[HN Gopher] Analyzing the attacks on my website
       ___________________________________________________________________
        
       Analyzing the attacks on my website
        
       Author : JeremyMorgan
       Score  : 16 points
       Date   : 2020-02-08 21:39 UTC (1 hour ago)
        
 (HTM) web link (dev.to)
 (TXT) w3m dump (dev.to)
        
       | bdcravens wrote:
       | Blindly blocking IP addresses seems like a bad idea; how many are
       | DHCP'ed residential addresses with a short lease?
        
         | tpetry wrote:
         | Isn't this the concept of the fail2ban software used on almost
         | every linux server?
        
           | detaro wrote:
           | fail2ban is typically set to block IPs for a limited amount
           | of time only (and not really used on "almost every" linux
           | server)
        
           | yokaze wrote:
           | With an essential difference: the ban is time limited.
        
         | m-p-3 wrote:
         | I have some personal services that I frankly don't expect or
         | want many outsiders on, and it's extremely unlikely they'd come
         | from China, so I just blacklist a chunk of IPs.
        
       | yokaze wrote:
       | So, a couple of random people are trying standard passwords. That
       | should be a complete non-issue if your system is correctly
       | configured. Now you want to stop the users, and your response is
       | to block "their" IP completely, which turned the non-issue into a
       | self-made denial-of-service "attack", as those IPs are not bound
       | to users and "they" will potentially come from the whole IP space
       | script-kiddies can come from.
        
       | ringzero wrote:
       | You may have accidentally reinvented
       | https://en.wikipedia.org/wiki/Fail2ban :)
        
       | testomono wrote:
       | maybe you should simply add a whitelist in nftables for ssh port
       | 22 for your IPs
        
       | david_draco wrote:
       | I would bet that these attacks are coming through Tor, and the
       | country distribution is just the distribution of Tor exit nodes.
        
       | kjaftaedi wrote:
       | That's so interesting. I built literally the exact same thing the
       | other weekend.
       | 
       | I took all of the data and fed it into a database, then built a
       | web interface so I could see the data better.
       | 
       | It's looking like this:
       | 
       | https://i.imgur.com/8G9GAUp.png
       | 
       | Lots more activity from France than I would have expected
       | compared to other countries. Also lots more people using Amazon's
       | infrastructure to scan the internet than I would have imagined.
       | 
       | Other than that it's about what you'd expect.
       | 
       | So far I don't find this to be overly practical because with the
       | number of IP addresses in the filter, the firewall takes forever
       | to reload. (firewalld)
        
         | _wldu wrote:
         | You can use ipset to block them. It's hash based and efficient.
         | 
         | http://ipset.netfilter.org/
         | 
         | http://mikhailian.mova.org/node/194
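The two points raised above, that bans should expire on their own (detaro, yokaze) and that a large blocklist should be loaded with ipset rather than reloaded through the firewall (kjaftaedi, _wldu), fit in one script. This is an added example, not code from the thread or from the linked article: it turns a list of addresses into a single `ipset restore` batch where every entry carries a timeout, and attaches the set to INPUT with one iptables rule, so the set can grow and shrink without any firewall reload. The set name `attackers`, the 24h timeout and the sample address list are assumptions made for the example; networks (CIDR) and junk lines are filtered out, since a `hash:ip` set is for single addresses (use `hash:net` if you want to ban ranges).

```shell
#!/bin/sh
# Added example (not from the HN thread or the dev.to article): load a large
# blocklist into an ipset in one batch and attach it with a single iptables
# rule. Every entry carries a timeout so a ban expires on its own, which is
# what keeps blocking tolerable for DHCP, Tor and other shared addresses.
# The set name, timeout and sample addresses are made up for this example.

SET_NAME="${SET_NAME:-attackers}"
BAN_SECONDS="${BAN_SECONDS:-86400}"   # 24h, similar to a typical fail2ban bantime

# Emit an `ipset restore` script for every IPv4 address read on stdin.
# One batch is far cheaper than one `ipset add` (or one firewall reload) per IP.
# Duplicates are collapsed; anything that is not a plain dotted quad (CIDR
# ranges, hostnames, junk) is dropped here rather than handed to ipset.
build_ipset_restore() {
    printf 'create %s hash:ip family inet hashsize 65536 maxelem 262144 timeout %s -exist\n' \
        "$SET_NAME" "$BAN_SECONDS"
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u |
        while IFS= read -r ip; do
            printf 'add %s %s timeout %s -exist\n' "$SET_NAME" "$ip" "$BAN_SECONDS"
        done
}

# Number of usable entries a blocklist on stdin contributes; handy as a sanity
# check before applying (`ipset list` reports the same count afterwards).
count_entries() {
    build_ipset_restore | grep -c '^add '
}

# The one firewall rule that consults the set. Set membership changes without
# touching this rule, so there is nothing to reload when the list grows.
iptables_rule() {
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$SET_NAME"
}

# Constructed sample input (documentation ranges, not real attacker data).
# Note the duplicate, the CIDR and the junk line, none of which should reach ipset.
SAMPLE_LIST=$(cat <<'EOF'
203.0.113.7
198.51.100.23
203.0.113.7
192.0.2.0/24
not-an-ip
192.0.2.99
EOF
)

if [ "${APPLY:-0}" = 1 ]; then
    # Requires root: apply the batch, then add the DROP rule only if absent.
    printf '%s\n' "$SAMPLE_LIST" | build_ipset_restore | ipset restore
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
else
    # Dry run: show the restore batch and the rule that would be installed.
    printf '%s\n' "$SAMPLE_LIST" | build_ipset_restore
    iptables_rule
fi
```

Run it as-is for a dry run; `APPLY=1 sh block.sh` as root applies it. Because `add ... -exist` on an address already in the set refreshes its timeout, re-running the batch from a fresh log scan keeps active attackers banned while addresses that have gone quiet drop out after the timeout, which is the behaviour the thread contrasts with permanent blocks.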
        
       ___________________________________________________________________
       (page generated 2020-02-08 23:00 UTC)