[HN Gopher] Analyzing the attacks on my website
___________________________________________________________________
Analyzing the attacks on my website

Author : JeremyMorgan
Score  : 16 points
Date   : 2020-02-08 21:39 UTC (1 hours ago)

(HTM) web link (dev.to)
(TXT) w3m dump (dev.to)

| bdcravens wrote:
| Blindly blocking IP addresses seems like a bad idea; how many are
| DHCP'ed residential addresses with a short lease?

  | tpetry wrote:
  | Isn't this the concept of the fail2ban software used on almost
  | every linux server?

    | detaro wrote:
    | fail2ban is typically set to block IPs for a limited amount
    | of time only (and not really used on "almost every" linux
    | server)

    | yokaze wrote:
    | With an essential difference, the ban is time limited.

  | m-p-3 wrote:
  | I have some personal services that I frankly don't expect or
  | want many outsiders, and it's extremely unlikely they'd come
  | from China so I just blacklist a chunk of IPs.

| yokaze wrote:
| So, a couple of random people are trying standard passwords. That
| should be a complete non-issue, if your system is correctly
| configured. Now you want to stop the users and your response is
| to block "their" IP completely. Which turned the non-issue into
| self-made denial of service "attack". As those ips are not bound
| to users and "they" will potentially come from the whole ip space
| script-kiddies can come from.

| ringzero wrote:
| You may have accidentally reinvented
| https://en.wikipedia.org/wiki/Fail2ban :)

| testomono wrote:
| maybe you should simply add whitelist nftables ssh port 22 your
| ips

| david_draco wrote:
| I would bet that these attacks are coming through Tor, and the
| country distribution is just the distribution of Tor exit nodes.

| kjaftaedi wrote:
| That's so interesting. I built literally the exact same thing the
| other weekend.
|
| I took all of the data and fed it into a database, then built a
| web interface so I could see the data better.
|
| It's looking like this:
|
| https://i.imgur.com/8G9GAUp.png
|
| Lots more activity from France than I would have expected
| compared to other countries. Also lots more people using Amazon's
| infrastructure to scan the internet than I would have imagined.
|
| Other than that it's about what you'd expect.
|
| So far I don't find this to be overly practical because with the
| amount of IP addresses in the filter, the firewall takes forever
| to reload. (firewalld)

  | _wldu wrote:
  | You can use ipset to block them. It's hash based and efficient.
  |
  | http://ipset.netfilter.org/
  |
  | http://mikhailian.mova.org/node/194

___________________________________________________________________
(page generated 2020-02-08 23:00 UTC)
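Added example, not part of the thread or the linked article: a sketch that combines the points raised above (time-limited bans, an allowlist for your own addresses, and a hash-based ipset instead of one firewall rule per address). The sshd log lines are constructed, and the set name `sshban`, the thresholds and the allowlisted network are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample sshd lines (documentation address ranges), not data from the post.
SAMPLE_LOG = """\
Feb  8 21:40:01 web sshd[911]: Failed password for root from 203.0.113.7 port 40112 ssh2
Feb  8 21:40:03 web sshd[912]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Feb  8 21:40:05 web sshd[913]: Failed password for root from 203.0.113.7 port 40120 ssh2
Feb  8 21:41:10 web sshd[920]: Failed password for jeremy from 198.51.100.20 port 50022 ssh2
Feb  8 21:41:12 web sshd[921]: Failed password for jeremy from 198.51.100.20 port 50023 ssh2
Feb  8 21:41:14 web sshd[922]: Failed password for jeremy from 198.51.100.20 port 50024 ssh2
Feb  8 21:42:00 web sshd[930]: Failed password for root from 192.0.2.44 port 33001 ssh2
Feb  8 22:30:00 web sshd[940]: Failed password for root from 192.0.2.44 port 33002 ssh2
Feb  8 22:59:00 web sshd[950]: Failed password for root from 192.0.2.44 port 33003 ssh2
"""

FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def find_offenders(log, year=2020, max_fail=3, window=timedelta(minutes=10),
                   allow=("198.51.100.0/24",)):  # allow: hypothetical admin network
    """Return IPs with max_fail failures inside `window`, skipping allowlisted nets."""
    nets = [ip_network(n) for n in allow]
    recent, offenders = defaultdict(deque), []
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is assumed
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = ip_address(m.group(2))
        if any(ip in n for n in nets):
            continue  # never ban your own addresses
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()  # forget failures older than the window
        if len(q) >= max_fail and str(ip) not in offenders:
            offenders.append(str(ip))
    return offenders

def ipset_restore_lines(ips, set_name="sshban", ban_seconds=600):
    """Emit `ipset restore` input: one hash:ip set whose entries expire on their own."""
    lines = [f"create {set_name} hash:ip timeout {ban_seconds}"]
    lines += [f"add {set_name} {ip} timeout {ban_seconds}" for ip in ips]
    return lines

if __name__ == "__main__":
    print("\n".join(ipset_restore_lines(find_offenders(SAMPLE_LOG))))
```

The output is meant for `ipset restore`, with the set referenced from a single rule such as `iptables -I INPUT -m set --match-set sshban src -j DROP`, so adding or expiring an address never reloads the firewall.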