This is going to take a little explaining, but I'll do my best and I hope you stick with me.
I am somewhat new to this and turned on the "Send notification when brute force user is detected" option and started seeing lots of failed attempts.
The first question I have is: how big a deal is the number of failed attempts? Should I be blacklisting them or not?
***************
On the assumption that I should, I went all out and blacklisted all ranges:
1.0.0.0/8
through
254.0.0.0/8
(excluding the range my IP was in, i.e. if my IP is 123.123.123.123 I left the 123.0.0.0/8 range out of the blacklist).
Then I whitelisted my own static public IP of 123.123.123.123.
So 99% of the failed-attempt notifications went away, and I started to get the occasional hit from things like 123.1.x.x etc., so I started blacklisting the smaller CIDR ranges, such as 123.1.0.0/16, as they popped up.
So I ended up with about 250-odd entries in the blacklist.
But... that's all well and good when I'm in the office with a static IP, but not so useful when I'm on the road with my mobile internet connection in a different dynamic range.
So I've managed to track down a somewhat accurate listing of the IP pools that my ISP uses for the mobile connections. The plan was to remove these from the blacklist (but not add them to the whitelist). That way I get notified if they are used, but I'm not specifically whitelisting them...
With me so far?
If the pool of potential IPs is a series of /16 ranges and I want to tighten the blacklist, I could add back in the bits outside the range.
i.e. if the carrier's range is 123.1.0.0/16 I could then add
123.2.0.0/16
through
123.254.0.0/16
to the blacklist.
So I've put together this list and I now have a shade over 2,200 entries for the blacklist. Is this too many things to put into the blacklist?
tl;dr
How many items is too many in the blacklist?
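The procedure described in the post (block every /8 except your own, then block every /16 inside your /8 except the carrier pools) is really "everything except a few carve-outs", and that set can be generated and minimised mechanically rather than enumerated by hand. The script below is an added example, not code from the original post or from whatever control panel the poster is using. It uses only the Python standard library's `ipaddress` module. The carrier pools (`123.1.0.0/16`, `123.5.0.0/16`) are constructed placeholders standing in for the ISP ranges the poster tracked down; the office IP is the post's own example address. It also assumes, as a labelled assumption, that the tool checks its whitelist before its blacklist; check your own tool's precedence before relying on that.

```python
"""Generate the minimal IPv4 blacklist covering everything except a few
carve-out ranges, and sanity-check it before loading it into a firewall.

Added example; not from the original post.  The carrier pools used in
__main__ are constructed placeholders.  Requires Python 3.7+ for subnet_of().
"""
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network


def build_blacklist(keep_out: Iterable[str], universe: str = "0.0.0.0/0") -> List[IPv4Net]:
    """Return the smallest list of CIDR blocks covering `universe` minus every
    network in `keep_out`.  Any mix of prefix lengths is fine; nested or
    overlapping keep_out entries are handled as well."""
    remaining = [ipaddress.ip_network(universe)]
    for cidr in keep_out:
        carve = ipaddress.ip_network(cidr, strict=False)
        next_remaining = []
        for block in remaining:
            if carve.subnet_of(block):
                # address_exclude yields the pieces of `block` that are not `carve`
                # (one block per prefix bit, e.g. 0.0.0.0/0 minus a /16 -> 16 blocks)
                next_remaining.extend(block.address_exclude(carve))
            elif block.subnet_of(carve):
                continue  # block lies entirely inside the carve-out: drop it
            else:
                next_remaining.append(block)  # disjoint: keep as-is
        remaining = next_remaining
    # Merge adjacent sibling blocks (two /16s into one /15, etc.) so the
    # result is as short as it can be.
    return sorted(ipaddress.collapse_addresses(remaining))


def naive_entry_count(keep_out: Iterable[str]) -> int:
    """Entry count of the hand-built list from the post: one entry per /8
    outside the home /8, plus one /16 per second octet inside the home /8
    that is not a carrier pool.  Assumes every keep_out range is a /16 inside
    a single /8, as in the post's example."""
    nets = [ipaddress.ip_network(c) for c in keep_out]
    home = nets[0].supernet(new_prefix=8)
    assert all(n.subnet_of(home) and n.prefixlen == 16 for n in nets)
    other_eights = 256 - 1               # every /8 except the home one
    sixteens = 256 - len(set(nets))      # every /16 in the home /8 except the pools
    return other_eights + sixteens


def is_blocked(ip: str, blacklist: Iterable[IPv4Net], whitelist: Iterable[str] = ()) -> bool:
    """Decide whether `ip` would be rejected.  Assumption (label, not a fact
    about any particular product): whitelist entries take precedence over
    blacklist entries."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(w, strict=False) for w in whitelist):
        return False
    return any(addr in net for net in blacklist)


def verify_partition(blacklist: Iterable[IPv4Net], keep_out: Iterable[str],
                     universe: str = "0.0.0.0/0") -> bool:
    """The blacklist plus the carve-outs must tile `universe` exactly: no
    blacklist block may overlap a carve-out, and the address counts must add
    up to the whole universe (collapse_addresses guarantees the blacklist
    blocks do not overlap each other)."""
    blacklist = list(blacklist)
    carve = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(c, strict=False) for c in keep_out))
    if any(b.overlaps(c) for b in blacklist for c in carve):
        return False
    total = sum(b.num_addresses for b in blacklist) + sum(c.num_addresses for c in carve)
    return total == ipaddress.ip_network(universe).num_addresses


if __name__ == "__main__":
    CARRIER_POOLS = ["123.1.0.0/16", "123.5.0.0/16"]  # constructed placeholders
    OFFICE_IP = "123.123.123.123"                     # the post's example static IP
    bl = build_blacklist(CARRIER_POOLS)
    print(f"{len(bl)} entries instead of {naive_entry_count(CARRIER_POOLS)}:")
    for net in bl:
        print("  ", net)
    print("partition ok:", verify_partition(bl, CARRIER_POOLS))
    print("8.8.8.8 blocked:", is_blocked("8.8.8.8", bl, [OFFICE_IP]))
    print("123.1.7.7 (carrier pool) blocked:", is_blocked("123.1.7.7", bl, [OFFICE_IP]))
    print("office IP blocked:", is_blocked(OFFICE_IP, bl, [OFFICE_IP]))
```

With two /16 carve-outs in one /8 the hand-enumerated list in the post's style has 509 entries, while the aggregated cover of the same address space has 17, because `address_exclude` splits a block only along the prefix bits it has to and `collapse_addresses` re-merges siblings. Whatever the entry limit of your tool turns out to be, run `verify_partition` on the generated list first: a gap means a range you meant to block is open, and an overlap with a carrier pool means you will lock yourself out on the road.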