[ale] Ok Phew..
DJPfulio at jdpfu.com
Sat Sep 27 12:15:55 EDT 2025
I just block all *.php requests and put that IP into a gulag (like a mud pit) until I can add their entire subnet to a blocklist for all traffic.
Currently blocking over 10000 subnets. A few are /8. Some are /24 and all sizes in between. Unlike other places, I don't remove once-bad subnets from my list after they attack. Screw them. That's in addition to DNS-level blocks based purely on reverse DNS lookups, but I don't update the by-country tables all that often.
Just this morning, blocked NFOrce Entertainment from The Netherlands due to excessive hack attempts.
Long ago, I blocked MSFT corporate and Azure subnets after repeated attacks. Every 5 yrs or so, MSFT has new IPs that need to be blocked. Initially, I was a bit shocked that MSFT Corporate wouldn't know about their abusive outbound traffic, but got over that pretty quickly.
Lots of places from Reston VA got blocked too. I have no illusion they wouldn't fly right past my firewalls if they were really that interested.
A few VPS companies take aggressive actions to clean up the bad people on their subnets, when reported. Vultr took care of the issue in about 12 hours and reported back to me what they'd done. I think my timing was lucky. Same for Digital Ocean. Of course, it is even better when the VPS has proactive steps and seems to prevent any outbound malicious traffic ... well - traffic that I consider malicious. Don't think I've ever blocked anything from Linode, for example.
On 9/22/25 14:36, lollipopman691 via Ale wrote:
> Alright, I've installed mod_evasive ( https://github.com/jzdziarski/mod_evasive ) and ufw ( https://en.wikipedia.org/wiki/Uncomplicated_Firewall ) to deal with yet another horrific storm of nonsense hits on https://tomshiro.org . Looks like mod_evasive is kinda working, anyways. We shall see what happens next. So far, I am at fifteen blocked /16 addresses. They appear to be from China, Vietnam, Korea, or ( the latest! ) Tajikistan, at least according to https://www.iplocation.net/ip-lookup .
>
> The address which mod_evasive Blacklisted appears to be from USA,
> Virginia. Looks like an attaque tho. Here's a chunk of my log:
>
> ------------------
> tomshiro.org:80 40.85.188.6 - - [22/Sep/2025:14:13:13 -0400] "GET /aa.php HTTP/1.1" 301 521 "-" "-"
> tomshiro.org:443 40.85.188.6 - - [22/Sep/2025:14:13:14 -0400] "GET /aa.php HTTP/1.1" 404 2785 "-" "-"
> tomshiro.org:80 40.85.188.6 - - [22/Sep/2025:14:13:14 -0400] "GET /abcd.php HTTP/1.1" 301 525 "-" "-"
> tomshiro.org:443 40.85.188.6 - - [22/Sep/2025:14:13:14 -0400] "GET /abcd.php HTTP/1.1" 404 465 "-" "-"
> tomshiro.org:80 40.85.188.6 - - [22/Sep/2025:14:13:14 -0400] "GET /about.php HTTP/1.1" 301 527 "-" "-"
> tomshiro.org:443 40.85.188.6 - - [22/Sep/2025:14:13:14 -0400] "GET /about.php HTTP/1.1" 404 465 "-" "-"
> tomshiro.org:80 40.85.188.6 - - [22/Sep/2025:14:13:14 -0400] "GET /admin.php HTTP/1.1" 301 527 "-" "-"
> tomshiro.org:443 40.85.188.6 - - [22/Sep/2025:14:13:14 -0400] "GET /admin.php HTTP/1.1" 404 465 "-" "-"
> tomshiro.org:80 40.85.188.6 - - [22/Sep/2025:14:13:14 -0400] "GET /adminfuns.php HTTP/1.1" 301 535 "-" "-"
> ------------------
>
> A legit client (even a robot) would have a bunch of stuff after the
> first "-" specifying what it was, as:
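The quoted log shows the pattern both posters are keying on: a client with an empty referer and an empty User-Agent walking through guessed .php filenames, each probe appearing twice (a 301 off port 80, then a 404 on 443). Below is a small log-scanning script that turns that observation into a per-IP count and a subnet block rule. This is an added example, not code from either poster or from mod_evasive; the vhost, client addresses, log lines, the 3-hit threshold and the /24 prefix are constructed for illustration, and the emitted `ufw` command is my suggested follow-up, not something the thread describes running.

```python
import ipaddress
import re
from collections import Counter

# Apache vhost_combined-style line, as in the quoted excerpt:
#   vhost:port client - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not from the original post). 203.0.113.45 behaves like
# the scanner in the thread; 203.0.113.46 sends one probe; 198.51.100.x are a
# browser and a crawler that identify themselves.
SAMPLE_LOG = [
    'www.example.org:80 203.0.113.45 - - [22/Sep/2025:14:13:13 -0400] "GET /aa.php HTTP/1.1" 301 521 "-" "-"',
    'www.example.org:443 203.0.113.45 - - [22/Sep/2025:14:13:14 -0400] "GET /aa.php HTTP/1.1" 404 2785 "-" "-"',
    'www.example.org:443 203.0.113.45 - - [22/Sep/2025:14:13:14 -0400] "GET /abcd.php HTTP/1.1" 404 465 "-" "-"',
    'www.example.org:443 203.0.113.45 - - [22/Sep/2025:14:13:15 -0400] "GET /admin.php HTTP/1.1" 404 465 "-" "-"',
    'www.example.org:443 203.0.113.46 - - [22/Sep/2025:14:13:40 -0400] "GET /wp-login.php HTTP/1.1" 404 465 "-" "-"',
    'www.example.org:443 198.51.100.7 - - [22/Sep/2025:14:14:02 -0400] "GET /index.php HTTP/1.1" 200 5120 "https://www.example.org/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"',
    'www.example.org:443 198.51.100.8 - - [22/Sep/2025:14:14:09 -0400] "GET /robots.txt HTTP/1.1" 200 84 "-" "ExampleBot/1.0 (+https://bot.example.net/info)"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_scanner_hit(rec):
    """The heuristic from the thread: no referer, no User-Agent, probing a .php path.

    The 301 redirects and the 404s are both counted, so each probe shows up twice
    on a site that redirects 80 -> 443; pick the threshold with that in mind.
    """
    path = rec["path"].lower().split("?", 1)[0]
    return rec["referer"] == "-" and rec["ua"] == "-" and path.endswith(".php")


def find_offenders(lines, threshold=3):
    """Count scanner-looking hits per client IP; return those at or above threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_scanner_hit(rec):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def subnet_for(ip, prefix=24):
    """Widen a single address to the containing IPv4 network of the given prefix."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def ufw_rules(offenders, prefix=24):
    """Emit one ufw deny rule per distinct subnet, inserted ahead of any allow rules."""
    nets = sorted({subnet_for(ip, prefix) for ip in offenders})
    return [f"ufw insert 1 deny from {net} to any" for net in nets]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG, threshold=3)
    for ip, n in hits.items():
        print(f"{ip}: {n} scanner-looking .php probes")
    for rule in ufw_rules(hits, prefix=24):
        print(rule)
```

The script reports only the /24 of the offending address; widening to the /16 the thread mentions is the `prefix` argument, and a /16 on a cloud provider's range (the quoted 40.85.188.6 sits in one) will take out a great many unrelated tenants, so it is worth checking the range's owner first. The empty-User-Agent rule is a good signal but not proof: some uptime monitors and hand-written health checks send no User-Agent either, which is why the count threshold matters.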