How To Find Proxies?

Where to find and how to block blacklisted IPs and proxies?

  • Good day everyone! I'm looking for a way to block incoming requests from blacklisted IPs and proxies (mostly anonymous) to my server. While it's quite obvious how to do it using Apache config, the main question is where can I find a regularly updated list of such IPs? Is there a "best practice" for doing this? Getting deeper into the reasons for this: my website receives huge incoming traffic from many different IPs mainly located in the US. Almost every request differs from the others, and that's why I can't block either a particular IP or a range of IPs by subnet. While it is not a true DDoS attack, my dedicated server almost goes offline :/ I think that I need something like Fail2Ban and DenyHosts, but based not only on password failures but on all incoming traffic.

  • Answer:

    There's an excellent https://help.ubuntu.com/community/MoBlock on your server; it's written for Ubuntu, but the directions can be adapted for any distribution. This is a tool which lets you load arbitrary blocklists and translates them into firewall rules, so your server can discard the traffic quickly and efficiently long before Apache has to bother with it.

    As for the blocklists themselves, there's the http://blocklistpro.com/faqs/biss-ip-blocklists-faq.html; they're mostly geared towards blocking entities that attempt to monitor peer-to-peer traffic, which they do quite well. They do however have a "Tor / proxy" list which purports to block open proxies and Tor routers, but I can't make any particular claim as to its accuracy or efficacy.

    I also found a program called http://www.fractalizer.ru/frpost_25/linux-installing-automatic-protection-from-dos-and-ddos-attacks-to-your-server/ which purports to automatically add firewall rules to block high-connection sources, but again, I've never used it myself so I can't tell you how well it works.

    Finally, apparently iptables has a http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/ command that automatically rate-limits incoming connections:

        sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
        sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

    This would limit incoming SSH connections to 8 per 60 seconds, and is already built-in.

WASD42 at Server Fault


Other answers

There are a number of sites that purport to list "abusive" IPs. I like http://projecthoneypot.org/, as it's free (if you participate in the network), and has reasonably open criteria for what gets you on the list. Otherwise, a Google search for "open proxy blacklist" seems to provide a lengthy set of results; I can't give any specific recommendations, but it's best if you analyse the options for your own needs.

womble

Try ModSecurity: http://www.modsecurity.org/, combined with SSHBlack: http://www.sshblack.com/

Mike Insch

I use http://feeds.dshield.org/block.txt and sometimes if I want to be more aggressive, I use lists available at http://www.wizcrafts.net/blocklists.html

bauer
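
One way to turn a downloaded block list, such as the block.txt feed mentioned above, into firewall state that is checked before Apache sees the request. This is an added example, not code from any of the answers. It assumes a tab-separated feed whose first three columns are Start, End and Netmask (prefix length); the set name `blocklist`, the /8 minimum prefix and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: convert a block list into `ipset restore` input.
# Assumed feed layout (tab-separated): Start, End, Netmask (prefix length), ...
# Constructed sample in that layout (documentation address ranges only).
sample_feed() {
    printf '# constructed sample, not real feed data\n'
    printf 'Start\tEnd\tNetmask\tAttacks\tName\n'
    printf '192.0.2.0\t192.0.2.255\t24\t120\tEXAMPLE-A\n'
    printf '198.51.100.0\t198.51.100.255\t24\t80\tEXAMPLE-B\n'
    printf '192.0.2.0\t192.0.2.255\t24\t120\tEXAMPLE-A\n'    # duplicate row
    printf '0.0.0.0\t255.255.255.255\t0\t1\tTOO-BROAD\n'     # would block everything
    printf '999.1.1.0\t999.1.1.255\t24\t1\tMALFORMED\n'      # not an IPv4 address
}

# $1 = ipset name (hypothetical default "blocklist"); feed is read from stdin.
blocklist_to_ipset() {
    awk -F'\t' -v set="${1:-blocklist}" '
        function valid_ip(ip,   n, o, i) {
            n = split(ip, o, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || (o[i] + 0) > 255) return 0
            return 1
        }
        BEGIN {
            # Fill a temporary set, then swap, so the live set is never empty.
            print "create " set " hash:net -exist"
            print "create " set "-tmp hash:net -exist"
            print "flush " set "-tmp"
        }
        /^#/ || /^Start/ || NF < 3 { next }
        {
            # Refuse malformed rows and prefixes shorter than /8 (assumed floor),
            # so a corrupt or poisoned feed cannot block huge address ranges.
            if (!valid_ip($1) || $3 !~ /^[0-9]+$/ || ($3 + 0) < 8 || ($3 + 0) > 32) {
                print "skipped: " $0 > "/dev/stderr"
                next
            }
            cidr = $1 "/" $3
            if (!(cidr in seen)) { seen[cidr] = 1; print "add " set "-tmp " cidr }
        }
        END {
            print "swap " set "-tmp " set
            print "destroy " set "-tmp"
        }'
}
# Typical use (needs root and a real feed file):
#   blocklist_to_ipset blocklist < block.txt | ipset restore
#   iptables -I INPUT -m set --match-set blocklist src -j DROP
```

Rows the function rejects are reported on stderr, so a scheduled refresh can log them and alert when a feed suddenly changes shape.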
