
I want to automatically block IPs that are scanning my server (detected with portsentry), which hosts several websites.

I don't know which level to choose to ban IP ranges: /24, /16, other? From what level is there a risk of false positives (legitimate traffic blocked)?

Example: this IP tries an attack: 100.100.100.100. If I block 100.100.100.0/24 or 100.100.0.0/16, is it risky? What is the most appropriate level?

user2267379
  • First you need to define what legitimate traffic is. Is it a port or an IP range that you need to block? Is the IP known to be a "malicious" one? A simple VPN will allow any attacker to just change their IP – Mixone Jan 14 '20 at 09:56
  • 1
    @Mixone I want to automatically block IPs that are scanning my server (detected with portsentry), which hosts several websites. You think using subnets is not a good idea because legitimate traffic can be blocked? – user2267379 Jan 14 '20 at 10:00

2 Answers

1

Even blocking a single IP address can block lots of legitimate traffic. There have been times when an entire country shared a single IP address. As late as 2009, blocking 82.148.97.69 would have blocked thousands of people (though not all of Qatar as is sometimes reported).

David Schwartz
  • You think using a tool like portsentry or fail2ban that blocks individual IPs poses a great risk of blocking legitimate traffic? – user2267379 Jan 14 '20 at 10:11
  • My main visitors are in France, blocking Qatar doesn't matter to me. – user2267379 Jan 14 '20 at 10:12
  • 1
    @user2267379 The question doesn't really ask about a "great risk" but about a "a risk". I would say it depends what you're blocking. If it's the SSH port on a server, there is almost no risk. If it's the login scheme for a public-facing service, IP bans are unwise unless there are really no other options. – David Schwartz Jan 14 '20 at 10:13
  • 1
    These days - carrier grade NAT and the fact that a lot of endpoints shall not be reached (mobile devices) and the ISPs love putting those behind NAT - means yes, even a single IP is more and more likely to block also legitimate users. Remember, we are OUT of IP addresses, so providers resort to NAT to save addresses, too. – TomTom Jan 14 '20 at 10:13
  • ok I trust you. I thought at the beginning that the hackers did not use the same VPN as the public. – user2267379 Jan 14 '20 at 10:21
1

If you're just looking to stop the offender you will usually do fine to ban the immediate IP block. I wouldn't go much further than that.

For example, imagine I am being attacked by Vodafone Australia:

  • I know the IP address is 202.142.xxx.yyy
  • I go to this helpful site https://mxtoolbox.com/asn.aspx and type in the IP
  • It tells me that I need to block 202.142.136.0/21 (2046 hosts)

Ultimately, it is up to you to decide how severe the attack is vs the amount of potential legitimate traffic you might lose. We can't help with that.

Edit: If you want to do it programmatically, whois has you covered:

# Stackoverflow
whois 199.115.115.119 | grep -o "inetnum:.*"

# inetnum:      199.0.0.0 - 199.255.255.255
Matt
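Added example (not from either answer): a small Python script that turns the inetnum/NetRange line of whois output into CIDR blocks and compares the ban sizes proposed in the question (/32, /24, /16) against that allocation, showing how many addresses each would take down and whether it spills onto networks the offender's provider does not own. The whois excerpt is a constructed sample, not a real lookup.

```python
import ipaddress
import re

# Constructed whois excerpt for the question's example IP 100.100.100.100.
# The range is invented for illustration, not a real allocation.
SAMPLE_WHOIS = """\
inetnum:        100.100.96.0 - 100.100.103.255
netname:        EXAMPLE-NET
descr:          constructed sample, not a real lookup
"""

# RIPE-style records print "inetnum:", ARIN-style records print "NetRange:".
RANGE_RE = re.compile(r"^(?:inetnum|NetRange):\s*(\S+)\s*-\s*(\S+)", re.M | re.I)


def allocation_from_whois(text):
    """Return the CIDR blocks that exactly cover the range whois reports."""
    m = RANGE_RE.search(text)
    if not m:
        raise ValueError("no inetnum/NetRange line found in whois output")
    first = ipaddress.ip_address(m.group(1))
    last = ipaddress.ip_address(m.group(2))
    # A range that is not prefix-aligned summarizes to several blocks.
    return list(ipaddress.summarize_address_range(first, last))


def candidate_bans(ip, whois_text, prefixes=(32, 24, 16)):
    """Compare candidate ban sizes against the offender's allocation.

    Returns (cidr, addresses_covered, inside_allocation) tuples: first the
    allocation itself (the "immediate IP block"), then each requested prefix.
    Address counts include network/broadcast; tools that quote "2046 hosts"
    for a /21 subtract those two.
    """
    addr = ipaddress.ip_address(ip)
    alloc = allocation_from_whois(whois_text)
    rows = [(str(a), a.num_addresses, True) for a in alloc]
    for p in prefixes:
        net = ipaddress.ip_network(f"{addr}/{p}", strict=False)
        # A block larger than the allocation spills onto unrelated networks.
        inside = any(net.subnet_of(a) for a in alloc)
        rows.append((str(net), net.num_addresses, inside))
    return rows


if __name__ == "__main__":
    for cidr, count, inside in candidate_bans("100.100.100.100", SAMPLE_WHOIS):
        note = "within allocation" if inside else "SPILLS outside allocation"
        print(f"{cidr:<22} {count:>8} addresses  {note}")
```

Feed it real `whois <ip>` output instead of SAMPLE_WHOIS to get the same table for an actual offender.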