Some bind atttack - how to block this huge IP range automatically?

postcd

Well-Known Member
Oct 22, 2010
717
19
68
Please how can i block these excessive bind accesses from this big ip range?
i mean i dont want manual IP ban, i want this to be handled by CSF automatically, so i want o ask you for kind advice on how to do it so such connections have low or no impact (iptables ban)?

Code:
Sep 10 13:12:45 host1 lfd[21510]: bind triggered by 74.125.74.17 - ignored
Sep 10 13:12:45 host1 lfd[21510]: bind triggered by 74.125.74.83 - ignored
Sep 10 13:12:45 host1 lfd[21510]: bind triggered by 74.125.46.84 - ignored
Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.146 - ignored
Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.148 - ignored
Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.81 - ignored
Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.17 - ignored
Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.80 - ignored
Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.82 - ignored
Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.83 - ignored
Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.144 - ignored
Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.148 - ignored
Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.146 - ignored
Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.46.80 - ignored
Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.19 - ignored
Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.74.16 - ignored
Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.46.80 - ignored
Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.74.19 - ignored
Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.74.19 - ignored
Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.46.80 - ignored
Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.74.84 - ignored
Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.74.147 - ignored
Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.74.19 - ignored
Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.74.84 - ignored
Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.74.18 - ignored
Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.74.18 - ignored
Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.46.81 - ignored
Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.46.84 - ignored
Sep 10 13:13:00 host1 lfd[21510]: bind triggered by 74.125.74.146 - ignored
Sep 10 13:13:00 host1 lfd[21510]: bind triggered by 74.125.74.148 - ignored
Sep 10 13:13:05 host1 lfd[21510]: bind triggered by 74.125.46.83 - ignored
Sep 10 13:13:10 host1 lfd[21510]: bind triggered by 74.125.46.84 - ignored
Sep 10 13:13:10 host1 lfd[21510]: bind triggered by 74.125.73.17 - ignored
Sep 10 13:13:10 host1 lfd[21510]: bind triggered by 74.125.73.18 - ignored
Sep 10 13:13:10 host1 lfd[21510]: bind triggered by 74.125.47.18 - ignored
Sep 10 13:13:10 host1 lfd[21510]: bind triggered by 74.125.73.21 - ignored
Sep 10 13:13:20 host1 lfd[21510]: bind triggered by 74.125.74.144 - ignored
Sep 10 13:13:20 host1 lfd[21510]: bind triggered by 74.125.74.144 - ignored
Sep 10 13:13:25 host1 lfd[21510]: bind triggered by 74.125.74.18 - ignored
Sep 10 13:13:25 host1 lfd[21510]: bind triggered by 74.125.74.82 - ignored
Sep 10 13:13:30 host1 lfd[21510]: bind triggered by 74.125.74.18 - ignored
Sep 10 13:13:30 host1 lfd[21510]: bind triggered by 74.125.74.81 - ignored
Sep 10 13:13:30 host1 lfd[21510]: bind triggered by 74.125.74.81 - ignored
Sep 10 13:13:30 host1 lfd[21510]: bind triggered by 74.125.74.83 - ignored
Sep 10 13:13:40 host1 lfd[21510]: bind triggered by 74.125.74.146 - ignored
Sep 10 13:13:40 host1 lfd[21510]: bind triggered by 74.125.46.82 - ignored
Sep 10 13:13:40 host1 lfd[21510]: bind triggered by 74.125.74.19 - ignored
Sep 10 13:13:40 host1 lfd[21510]: bind triggered by 74.125.74.19 - ignored
Sep 10 13:13:40 host1 lfd[21510]: bind triggered by 74.125.47.18 - ignored
Sep 10 13:13:40 host1 lfd[21510]: bind triggered by 74.125.73.83 - ignored
Sep 10 13:13:45 host1 lfd[21510]: bind triggered by 74.125.73.147 - ignored
Sep 10 13:13:45 host1 lfd[21510]: bind triggered by 74.125.73.82 - ignored
Sep 10 13:13:50 host1 lfd[21510]: bind triggered by 74.125.74.144 - ignored
i see its a gogle IP..
 
Last edited:

durangod

Well-Known Member
May 12, 2012
504
46
78
cPanel Access Level
Website Owner
74.125.0.0/16 will block all from 74.125.

you also might consider adjusting your cPHulk settings security center ->cPHulk Brute Force Protection you want it to be flexible enough to deal with honest mistakes but hard enough that if they are idiots it says bye bye baby...
 
Last edited:

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
I would not recommend blocking google's IP ranges. Their engineers are extremely smart and if anything malicious is going on with their network I assure you they'll find and fix it.

Keep in mind DNS is a UDP protocol and source IPs can be spoofed. This is how DNS amplification attacks work; queries come in with a spoofed source IP, and your server sends the "response" to someone who never asked for it to begin with.

Just make sure DNS recursion is off in your named config. If this is not causing load on your server I wouldn't worry about it.

I recommend reviewing this section of your CSF config. I do not use it, so mine is disabled as shown below:

Code:
# [*]Enable detection of repeated BIND denied requests
# This option should be enabled with care as it will prevent blocked IPs from
# resolving any domains on the server. You might want to set the trigger value
# reasonably high to avoid this
# Example: LF_BIND = "100"
LF_BIND = "0"
LF_BIND_PERM = "1"
 
Last edited:

durangod

Well-Known Member
May 12, 2012
504
46
78
cPanel Access Level
Website Owner
good deal quiz +1 i didnt even look up the ip lol... i was just answering the range question syntax is all.. but thats great you shared that as well :)
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,216
463
Hello :)

As mentioned by quizknows, it's likely not an issue that needs to be addressed if you are not experiencing any additional load on your system and DNS recursion is disabled.

Thank you.