The Community Forums


How To Block 10k IP Addresses

Discussion in 'Security' started by Sash, Nov 2, 2009.

  1. Sash

    Sash Well-Known Member

    Joined:
    Feb 18, 2003
    Does anyone know the best way to block 10k IP addresses?

    We understand that iptables and hosts.deny will cause too many problems blocking 10k IP addresses.

    Thanks,
    Mike
     
  2. Eric

    Eric Administrator
    Staff Member

    Joined:
    Nov 25, 2007
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
    Howdy,

    Can you add any of those up to subnet blocks? A /24 or /8 here and there would help cut down that list drastically. My own list is about 3.5k long and I load them all in a simple for loop like this:

    # one IP or CIDR block per line in /root/black-list
    while read -r ip; do iptables -I INPUT -s "$ip" -j DROP; done < /root/black-list

    It will take some time to run, but it works.

    Thanks!
     
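Two things make the loop above slow and the resulting chain large: every entry forks a new iptables process, and every entry becomes its own rule that the kernel walks linearly for each packet. The script below is an added example (not Eric's code, and not part of the original post) that does the "add them up into subnet blocks" step automatically and then writes one iptables-restore file so the whole list is loaded in a single call. The path /root/black-list comes from the post; the chain name BLACKLIST, the density threshold and the sample list are assumptions made here.

```python
"""Collapse a one-address-per-line blacklist into CIDR blocks and emit an
iptables-restore file. Added example; the BLACKLIST chain name and the
sample data are assumptions, not from the original forum post."""
import collections
import ipaddress

# Constructed sample in the same shape as the poster's file: one IP or CIDR
# per line, blank lines and '#' comments ignored.
SAMPLE_LIST = """
# constructed sample, not a real blacklist
198.51.100.4
198.51.100.5
198.51.100.6
198.51.100.7
203.0.113.0/25
203.0.113.128/25
203.0.113.77        # already covered by the /25 above
192.0.2.10
2001:db8::1
2001:db8::2
""".splitlines()


def aggregate(lines, min_hosts_per_24=0):
    """Return {4: [...], 6: [...]} of collapsed networks, one list per IP version.

    collapse_addresses() only merges exact neighbours (1.2.3.4 + 1.2.3.5 -> /31)
    and drops entries already covered by a larger block. min_hosts_per_24 is the
    "a /24 here and there" step: when at least that many single hosts fall in
    one /24, the whole /24 is blocked instead, trading some collateral damage
    for a much shorter rule list. 0 disables that step.
    """
    nets = {4: [], 6: []}
    for raw in lines:
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        net = ipaddress.ip_network(text, strict=False)   # '1.2.3.4' -> 1.2.3.4/32
        nets[net.version].append(net)

    if min_hosts_per_24:
        per_block = collections.Counter(
            n.supernet(new_prefix=24) for n in nets[4] if n.prefixlen == 32)
        promoted = {blk for blk, count in per_block.items() if count >= min_hosts_per_24}
        nets[4] = [n for n in nets[4]
                   if not (n.prefixlen == 32 and n.supernet(new_prefix=24) in promoted)]
        nets[4].extend(promoted)

    return {v: list(ipaddress.collapse_addresses(ns)) for v, ns in nets.items()}


def render_restore(networks, chain="BLACKLIST"):
    """iptables-restore text that creates (or, with --noflush, flushes and
    refills) one user-defined chain holding the DROP rules."""
    lines = ["*filter", f":{chain} - [0:0]"]
    lines += [f"-A {chain} -s {net.with_prefixlen} -j DROP" for net in networks]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    entries = open(path).read().splitlines() if path else SAMPLE_LIST
    collapsed = aggregate(entries, min_hosts_per_24=3)
    print(render_restore(collapsed[4]), end="")
```

Load it with `iptables-restore --noflush < blacklist.rules` (without --noflush the whole filter table is replaced), then add `iptables -I INPUT -j BLACKLIST` once by hand; because the `:BLACKLIST - [0:0]` line flushes an existing chain before the rules are re-added, re-running the two commands after editing the list replaces the old set in one go. The IPv6 list in `collapsed[6]` goes through ip6tables-restore with the same text.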
  3. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    If a software firewall (iptables) does not satisfy the performance requirements, you may want to consider a dedicated hardware firewall; I would check with your data center for available dedicated hardware firewall solutions.
     
  4. Sash

    Sash Well-Known Member

    Joined:
    Feb 18, 2003
    I could try to trim the list into smaller subnets.

    At 3.5k entries do you have any performance issues?

    Thanks,
    Mike
     
    #4 Sash, Nov 2, 2009
    Last edited: Nov 2, 2009
  5. Eric

    Eric Administrator
    Staff Member

    Joined:
    Nov 25, 2007
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
    Howdy,

    This is on my little atom router box at home. I run even more on my little atom cPanel server. Never misses a beat. Just slow at boot time.
     
  6. sirdopes

    sirdopes Well-Known Member
    PartnerNOC

    Joined:
    Sep 25, 2007
    Route

    Another option is to use route to reject IPs.

    route add 1.1.1.1 reject

    This adds the IP to the routing table and blocks it. I have had 15K+ IPs with no problem using this method.
     
  7. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Why in the world would you want to block that many individual IPs?

    You would have to be insane to do that for performance and memory consumption reasons among others!

    As cPanelEricE pointed out, you can probably reduce the list greatly by using proper CIDR notation.

    Also, if your intent is to block countries, there are much better and far simpler ways to deal with that than just blocking huge IP lists. One that comes to mind immediately is installing GeoIP from MaxMind, and then you can simply block traffic to your site or server by a single country or continent code (for example CN for "China") instead of dealing with long (often outdated) IP range lists.

    Another would be to setup a DNS based RBL blacklist database and run IP checks against the RBL!
     
    #7 Spiral, Nov 20, 2009
    Last edited: Nov 20, 2009
  8. stugster

    stugster Well-Known Member

    Joined:
    Apr 16, 2002
    Location:
    Edinburgh, UK
    cPanel Access Level:
    Root Administrator
    Just thinking out loud here, but DDoS?
     
  9. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Setting a firewall to try to block IPs from a DDoS attack is futile, and mostly pointless for the most part!

    News Flash: 95% of all logged DDoS attack IP addresses are not actually real!

    In fact, the vast majority of IPs that you would try to block aren't even actually being used to attack you whatsoever and are more often than not perfectly innocent 3rd parties who may even be the actual real target!

    By masquerading IPs and a little creative packet header manipulation, a hacker could easily make you think that any server on the planet is attacking you and your server will happily log the wrong IP! In fact, the real goal of the hacker might even be to trick you into placing a block or ban on someone else! Even more points scored if they can trick you into wrongfully reporting a bogus IP to the upstream as a hacking source! The same technique can be used to trick you into limiting access to your own server or internet networks! (extremely common these days)

    There are much better and far more effective ways to handle DDoS attacks ---

    As a rule, I never put any solid faith in the IPs that any regular logs show, and in fact, that most often tells me exactly which IPs not to block!

    The good news and the flip side of the coin is that it's actually fairly trivial to distinguish legitimate packets from altered packets, so the vast majority of DDoS traffic can often be blocked by packet composition instead of by packet origin (which may not even be that reliable in the first place).

    Unfortunately many "security administrators" out there remain, technically speaking, often far behind the skill levels or knowledge of the hackers out there, ignorant of knowledge that might be helpful in being more effective in fighting these situations! Each and every day, I see so many administrators take on activities such as racing to block IPs in a DDoS attack simply because they know no other way to handle the situation!
     
    #9 Spiral, Dec 2, 2009
    Last edited: Dec 2, 2009
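The post above says flood traffic can often be filtered on what the packet looks like rather than where it claims to come from, but does not say which properties it means. The code below is an added example, not Spiral's method: it parses a raw IPv4+TCP packet and applies the composition checks that are standard in ingress filtering and in the usual iptables "bad packet" rules: a source address that cannot legitimately arrive from the Internet (RFC 1918 space, loopback, multicast and the other "martian" ranges), source equal to destination, a total-length field that disagrees with the bytes actually received, and TCP flag combinations no real stack emits (no flags, SYN+FIN, SYN+RST, FIN without ACK, FIN+PSH+URG). The packets are constructed inline with zero checksums; the threshold list and the function names are assumptions made here.

```python
"""Flag packets by composition rather than by source address. Added example,
not from the forum post; the martian list and flag rules are the common
ingress-filter / bad-TCP-flags checks, and the packets are constructed."""
import ipaddress
import struct

# Source ranges that must never arrive on a public-facing interface.
MARTIANS = [ipaddress.ip_network(c) for c in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_ipv4_tcp(src, dst, flags, ttl=64, sport=40000, dport=80):
    """Minimal 40-byte IPv4+TCP packet for testing. Constructed input; the
    checksums stay zero because the checker does not validate them."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Decode the IPv4 header and, for protocol 6, the fixed TCP header."""
    if len(pkt) < 20:
        return None
    vihl, _tos, tot_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    hdr = {"version": vihl >> 4, "ihl": ihl, "total_length": tot_len, "ttl": ttl,
           "proto": proto, "src": ipaddress.IPv4Address(src),
           "dst": ipaddress.IPv4Address(dst), "tcp": None}
    if proto == 6 and ihl >= 20 and len(pkt) >= ihl + 20:
        sport, dport, _seq, _ack, off_flags, win = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
        hdr["tcp"] = {"sport": sport, "dport": dport, "flags": off_flags & 0x3F, "window": win}
    return hdr


def suspicious(pkt):
    """Return the list of composition problems found (empty list = looks sane).
    Every rule here is about the packet itself, not the claimed origin, so
    it holds even when the source address is spoofed."""
    hdr = parse_ipv4_tcp(pkt)
    if hdr is None:
        return ["truncated IP header"]
    reasons = []
    if hdr["version"] != 4 or hdr["ihl"] < 20:
        reasons.append("malformed IP header")
    if hdr["total_length"] != len(pkt):
        reasons.append("total length does not match packet size")
    if any(hdr["src"] in net for net in MARTIANS):
        reasons.append("martian source")
    if hdr["src"] == hdr["dst"]:
        reasons.append("source equals destination")
    tcp = hdr["tcp"]
    if tcp is not None:
        f = tcp["flags"]
        if f == 0:
            reasons.append("null flags")
        if f & SYN and f & FIN:
            reasons.append("SYN+FIN")
        if f & SYN and f & RST:
            reasons.append("SYN+RST")
        if f & FIN and not f & ACK:
            reasons.append("FIN without ACK")
        if f & (FIN | PSH | URG) == (FIN | PSH | URG):
            reasons.append("xmas flags")
    return reasons


if __name__ == "__main__":
    samples = {
        "normal SYN": build_ipv4_tcp("198.51.100.7", "203.0.113.10", SYN),
        "private source": build_ipv4_tcp("10.0.0.5", "203.0.113.10", SYN),
        "SYN+FIN": build_ipv4_tcp("198.51.100.7", "203.0.113.10", SYN | FIN),
        "land": build_ipv4_tcp("203.0.113.10", "203.0.113.10", SYN),
    }
    for label, pkt in samples.items():
        print(f"{label:15s} -> {suspicious(pkt) or 'ok'}")
```

The same rules map directly onto netfilter (`-m conntrack --ctstate INVALID`, `--tcp-flags ALL NONE`, `--tcp-flags SYN,FIN SYN,FIN`, and a source match on the martian ranges), which is how you apply them at line rate instead of in userspace; the Python version exists so the decision logic can be read and tested.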
  10. BareckObama

    BareckObama Active Member

    Joined:
    Jun 5, 2009
    Location:
    In the heart of obama.
    Would you mind sharing with us how you would filter the legitimate from the illegitimate traffic?
     