Block host/domain, flooding from clients.your-server.de

Operating System & Version
Linux
cPanel & WHM Version
104.0.6

lordcatalien

Member
Jul 20, 2022
5
4
3
New York, NY
cPanel Access Level
Website Owner
I'm getting a bunch of new accounts on my web site all coming from various IPs, but they all seem to be from the host: static.[backwards ip].clients.your-server.de:

```
IP: 5.161.116.121, Host: static.121.116.161.5.clients.your-server.de
IP: 5.161.134.81, Host: static.81.134.161.5.clients.your-server.de
IP: 5.161.115.177, Host: static.177.115.161.5.clients.your-server.de
IP: 5.161.101.189, Host: static.189.101.161.5.clients.your-server.de
IP: 5.161.111.82, Host: static.82.111.161.5.clients.your-server.de
IP: 162.55.8.158, Host: static.158.8.55.162.clients.your-server.de
IP: 157.90.216.113, Host: static.113.216.90.157.clients.your-server.de
```

It seems they own a bunch of different IP addresses, but they all are using the host ending with "your-server.de".

Is there a way for me to easily block all access to my server through CPanel for anyone with this host?
 

lordcatalien

Thanks for your reply. I *do* have customers and clients all over the world, so I was hoping for a better solution. Perhaps there's a way to find all the IPs that your-server.de leases and block them for the time being? It may be a temporary solution if they change IPs, but hoping for something that's effective in the short term.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
12,497
1,968
363
cPanel Access Level
Root Administrator
I'm not sure if there's going to be a great way to get an accurate list. Maybe the "host" command like this:

```
# host cpanel.net
cpanel.net has address 208.74.123.84
cpanel.net has address 208.74.121.151
```
or just blocking the ones that you already see in full in the logs.
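
An added example, not part of the original thread: one way to turn the "IP: ..., Host: ..." lines already in the logs into a block list, keeping only addresses whose reverse name follows the `static.[backwards ip].clients.your-server.de` pattern and counting hits per /24 so any wider block can be checked against whois first. The sample log is constructed from documentation-range addresses, and the `address # comment` output format and all function names are assumptions; a PTR name is set by whoever controls the address space, so treat the match as a grouping aid rather than proof of origin.

```python
import ipaddress
import re
from collections import Counter

SUFFIX = ".clients.your-server.de"   # rDNS suffix reported in the thread
LINE_RE = re.compile(r"IP:\s*(\S+),\s*Host:\s*(\S+)")

# Constructed sample in the thread's "IP: ..., Host: ..." format
# (documentation-range addresses, not real log data).
SAMPLE_LOG = """\
IP: 192.0.2.10, Host: static.10.2.0.192.clients.your-server.de
IP: 192.0.2.77, Host: static.77.2.0.192.clients.your-server.de
IP: 198.51.100.5, Host: static.5.100.51.198.clients.your-server.de
IP: 203.0.113.9, Host: mail.customer.example
IP: 203.0.113.20, Host: static.99.113.0.203.clients.your-server.de
IP: not-an-ip, Host: static.1.2.3.4.clients.your-server.de
"""

def matches_provider(ip, host):
    """True if host is exactly static.<reversed IPv4 octets><SUFFIX> for ip."""
    host = host.lower().rstrip(".")
    expected = "static." + ".".join(reversed(str(ip).split("."))) + SUFFIX
    return host == expected

def triage(log_text):
    """Return (ips_to_block, hit counts per /24, lines needing manual review)."""
    block, skipped = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except (AttributeError, ValueError):   # no match, or not an IPv4 address
            skipped.append(line)
            continue
        if matches_provider(ip, m.group(2)):
            block.add(ip)
        elif m.group(2).lower().endswith(SUFFIX):
            skipped.append(line)   # suffix matches but octets do not
    nets = Counter(ipaddress.ip_network(f"{ip}/24", strict=False) for ip in block)
    return sorted(block), nets, skipped

def deny_lines(ips, note="signup flood, rDNS your-server.de"):
    """One 'address # comment' line per IP (deny-list format is an assumption)."""
    return [f"{ip} # {note}" for ip in ips]

if __name__ == "__main__":
    ips, nets, skipped = triage(SAMPLE_LOG)
    print("\n".join(deny_lines(ips)))
    print({str(n): c for n, c in nets.items()}, len(skipped), "line(s) skipped")
```
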
 

ejsolutions

Well-Known Member
Jan 6, 2013
77
32
68
cPanel Access Level
Root Administrator
I passed on info, in another thread, on how to leverage CSF to block by ASN, amongst other lists.
Here's your starter based on one of your supplied IPs:
^ The reverse ASN lookup for the IP that I tried doesn't appear to correlate.. trying a few more to see what ASN comes back. You may be more successful in getting a list for that hacker service provider.

Looks like they may be a user/reseller of Hetzner, which doesn't surprise me in the slightest!
 

lordcatalien

Wow, that's definitely going to be helpful. I guess, when I have a moment, I should try doing the reverse ASN lookups on all the IPs to see which correlate. This may take a while. Or, perhaps, I can block them all and if I get support tickets, go back through and whitelist the ones they mention. Either way, thank you for your time and guidance.
 

ejsolutions

Note that further down that referenced thread (post #8), you may spot that I've blocked at least some of Hetzner, in the past. ;) Like a few other hosting providers, it's about time they cleaned up their act, especially as some explicitly disapprove of port scanning, if not blatant login spamming, in their ToS.
 