Blocking traffic from China

Davor

New Member
Hi,

I'm considering blocking some ports (mostly email/ftp) and just leave 80 to China as I receive most of failed logins from there. 3-5 blocks per day

Is this a 'good practice', or its better to block all traffic (all my websites doesn't have interested in that market).

Any other tips or setups you are using on your vps?
thanks
 

Gimpy

Member
I've been considering this as well. Most spammers I get nowadays are Chinese. I guess with all the cheap labor, they can pay someone to try to get past the anti-spam measures. New members can't post links so they get zapped before they can spam but I'd rather not even bother with them.

http://www.parkansky.com/china.htm
 

Dave G

Member
Good Day

To block traffic form China trying to login to my VPS what I did was created a CIDR from here https://www.countryipblocks.net/country_selection.php , copied the IP's listed in the box and pasted it into the Home >> Security Center >> cPHulk Brute Force Protection >> Black List.

Not sure if this is what your looking for but it works nice for me.

Dave G
 

Davor

New Member
Thank you both,

At this moments its not critical, but I would like to do something. I get spammers from europe too, but they are very small numbered compared to china ip's.

I think Dave's option is useful and can form part of the process of protection.
 

KH-Mathew

Systems Administration
Staff member
Hi,
The cPHulk feature is pretty good, but it does not make blocks in iptables, it only manages access to a service. This makes it, in my opinion, not very powerful. I prefer using methods that are inclusive to all services. IE: If you get blocked for trying to brute a cPanel login I don't want you on my website either. cPHulk also stores its data in mysql which to me makes it far too likely to become corrupt. If your server is being attacked by a flood of bots causing mysql to crash while the table is open then it is likely that the table will be marked as crashed and the data not available.
CSF actually has a feature that allows you to block IP addresses based on country code, however it is utterly useless for a VPS. The reason for this is that the massive number of iptables rules that are placed cause iptables/CSF to crash. I have a script that matches IP's found in domlogs against those in stopforumspam.com's RBL and have noticed iptables starting to throw errors at around 7k blocks. The error that I see in this instance is something like "iptables: Too many levels of sybolic links". KH-Jonathan told me before that blocking by CC would not work and cause iptables to crash before I tried that, but of course I had to test it for myself. On a server with 2.5G of RAM and 4 2GHz processors CSF started crashing after about 1 hour. Chksrvd never could get CSF back up. Removing the CC block immediately solved the issue. Those were the results of my test. Seems like the default of 100 max deny rules in CSF is there for good reason.
While I understand the alarm caused when seeing all of the alerts generated by CSF (especially the high number that are concentrated from one region) the fact that you are getting those alerts means that the firewall is doing its job. Even with a large number of ip's to burn through the amount of time that it would take to brute force a strong password when getting blocked on every fifth try is way up there. For basic site traffic there are other ways of handling this. Here is my short list of proactive steps that you can take:

1. Use CloudFlare. Targets for bot networks are normally found using techniques that rely on DNS (Google dorking and such). CloudFlare blocks much of this traffic at
the DNS level for you.

2. Of course use good access control in your coding. Using rewrite rules, allow/deny directives etc. Redirecting or denying traffic that should not access a script such as
wp-login will go a long way in saving resources if you are swarmed by a bot net. If you only use wp-login for administrating a site and don't have customers logging in
through it then it should be locked down to only the admin's address on the webserver level using .htaccess.

3. Use modsec if access control is especially important to you. While this does add another layer of complexity for the administrator it may be worth it to you.The downside is normally accidental blocks and false alarms. Usually things like google bot can cause false alarms and/or get blocked unintentionally. Reading up on
modsec and carefully planning for welcomed bot traffic such as google bot and any bots that may be performing analytics for you is important. There is a free plugin for WHM at http://configserver.com/cp/cmc.html provided by ConfigServer. It integrates with CSF firewall and will create perm blocks based on recurring modesec infractions.

4. Check into CMS plugins that can be used to combat "bad" traffic.

5. Use cPanel's Host Access Control or for terminal junkies go straight to hosts.allow and control access to services there. If you are the only one that should be accessing WHM then don't give anyone the opportunity to even try. http://docs.cpanel.net/twiki/bin/view/AllDocumentation/WHMDocs/DenyAccess.

6. If you don't use it, turn it off. I don't use FTP, so I don't run an FTP daemon. Since I am the only person with sites on my server cPanel accounts don't have shellaccess. I can work as root. Some may call that taking the name of root in vain, but it is my preference. I leaves me with only one ssh account that requires a key.

7. Use shared keys for SSH. Password protect them.

8. Use strong passwords. You would be amazed at how many people use things like "bobby123" as a root password for a VPS with 300 sites on it. That is not an exaggeration. I use http://www.random.org/passwords/ to generate passwords.
 

Davor

New Member
This is very useful Mathew!

I was checking CloudFare already for other things and this extra protection was a plus.
Thank you again!
 

DRE

New Member
As I mentioned in my Paid Request thread on xenforo.com I need bot protection, of which I had been looking at Incapsula's free plan and am wondering if that would be a good idea to use especially since there already is a Xenforo Resource about it. I'm moving my site to a managed VPS because my site has been getting aggressively indexed by Baidu search engine spiders. This indexing by the Chinese search engine is using up the site's resources and bandwidth of which I do not have much of since I am on shared hosting. I'm looking at this: https://www.knownhost.com/managed-ssd-vps-packages.html SSD-2 Plan. Managed VPS w/cPanel. 2GB Guaranteed RAM, 30GB RAID 10 SSD Storage. Debating on whether to go with their Litespeed which is $12 extra or pay a coder to install NGINX Reverse Proxy. Only thing keeping me from buying now is wondering why the coupon codes aren't working. About Cloudflare, I've had so many issues with Cloudflare in the past when I was on Shared Hosting and even 'Semi-Dedicated' that I am not willing to give them another shot, hence Incapsula.
 

KH-Mathew

Systems Administration
Staff member
Hi Dre,

Support can install Nginx as a reverse proxy to Apache for you. While Litespeed is definitely a powerful and fast web server I have seen very good results from nginx. Before throwing software at it make sure that your site is optimized though. This includes using expires headers to force caching. Even if you have to set the expires time very low due to the site being very dynamic and images changing a fairly low expires time can save you some bandwidth if customers are reloading pages, changing to pages that require a full page load but reuse headers/footers etc. Minify all css and Javascript and use a CDN for jQuery when possible. Make sure that if you are displaying an image at 120x120px via css that the actual image size is not 2000x2000. I have seen a site that loaded a 15M index page that was reduced to ~1M after properly resizing images. This will help with bandwidth as well as page loads. We use the the Nginx Admin plugin for cPanel from http://nginxcp.com/.

For regulating bot traffic you can use robots.txt. Any legitimate search engine bots should adhere to this . You can also use mod_security to filter traffic based on many attributes. You can check the referrer and user agent using modsec and block based on this. Referrer and User Agent are not extremely reliable since the client can spoof these but it does offer some mode of protection from the weakest attacks. More in depth use of the modsec regex engine will allow blocks based on matches to sketchy request URI's. Config Server has a modsec plugin for cPanel here http://www.configserver.com/cp/cmc.html . Config Server's plugin ties in with their firewall too so that multiple modsec infractions will trigger a perm block by the firewall. It does take some in depth knowledge of how request URI's are used to exploit scripts and the use of regular expressions to fully leverage the power of modsec, but the base definitions lists are pretty powerful. Just be prepared to need some tweaking to keep from blocking legitimate traffic such as google bot.

As for the coupon codes, email sales@knownhost.com to find out more about that. I know there are some coupons that apply to VPS and Dedicated servers but not SSD.
 
  • Like
Reactions: DRE
Top