hngopher.com

       [HN Gopher] Block web scanners with ipset and iptables
       ___________________________________________________________________
        
       Block web scanners with ipset and iptables
        
       Author : yabones
       Score  : 29 points
       Date   : 2022-11-10 20:40 UTC (2 hours ago)
        
 (HTM) web link (nbailey.ca)
 (TXT) w3m dump (nbailey.ca)
        
       | creeble wrote:
       | I understand the first part -- sending requests with no host
       | header to a spam log (or even better, don't log).
       | 
       | What I don't understand is the second part -- blocking those
       | hosts. Seems pointless now that you've de-noised your logs.
       | They're still sending packets. Saves thousands of bytes on
       | outbound?
       | 
       | What about all the scan-spam on sites WITH host headers? Whatevs.
        
         | yabones wrote:
         | Serves a few purposes, but as you said the main objective is
         | already done by de-noising. The other reason I do this is
         | because it's easy to detect that kind of scanning in HTTP logs,
         | but not as easy for other services (ssh, ftp, smtpd, etc)
         | without something like fail2ban, and the blanket ban applies to
         | all of them. So, if a bot scans your HTTP server enough times,
         | they can't go after "softer" targets later.
         | 
         | For scan-spam that does hit your "real" site, it's a bit more
         | tricky as there absolutely will be false positives. You can
         | grep for all 401/403's and add them to the list, but that will
         | sooner or later hit a real user. So it's much more specific to
         | the application you're hosting, where this works for just about
         | any site. The other nice thing is that even when they scan your
         | "real" site, they'll often hit the default host via IP scans at
         | the same time, so you can still manage to ban them.
         | 
         | It's not perfect, but it's good enough :)
        
           | dpifke wrote:
           | Running your own mail server is a _great_ source of data to
           | identify botnet-compromised hosts.
           | 
           | When I started banning IPs that send "HELO <myhostname>" for
           | 24 hours, I cut the number of fake login/registration
           | attempts on a bunch of my web-based projects by ~50%.
           | 
           | It works the other way, too. Temporary bans on hosts that try
           | to access /wp-admin (I don't run Wordpress anywhere) cut my
           | email spam significantly.
           | 
           | (Some day, I'll get around to implementing a real reputation
           | tracking system, with exponential ban lengths.)
        
             | bombcar wrote:
             | This is an important aspect of it - you can use information
             | on one angle of attack to protect other devices.
             | 
             | Do note that doing this kind of thing can block people on
             | Tor, because Tor is used for attacks quite often, also.
        
       | holoduke wrote:
       | Why not using the way easier to configure i(f)tables? It's so
       | much more straightforward and flexible.
        
       | hoppla wrote:
       | Another neat trick is to add a link in robots.txt and instruct
       | bots to stay away. If they don't, you add them to your blocklist
        
         | justin_oaks wrote:
         | I was confused at what you were saying at first. For those that
         | may also be confused:
         | 
         | You can add something like this to your robots.txt:
         | User-agent: *         Disallow: /some/unguessible/url
         | 
         | And then you ban any IPs/bots that visit that URL.
        
       | wooptoo wrote:
       | Actually you don't need to respond to bogus http clients at all:
       | https://gist.github.com/radupotop/2aef0bdc0ccbd3a706044e3598...
        
       | justin_oaks wrote:
       | I wonder why the author uses a 404 error response. I usually
       | configure NGINX with "return 444;" which closes the connection
       | without response. Scanners don't deserve a response. I may have
       | wasted bytes receiving the request, but I won't waste any more
       | once I know the request is garbage.
        
         | yabones wrote:
         | That was mostly just for the blog post. In reality my default
         | vhost 301's back to the IP that sent the request. I doubt it
         | ever does anything, but I like to think it makes hackers attack
         | themselves in the confusion :p
         | 
         | I also have a fake /admin path that just contains a bunch of
         | offensive/illegal phrases in 10 ish languages, but it was out
         | of character for the post.
         | 
         | 444 is a good idea though, I didn't know about that response
         | code!
        
       | alyandon wrote:
       | On my internet facing hosts, I use the firehol level 2 and level
       | 3 block sets along with blocking all CN IP space that I can
       | accurately identify. My logs are eerily quiet.
        
       | thrwawy74 wrote:
       | https://wiki.nftables.org/wiki-nftables/index.php/Moving_fro...
        
       ___________________________________________________________________
       (page generated 2022-11-10 23:00 UTC)