←back to thread

Ban me at the IP level if you don't like me

(boston.conman.org)
597 points classichasclass | 8 comments | 25 Aug 25 04:23 UTC | HN request time: 1.023s | source | bottom
Show context
lwansbrough ◴[25 Aug 25 05:55 UTC] No.45010657[source]
We solved a lot of our problems by blocking all Chinese ASNs. Admittedly, not the friendliest solution, but there were so many issues originating from Chinese clients that it was easier to just ban the entire country.

It's not like we can capitalize on commerce in China anyway, so I think it's a fairly pragmatic approach.

replies(6): >>45010748 #>>45010787 #>>45010871 #>>45011590 #>>45011656 #>>45011732 #
snickerbockers ◴[25 Aug 25 08:40 UTC] No.45011656[source]
Lmao I came here to post this. My personal server was making constant hdd grinding noises before I banned the entire nation of China. I only use this server for jellyfin and datahoarding so this was all just logs constantly rolling over from failed ssh auth attempts (PSA: always use public-key, don't allow root, and don't use really obvious usernames like "webadmin" or <literally just the domain>).
replies(3): >>45011723 #>>45011753 #>>45012709 #
1. Xiol32 ◴[25 Aug 25 08:50 UTC] No.45011723[source]
Changing the SSH port also helps cut down the noise, as part of a layered strategy.
replies(2): >>45011829 #>>45011841 #
2. dotancohen ◴[25 Aug 25 09:06 UTC] No.45011829[source]
Are you familiar with port knocking? My servers will only open port 22, or some other port, after two specific ports have been knocked on in order. It completely eliminates the log files getting clogged.
replies(1): >>45013771 #
3. azthecx ◴[25 Aug 25 09:08 UTC] No.45011841[source]
Did you really notice a significant drop off in connection attempts? I tried this some years ago and after a few hours on a random very high port number I was already seeing connections.
replies(2): >>45013660 #>>45019777 #
4. Bender ◴[25 Aug 25 13:31 UTC] No.45013660[source]
I use a non standard port and have not had an unknown IP hit it in over 25 years. It's not a security feature for me, I use that to avoid noise.

My public SFTP servers are still on port 22 and but block a lot of SSH bots by giving them a long "versionaddendum" /etc/ssh/sshd_config as most of them choke on it. Mine is 720 characters long. Older SSH clients also choke on this so test it first if going this route. Some botters will go out of their way to block me instead so their bots don't hang. One will still see the bots in their logs, but there will be far less messages and far fewer attempts to log in as they will be broken, sticky and confused. Be sure to add offensive words in versionaddendum for the sites that log SSH banners and display them on their web pages like shodan.io.

5. davsti4 ◴[25 Aug 25 13:44 UTC] No.45013771[source]
I've used that solution in the past. What happens when the bots start port knocking?
replies(2): >>45014040 #>>45014541 #
6. GuinansEyebrows ◴[25 Aug 25 14:09 UTC] No.45014040{3}[source]
Fail2ban :)
7. dotancohen ◴[25 Aug 25 14:53 UTC] No.45014541{3}[source]
The bots have been port scanning me for decades. They just don't know which two ports to hit to open 22 for their IP address. Simply iterating won't get then there, and fail2ban doesn't afford them much opportunity to probe.
8. nullc ◴[25 Aug 25 22:16 UTC] No.45019777[source]
In my experience can cut out the vast majority of ssh connection attempts by just blocking a couple IPs. ... particularly if you've already disabled password auth because some of the smarter bots notice that and stop trying.