What is the simplest way to block all users from visiting a TLD? This seems like a basic functionality but I haven't found a good answer.
This definition of "Criminal Activities" doesn't seem to line up with the advice of using this category for malware domains, etc.:
Includes sites for advocating, instructing, or giving advice on performing illegal acts; tips on evading law enforcement; and lock-picking and burglary techniques.
The User Activity called Criminal Activity contains 7 categories.
One of the categories is also called Criminal Activity. The description may not be ideal - I know that child porn and other illegal to browse to things are categorized as Criminal Activity.
The other most important category is Spyware and Malware. This is where a lot of the bad computer security stuff is.
Blocking the entire User Activity is what I recommend.
I will not comment on the decision of naming a User Activity the same as a Category. :)
Ugh! Just went and looked at some of the backend and mapping. Again, I will not comment on decisions for naming and inclusion. :)
Consider blocking User Activity Suspicious. This is a mix of bad stuff (spam) and not bad stuff (advertising). Maybe look at the categories inside and make a decision.
I would also personally block these:
Command and Control (if you are using Advanced Threat Protection then this is already blocked. If you are not then this category takes effect.)
Spam URLs (also part of the User Activity Suspicious)
Hacking
I suspect GeoIP blocking makes more sense for blocking incoming connections from certain countries, or incoming/outgoing for certain ports (we should block any SSH access from internal to Russia).
For outgoing web traffic it makes less sense; I just brought it up for web as an additional thing for a paranoid admin to lock down.
This is misleading. The US is the leader because hackers from other countries know they cannot create their links in their own country due to country blocking; essentially this is a product of the country blocking technique used by many admins. I have a black hole setup. The list started with 1 or 2 IPs a year or so ago, and I think it is now at 200. I actually send out a lot of abuse emails to hosting companies; most are pretty good about it, and I usually check a few days later from a test setup I have and the link or page is gone.
The real issue here is cloud platform or web hosting companies not doing their due diligence when letting users sign up. They just kick out a trial server to anyone with an email. I mean, what do they expect? "Here ya go, have a virtual Linux server to use for 2 weeks at no cost, no worries, you seem like a good person." I should sign up for one for fun as-
First Name: Malicious
Last Name: Hacker
Company: Your Checking Account
Phone Number: 666-666-6666
Email: stole_this_from_someone@ransomeware.com
Confirmed Michael Dunn's suggestion on page 1.
"a URL Group just containing 'ru' will do it" - tested and working.
Some TLDs worth blocking are listed below:
https://www.spamhaus.org/statistics/tlds/
https://medium.com/alphasoc/a-deeper-look-at-dangerous-tlds-19f9e3e77926
https://www.symantec.com/blogs/feature-stories/top-20-shady-top-level-domains