
How do you all blacklist IPs? I have 50K+

I currently have blacklisted 50,000+ IP addresses in my Sophos XG210. I am running 16.05.XX. I started this in March and was blacklisting approx. 15K a month until August, when I got busy. I am about to add 30+ more IP addresses and I want to get the opinion of other Sophos users first.

The IP addresses I am blacklisting are IP addresses that are trying to hit the login page of my WordPress site. I pull the IP addresses from the Sophos reports that try to request:

"/wp-login.php".


I have 50+ IP lists in the Sophos with exactly 1,000 IP addresses in each. So far I have not seen a performance degradation. In order to blacklist these, I have a "DNAT/Full NAT/Load Balancing" rule that is set to Source Zone=WAN, Allowed Network Clients=all of the IP address list objects, forwarded to a fake IP range I made up and a fake zone. The rule is at the top, so they are just dropped before they go anywhere else.


I just created a ticket with Sophos, asking them what the limit on IP addresses in a single list is and what the limit on the number of objects the Sophos can handle is; however, I don't see them answering quickly, nor do I see them answering with due diligence and actually giving me the answers I want.


Any thoughts?

  • Hi,

    we need more details.

    Is your WordPress site advertised on the www? If so, where do you expect your clients to originate from?

    Ian

  • Without giving too much details:

    - It is advertised, but not heavily; our customers mainly know about it.

    - I expect my clients to originate from the USA 99.9% of the time, arguably 100%.

    However customers/clients may need to sign in from foreign countries so I can't exactly geo-block.

    Also, there are a lot of USA IPs trying to hit my WP login page, so geo-blocking wouldn't get rid of all malicious activity.

    - Anyone trying to get to the WP login is not acting in good nature, so I don't mind blocking them entirely from our network.

  • Rather than blacklisting at the firewall, have you thought about using a tool like Fail2Ban (assuming WordPress is running on a Linux machine) that will inspect the Apache logs and can update iptables on the host itself to block the requests? Script kiddies and bot scripts that try and exploit sites like this generally hop IP addresses often, so your effort to block IPs on a long-term basis is fairly futile and a waste of your time.

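The Fail2Ban approach suggested above, shown as added example code that is not from this thread and not Fail2Ban's own code: it applies the same `maxretry`-within-`findtime` rule a Fail2Ban jail uses to Apache combined-format log lines and returns the source IPs that would be banned. The log lines, the IP addresses (all from documentation ranges) and the thresholds are constructed sample data; the function only reports offenders, so the result can be handed to iptables, Fail2Ban, or a firewall object as you see fit.

```python
"""Flag source IPs that repeatedly hit /wp-login.php, Fail2Ban-style.

Added example, not from the thread. A Fail2Ban jail bans an IP once it
matches the filter `maxretry` times within `findtime` seconds; this
reproduces that decision over Apache combined-format log lines so the
resulting IP set can be fed to whatever blocking mechanism you prefer.
All log lines below are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log: ip ident user [date] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        # drop the query string so /wp-login.php?action=... still counts
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def find_offenders(lines, maxretry=5, findtime=600, path="/wp-login.php"):
    """Return {ip: total_hits} for IPs with >= maxretry hits on `path`
    inside any sliding window of findtime seconds (Fail2Ban semantics)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != path:
            continue
        hits[rec["ip"]].append(rec["ts"])

    offenders = {}
    window = timedelta(seconds=findtime)
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # shrink the window from the left until it spans <= findtime
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= maxretry:
                offenders[ip] = len(stamps)
                break
    return offenders


# Constructed sample: a scripted burst, a normal user, a slow scanner, and junk.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2017:14:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3123 "-" "python-requests/2.18"
203.0.113.7 - - [10/Oct/2017:14:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "python-requests/2.18"
203.0.113.7 - - [10/Oct/2017:14:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "python-requests/2.18"
203.0.113.7 - - [10/Oct/2017:14:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "python-requests/2.18"
203.0.113.7 - - [10/Oct/2017:14:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "python-requests/2.18"
203.0.113.7 - - [10/Oct/2017:14:00:11 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 3123 "-" "python-requests/2.18"
198.51.100.22 - - [10/Oct/2017:14:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2017:14:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2017:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "curl/7.55"
192.0.2.9 - - [10/Oct/2017:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "curl/7.55"
192.0.2.9 - - [10/Oct/2017:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "curl/7.55"
192.0.2.9 - - [10/Oct/2017:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "curl/7.55"
192.0.2.9 - - [10/Oct/2017:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "curl/7.55"
this line is not in combined format
"""

if __name__ == "__main__":
    for ip, n in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} hits on /wp-login.php, would be banned")
```

With the defaults only the scripted burst from 203.0.113.7 is flagged; the slow scanner at 192.0.2.9 spaces its five attempts over two hours and is only caught once `findtime` is widened to 7200 seconds, which is the knob to turn for the low-and-slow case. Because Fail2Ban bans expire after `bantime`, the rotation the original poster is considering for stale entries happens automatically with this approach.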
  • I like the fact that blacklisting them at the firewall blocks them from my entire organization; I would rather block the traffic as soon as possible.

    It has not been a waste of time, actually. It is hard to find much that is a waste of time when it comes to security; you can never be too careful or too secure. There has been a massive drop in traffic to our servers since I started blacklisting IPs. For example, it reduces the amount of traffic to the real servers. This improves bandwidth and decreases needless log growth. On average I spend about 30 minutes a month getting my list updated, so it barely takes any time compared to the benefit. One of my thoughts is to rotate out the oldest set of IP addresses for the newest after 6 months or a year. This of course depends on what I find out regarding whether the XG can handle more IP addresses than what I gave it.


    Another thing to note is that I have yet to block a good IP. I am sure one will come along sooner rather than later: a re-used cloud IP now in good hands, or a kid in the basement's mother needing normal access. Until then, though, I am fine with blacklisting anything that looks malicious. I just want to know if there are more streamlined methods. Maybe an automatic method where, as soon as the Sophos sees an IP address try the WP login, it adds it to a list. I wonder if XG 17 has anything like this. For the WP login URL alone, there were over 560 unique IP addresses in the last 24 hours. That number is a bit higher than usual because I haven't blacklisted anything in a couple of months.


    Also, WP login is just one of many URL hits I deem malicious. We have other sites that have admin sides to them that are accessible internally only, well, supposed to be.


    Does anyone know if you can update address objects/IP lists via API?

  • I can't directly answer the question, but if you have noticed any patterns in the geographic origins of malicious visitors you may want to leverage country/region-based blocking in the XG if you are not already, if that won't negatively impact your objectives or business. Along the same lines, you may also find that the 50,000 reduces to a much smaller number of CIDR address blocks.
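The CIDR reduction mentioned in the last reply, as an added example that is not part of the thread: a lossless collapse with the standard library's `ipaddress.collapse_addresses`, plus an optional density roll-up that replaces any /24 holding at least `min_hits` offenders with the whole /24. The roll-up is the lossy version of the same trade-off as country blocking (fewer firewall objects, some unseen neighbours caught as collateral), so the function also reports how many extra addresses each setting would cover. The addresses are constructed sample data from documentation ranges; `prefix` and `min_hits` are parameters chosen here, not Sophos settings.

```python
"""Reduce a large set of individual IPv4 addresses to fewer CIDR blocks.

Added example, not from the thread. Two strategies:
  collapse_exact     - lossless; merges addresses only where they already
                       form complete power-of-two blocks.
  rollup_by_density  - lossy; a /prefix block with >= min_hits offenders is
                       replaced by the whole block, sparse blocks stay /32.
The sample addresses are constructed and drawn from RFC 5737 ranges.
"""
import ipaddress
from collections import Counter


def collapse_exact(ips):
    """Return the minimal list of networks covering exactly the given IPv4s."""
    addrs = {ipaddress.ip_address(ip) for ip in ips}  # set: drops duplicates
    return list(ipaddress.collapse_addresses(addrs))


def rollup_by_density(ips, prefix=24, min_hits=3):
    """Aggregate busy /prefix blocks, keep sparse addresses individually.

    Returns (networks, collateral): collateral is the count of addresses
    the result blocks that were NOT in the input, i.e. the cost of the
    roll-up in potentially legitimate neighbours.
    """
    addrs = {ipaddress.ip_address(ip) for ip in ips}

    def block_of(a):
        return ipaddress.ip_network(f"{a}/{prefix}", strict=False)

    per_block = Counter(block_of(a) for a in addrs)
    dense = {b for b, n in per_block.items() if n >= min_hits}

    keep = list(dense)
    keep += [ipaddress.ip_network(a) for a in addrs if block_of(a) not in dense]
    nets = list(ipaddress.collapse_addresses(keep))

    covered = sum(n.num_addresses for n in nets)
    return nets, covered - len(addrs)


# Constructed sample: one contiguous run, one scattered-but-busy /24, one loner.
SAMPLE_IPS = [
    "203.0.113.0", "203.0.113.1", "203.0.113.2", "203.0.113.3",
    "203.0.113.4", "203.0.113.5", "203.0.113.6", "203.0.113.7",
    "198.51.100.10", "198.51.100.40", "198.51.100.77", "198.51.100.200",
    "198.51.100.10",          # duplicate, as a real export would contain
    "192.0.2.5",
]

if __name__ == "__main__":
    print("exact :", [str(n) for n in collapse_exact(SAMPLE_IPS)])
    for hits in (3, 5):
        nets, extra = rollup_by_density(SAMPLE_IPS, min_hits=hits)
        print(f"min_hits={hits}: {len(nets)} objects, {extra} collateral addresses")
```

On the sample the exact collapse turns 14 list entries into 6 objects (the eight consecutive hosts become 203.0.113.0/29), and the roll-up at `min_hits=3` gets down to 3 objects at the price of 500 addresses that were never seen attacking. Run against a real export, the collateral number is what tells you whether a given roll-up threshold is acceptable for the business before you load it into the firewall.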