
How do you all blacklist IPs? I have 50K+

I currently have 50,000+ IP addresses blacklisted in my Sophos XG210. I am running 16.05.XX. I started this in March and was blacklisting approx. 15K a month until August, when I got busy. I am about to add 30+ more IP addresses and I want to get the opinion of other Sophos users first.

The IP addresses I am blacklisting are those that are trying to hit the login page of my WordPress site. I pull the IP addresses from the Sophos reports of clients that try to request:

"/wp-login.php".

I have 50+ IP Lists in the Sophos with exactly 1,000 IP addresses in them. So far I have not seen a performance degradation. In order to blacklist these, I have a "DNAT/Full NAT/Load Balancing" rule that is set to Source Zone=WAN, Allowed Network Clients=All of the IP address list objects, forwarded to a fake IP range I made up and a Fake zone. The rule is at the top. So they are just dropped before they go anywhere else.

I just created a ticket with Sophos asking them what the limit on IP addresses in a single list is and what the limit on the number of objects the Sophos can handle is; however, I don't see them answering quickly, nor do I see them answering with due diligence and actually giving me the answers I want.

Any thoughts?

  • Rather than blacklisting at the firewall, have you thought about using a tool like Fail2Ban (assuming WordPress is running on a Linux machine) that will inspect the Apache logs and can update iptables on the host itself to block the requests? Script kiddies and bot scripts that try to exploit sites like this generally hop IP addresses often, so your effort to block IPs on a long-term basis is fairly futile and a waste of your time.

  • I like the fact that blacklisting them at the firewall blocks them from my entire organization; I would rather block the traffic as soon as possible.

    It has not been a waste of time, actually. It is hard to find much that is a waste of time when it comes to security; you can never be too careful or too secure. There has been a massive drop in traffic to our servers since I started blacklisting IPs. For example, it reduces the amount of traffic to the real servers. This improves bandwidth and decreases needless log growth. On average I spend about 30 minutes a month getting my list updated, so it barely takes any time compared to the benefit. One of my thoughts is to rotate out the oldest set of IP addresses for the newest after 6 months or a year. This of course depends on what I find out as to whether the XG can handle more IP addresses than what I have given it.

    Another thing to note is that I have yet to block a good IP. I am sure one will come along sooner or later: a re-used cloud IP now in good hands, or a kid in the basement whose mother needs normal access. Until then, though, I am fine with blacklisting anything that looks malicious. I just want to know, however, if there are more streamlined methods. Maybe an automatic method, such that as soon as the Sophos sees an IP address try the WP login it adds it to a list. I wonder if XG 17 has anything like this. For the WP login URL alone, there were over 560 unique IP addresses in the last 24 hours. That number is a bit higher than usual because I haven't blacklisted anything in a couple of months.

    Also, WP login is just one of many URL hits I deem malicious. We have other sites that have admin sides to them that are accessible internally only, well, supposed to be.

    Does anyone know if you can update address objects/IP lists via API?
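The log-mining step the original post describes (collecting the source IPs that request /wp-login.php and packing them into 1,000-entry lists), plus the allowlist check the follow-up worries about, as an added example that is not from the thread or from Sophos. The Apache log lines are constructed; the /xmlrpc.php path and the allowlisted networks are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2017:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2017:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 8124 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2017:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2017:13:56:02 +0000] "GET /wp-login.php?redirect_to=/ HTTP/1.1" 200 3421 "-" "python-requests/2.18"
10.1.2.3 - - [10/Oct/2017:13:56:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2017:13:57:15 +0000] "GET /xmlrpc.php HTTP/1.1" 405 0 "-" "python-requests/2.18"
"""

# Client IP, request method, path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths treated as hostile when hit from the WAN; /wp-login.php is from the thread, /xmlrpc.php is an assumption.
WATCH_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Networks never to block: RFC 1918 ranges here; add your own public ranges so a "good IP" never lands in a list.
ALLOW_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def offending_ips(log_text, watch_paths=WATCH_PATHS, allow_nets=ALLOW_NETS):
    """Return a Counter of source IP -> hits on watched paths, skipping allowlisted networks and unparsable lines."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore the query string when matching the path
        if path not in watch_paths:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if any(ip in net for net in allow_nets):
            continue
        hits[str(ip)] += 1
    return hits


def chunk_lists(ips, size=1000):
    """Split the IPs into sorted lists of at most `size` entries (the thread uses 1,000 per XG IP list object)."""
    ordered = sorted(ips, key=lambda s: (ipaddress.ip_address(s).version, int(ipaddress.ip_address(s))))
    return [ordered[i:i + size] for i in range(0, len(ordered), size)]
```

Each chunk is one list object's worth of entries; whether they can be pushed to the XG without the GUI is exactly the open API question above.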