCHOOLS lists at
> > > > > http://mail.ale.org/mailman/listinfo
> > >
> >
>
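The numbers traded in the thread above (lines in a blocklist versus distinct IPv4 addresses covered, overlapping entries, compressing /24s and /23s up to /16 "and not caring about blocking a few extra", and loading the whole thing into one ipset matched by a single firewall rule) can be worked out with the standard library. The block below is an added example, not code posted by anyone in the thread; the blocklist text in it is constructed sample data, and the set name `blocklist` and the `hashsize`/`maxelem` values are assumptions to adjust for your own list.

```python
"""Aggregate an IPv4 CIDR blocklist, measure its coverage, and emit ipset restore input.

Added example for the ALE thread on ipset block lists; not code from any poster.
SAMPLE_BLOCKLIST is constructed data (RFC 5737 / RFC 1918 ranges), not real attacker IPs.
"""
import ipaddress

SAMPLE_BLOCKLIST = """\
# constructed sample: one-off hosts, overlapping subnets, one duplicate
203.0.113.7
203.0.113.0/24
198.51.100.0/23
198.51.100.128/25      # already inside the /23 above
192.0.2.0/24
192.0.2.0/24           # duplicate line
10.0.0.0/8
"""


def parse_blocklist(text: str) -> list[ipaddress.IPv4Network]:
    """Parse one IPv4 address or CIDR per line; '#' starts a comment.

    Bare addresses become /32 networks. strict=False masks host bits
    (10.1.2.3/8 -> 10.0.0.0/8) instead of rejecting the line. Non-IPv4
    lines are skipped, since the lists in the thread are IPv4 only.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # malformed entry: skip rather than abort the whole load
        if net.version == 4:
            nets.append(net)
    return nets


def collapse(nets) -> list[ipaddress.IPv4Network]:
    """Merge duplicates, contained prefixes and adjacent prefixes into a sorted, non-overlapping list."""
    return list(ipaddress.collapse_addresses(nets))


def total_addresses(nets) -> int:
    """Distinct IPv4 addresses covered. Collapses first so overlaps are not double counted."""
    return sum(n.num_addresses for n in collapse(nets))


def summary(nets) -> tuple[int, int]:
    """(entries after collapsing, addresses blocked): the two figures quoted in the thread."""
    c = collapse(nets)
    return len(c), sum(n.num_addresses for n in c)


def widen(nets, max_prefixlen: int) -> list[ipaddress.IPv4Network]:
    """Replace every prefix longer than max_prefixlen with its enclosing supernet.

    This is the '/24 and /23 down to /16' compression: fewer set entries,
    at the cost of blocking addresses that were never on the list.
    """
    widened = []
    for n in nets:
        if n.prefixlen > max_prefixlen:
            n = n.supernet(new_prefix=max_prefixlen)
        widened.append(n)
    return collapse(widened)


def overblock(nets, max_prefixlen: int) -> int:
    """How many extra addresses the widening blocks beyond the original list."""
    return total_addresses(widen(nets, max_prefixlen)) - total_addresses(nets)


def ipset_restore(setname: str, nets, hashsize: int = 4096, maxelem: int = 1_000_000) -> str:
    """Text for `ipset restore`: one create line, then one add line per collapsed prefix.

    maxelem is set explicitly because the hash:net default (65536) is smaller
    than the lists discussed in the thread.
    """
    lines = [f"create {setname} hash:net family inet hashsize {hashsize} maxelem {maxelem}"]
    lines += [f"add {setname} {n.with_prefixlen}" for n in collapse(nets)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    nets = parse_blocklist(SAMPLE_BLOCKLIST)
    entries, blocked = summary(nets)
    print(f"Total lines in blocklist: {len(nets)} (collapsed to {entries})")
    print(f"Total IPv4s blocked: {blocked:,}")
    print(f"Widened to /16: {len(widen(nets, 16))} entries, "
          f"{overblock(nets, 16):,} extra addresses blocked")
    print(ipset_restore("blocklist", nets), end="")
```

Load the output with `ipset restore -exist < blocklist.restore`, then a single rule such as `iptables -I INPUT -m set --match-set blocklist src -j DROP` covers every prefix in the set. The `overblock` figure is the check worth looking at before widening: on the sample data, compressing to /16 adds about 195,000 addresses to a list that covered about 16.8 million, which is cheap against a /8 but would not be against a list made of scattered /24s. On hosts that have moved to nftables there is no ipset; the equivalent is a native set declared with `flags interval`, loaded from the same collapsed prefixes.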