The Community Forums

Interact with an entire community of cPanel & WHM users!

Some bind attack - how to block this huge IP range automatically?

Discussion in 'Security' started by postcd, Sep 10, 2014.

  1. postcd

    postcd Well-Known Member

    Joined:
    Oct 22, 2010
    Messages:
    621
    Likes Received:
    6
    Trophy Points:
    18
    Please, how can I block these excessive bind accesses from this big IP range?
    I mean I don't want a manual IP ban, I want this to be handled by CSF automatically, so I want to ask you for kind advice on how to do it so such connections have low or no impact (iptables ban)?

    Code:
    Sep 10 13:12:45 host1 lfd[21510]: bind triggered by 74.125.74.17 - ignored
    Sep 10 13:12:45 host1 lfd[21510]: bind triggered by 74.125.74.83 - ignored
    Sep 10 13:12:45 host1 lfd[21510]: bind triggered by 74.125.46.84 - ignored
    Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.146 - ignored
    Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.148 - ignored
    Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.81 - ignored
    Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.17 - ignored
    Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.80 - ignored
    Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.82 - ignored
    Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.83 - ignored
    Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.144 - ignored
    Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.148 - ignored
    Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.146 - ignored
    Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.46.80 - ignored
    Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.19 - ignored
    Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.74.16 - ignored
    Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.46.80 - ignored
    Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.74.19 - ignored
    Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.74.19 - ignored
    Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.46.80 - ignored
    Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.74.84 - ignored
    Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.74.147 - ignored
    Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.74.19 - ignored
    Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.74.84 - ignored
    Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.74.18 - ignored
    Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.74.18 - ignored
    Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.46.81 - ignored
    Sep 10 13:12:55 host1 lfd[21510]: bind triggered by 74.125.46.84 - ignored
    Sep 10 13:13:00 host1 lfd[21510]: bind triggered by 74.125.74.146 - ignored
    Sep 10 13:13:00 host1 lfd[21510]: bind triggered by 74.125.74.148 - ignored
    Sep 10 13:13:05 host1 lfd[21510]: bind triggered by 74.125.46.83 - ignored
    Sep 10 13:13:10 host1 lfd[21510]: bind triggered by 74.125.46.84 - ignored
    Sep 10 13:13:10 host1 lfd[21510]: bind triggered by 74.125.73.17 - ignored
    Sep 10 13:13:10 host1 lfd[21510]: bind triggered by 74.125.73.18 - ignored
    Sep 10 13:13:10 host1 lfd[21510]: bind triggered by 74.125.47.18 - ignored
    Sep 10 13:13:10 host1 lfd[21510]: bind triggered by 74.125.73.21 - ignored
    Sep 10 13:13:20 host1 lfd[21510]: bind triggered by 74.125.74.144 - ignored
    Sep 10 13:13:20 host1 lfd[21510]: bind triggered by 74.125.74.144 - ignored
    Sep 10 13:13:25 host1 lfd[21510]: bind triggered by 74.125.74.18 - ignored
    Sep 10 13:13:25 host1 lfd[21510]: bind triggered by 74.125.74.82 - ignored
    Sep 10 13:13:30 host1 lfd[21510]: bind triggered by 74.125.74.18 - ignored
    Sep 10 13:13:30 host1 lfd[21510]: bind triggered by 74.125.74.81 - ignored
    Sep 10 13:13:30 host1 lfd[21510]: bind triggered by 74.125.74.81 - ignored
    Sep 10 13:13:30 host1 lfd[21510]: bind triggered by 74.125.74.83 - ignored
    Sep 10 13:13:40 host1 lfd[21510]: bind triggered by 74.125.74.146 - ignored
    Sep 10 13:13:40 host1 lfd[21510]: bind triggered by 74.125.46.82 - ignored
    Sep 10 13:13:40 host1 lfd[21510]: bind triggered by 74.125.74.19 - ignored
    Sep 10 13:13:40 host1 lfd[21510]: bind triggered by 74.125.74.19 - ignored
    Sep 10 13:13:40 host1 lfd[21510]: bind triggered by 74.125.47.18 - ignored
    Sep 10 13:13:40 host1 lfd[21510]: bind triggered by 74.125.73.83 - ignored
    Sep 10 13:13:45 host1 lfd[21510]: bind triggered by 74.125.73.147 - ignored
    Sep 10 13:13:45 host1 lfd[21510]: bind triggered by 74.125.73.82 - ignored
    Sep 10 13:13:50 host1 lfd[21510]: bind triggered by 74.125.74.144 - ignored
    I see it's a Google IP..
     
    #1 postcd, Sep 10, 2014
    Last edited: Sep 10, 2014
  2. durangod

    durangod Well-Known Member

    Joined:
    May 12, 2012
    Messages:
    251
    Likes Received:
    10
    Trophy Points:
    18
    cPanel Access Level:
    Website Owner
    74.125.0.0/16 will block all from 74.125.

    You also might consider adjusting your cPHulk settings (Security Center -> cPHulk Brute Force Protection). You want it to be flexible enough to deal with honest mistakes but hard enough that if they are idiots it says bye bye baby...
     
    #2 durangod, Sep 10, 2014
    Last edited: Sep 10, 2014
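Before picking a block size, it helps to see what the posted lfd lines actually add up to: how many hits per /24 and /16, and how large the single CIDR block that covers every address would be. The script below is an added example, not CSF or cPanel code. It embeds a constructed subset of the lines from the first post (plus one unrelated sshd line to show that non-lfd lines are skipped) and uses Python's standard `ipaddress` module; the function names are my own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: a few lfd lines in the same shape as the ones posted in
# the thread (syslog prefix, pid and the trailing "- ignored" kept as posted),
# plus one unrelated sshd line that the parser must ignore.
SAMPLE_LOG = """\
Sep 10 13:12:45 host1 lfd[21510]: bind triggered by 74.125.74.17 - ignored
Sep 10 13:12:45 host1 lfd[21510]: bind triggered by 74.125.74.83 - ignored
Sep 10 13:12:45 host1 lfd[21510]: bind triggered by 74.125.46.84 - ignored
Sep 10 13:12:50 host1 lfd[21510]: bind triggered by 74.125.74.17 - ignored
Sep 10 13:13:10 host1 lfd[21510]: bind triggered by 74.125.73.17 - ignored
Sep 10 13:13:10 host1 lfd[21510]: bind triggered by 74.125.47.18 - ignored
Sep 10 13:13:40 host1 lfd[21510]: bind triggered by 74.125.46.82 - ignored
Sep 10 13:13:40 host1 sshd[2201]: Accepted publickey for root from 203.0.113.9
"""

# Only lfd "bind triggered" lines carry an IP we care about.
LFD_BIND_RE = re.compile(r"lfd\[\d+\]: bind triggered by (\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_bind_triggers(text):
    """Return the source IPs from lfd 'bind triggered' lines, in log order."""
    ips = []
    for line in text.splitlines():
        m = LFD_BIND_RE.search(line)
        if m:
            ips.append(ipaddress.IPv4Address(m.group(1)))
    return ips


def count_by_prefix(ips, prefixlen):
    """Count triggers per network of the given prefix length (e.g. 24 or 16)."""
    counts = Counter()
    for ip in ips:
        counts[ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)] += 1
    return counts


def smallest_covering_network(ips):
    """Smallest single CIDR block containing every IP in the list.

    Walks the prefix length down from /32 until the lowest and highest
    addresses agree on all prefix bits. Raises ValueError on an empty list.
    """
    if not ips:
        raise ValueError("no addresses to cover")
    lo, hi = int(min(ips)), int(max(ips))
    prefixlen = 32
    while prefixlen > 0 and (lo >> (32 - prefixlen)) != (hi >> (32 - prefixlen)):
        prefixlen -= 1
    return ipaddress.ip_network(f"{min(ips)}/{prefixlen}", strict=False)


def summarize(text):
    """One report: total hits, distinct IPs, hits per /24 and /16, and how many
    addresses a single covering block would take out with them."""
    ips = parse_bind_triggers(text)
    covering = smallest_covering_network(ips)
    return {
        "hits": len(ips),
        "distinct_ips": len(set(ips)),
        "per_24": count_by_prefix(ips, 24),
        "per_16": count_by_prefix(ips, 16),
        "covering": covering,
        "addresses_in_covering_block": covering.num_addresses,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['hits']} hits from {report['distinct_ips']} distinct IPs")
    for net, n in report["per_24"].most_common():
        print(f"  {net}: {n}")
    print(f"one block covering all of them: {report['covering']} "
          f"({report['addresses_in_covering_block']} addresses)")
```

On the sample the covering block comes out as a /17 (32,768 addresses); the /16 suggested above is twice that. The point of the report is to make that collateral visible before a range goes into a deny list.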
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    I would not recommend blocking google's IP ranges. Their engineers are extremely smart and if anything malicious is going on with their network I assure you they'll find and fix it.

    Keep in mind DNS is a UDP protocol and source IPs can be spoofed. This is how DNS amplification attacks work; queries come in with a spoofed source IP, and your server sends the "response" to someone who never asked for it to begin with.

    Just make sure DNS recursion is off in your named config. If this is not causing load on your server I wouldn't worry about it.

    I recommend reviewing this section of your CSF config. I do not use it, so mine is disabled as shown below:

    Code:
    # [*]Enable detection of repeated BIND denied requests
    # This option should be enabled with care as it will prevent blocked IPs from
    # resolving any domains on the server. You might want to set the trigger value
    # reasonably high to avoid this
    # Example: LF_BIND = "100"
    LF_BIND = "0"
    LF_BIND_PERM = "1"
    
     
    #3 quizknows, Sep 10, 2014
    Last edited: Sep 10, 2014
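The advice above comes down to two settings: recursion off in the `options` block of the named config, and `LF_BIND` in csf.conf. The checker below is an added example, not CSF's or cPanel's code. It runs over constructed named.conf and csf.conf fragments (labelled as such in the code) and reports whether recursion is explicitly disabled, using the standard BIND directives `recursion no;` or `allow-recursion { none; };`, and what `LF_BIND` and `LF_BIND_PERM` are set to. It strips the three comment styles named.conf accepts first, so a commented-out directive is not mistaken for a live one. No file paths are assumed; pass the file contents in.

```python
import re

# Constructed named.conf fragment: recursion left at BIND's default (on).
NAMED_CONF_RECURSION_ON = """\
// constructed sample
options {
    directory "/var/named";
    allow-query { any; };
};
"""

# Constructed named.conf fragment: recursion turned off.
NAMED_CONF_RECURSION_OFF = """\
options {
    directory "/var/named";
    recursion no;          // answer only for the zones we host
    allow-query { any; };
};
"""

# Constructed named.conf fragment: the directive is only present in comments,
# which must not count as set.
NAMED_CONF_COMMENTED = """\
options {
    directory "/var/named";
    # recursion no;
    /* recursion no; */
};
"""

# Constructed csf.conf fragment with the LF_BIND values quoted in the thread.
CSF_CONF_SAMPLE = """\
# [*]Enable detection of repeated BIND denied requests
LF_BIND = "0"
LF_BIND_PERM = "1"
"""

# named.conf accepts C-style, C++-style and shell-style comments.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)


def strip_named_comments(conf):
    """Remove /* */, // and # comments from named.conf text."""
    return COMMENT_RE.sub("", conf)


def options_block(conf):
    """Return the body of the top-level options { ... } block, or '' if absent."""
    text = strip_named_comments(conf)
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return ""  # unbalanced braces: treat as no usable options block


def recursion_disabled(conf):
    """True only if the options block explicitly disables recursion.

    BIND defaults to recursion yes, so an absent directive counts as NOT disabled.
    """
    body = options_block(conf)
    if re.search(r"\brecursion\s+no\s*;", body):
        return True
    if re.search(r"\ballow-recursion\s*\{\s*none\s*;\s*\}\s*;", body):
        return True
    return False


def csf_value(conf, key):
    """Read a KEY = "value" line from csf.conf-style text; None if missing."""
    m = re.search(rf'^\s*{re.escape(key)}\s*=\s*"([^"]*)"', conf, re.MULTILINE)
    return m.group(1) if m else None


def assess(named_conf, csf_conf):
    """Summarise the two settings discussed in the thread."""
    lf_bind = csf_value(csf_conf, "LF_BIND")
    return {
        "recursion_disabled": recursion_disabled(named_conf),
        "lf_bind": lf_bind,
        "lf_bind_perm": csf_value(csf_conf, "LF_BIND_PERM"),
        # Per the csf.conf comment, LF_BIND = "0" leaves the BIND check disabled.
        "bind_detection_enabled": lf_bind not in (None, "0"),
    }


if __name__ == "__main__":
    for name, conf in (("on", NAMED_CONF_RECURSION_ON),
                       ("off", NAMED_CONF_RECURSION_OFF),
                       ("commented", NAMED_CONF_COMMENTED)):
        print(f"recursion sample '{name}': disabled={recursion_disabled(conf)}")
    print(assess(NAMED_CONF_RECURSION_OFF, CSF_CONF_SAMPLE))
```

To run it against a real host, read the named configuration and csf.conf into strings and call `assess()`; the brace-matching in `options_block` keeps nested blocks such as `allow-query { any; };` from ending the search early.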
  4. durangod

    durangod Well-Known Member

    Joined:
    May 12, 2012
    Messages:
    251
    Likes Received:
    10
    Trophy Points:
    18
    cPanel Access Level:
    Website Owner
    Good deal quiz, +1. I didn't even look up the IP lol... I was just answering the range question syntax is all.. but that's great you shared that as well :)
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    672
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    As mentioned by quizknows, it's likely not an issue that needs to be addressed if you are not experiencing any additional load on your system and DNS recursion is disabled.

    Thank you.
     