
IP Block List


BlueWyvern


Hi guys, I am having an issue with SSH brute forcers and have now been auto-blocking anywhere between 14 and 22 IPs a day. Is there any pre-compiled list of known country offenders? I notice the majority of these are China and a few are Russia, but I don't check every IP.

Am I stuck either paying for a service or creating the list myself?

Thanks!


Sadly the situation requires port 22 and will not allow me to use a username other than admin without the ability to switch to key pairs at all. Synology Time Backup to an offsite unit. I do have a stupidly strong password on it that would take quite some time to brute force, but still it's annoying seeing so many attempts every day.


There are public and paid-for databases of country IP blocks, but they change often, which means constantly updating your list as well, so it becomes a cat-and-mouse game, and blocking countries will just make them move to proxies or other countries' IPs from nodes they've compromised. If they really want in, they'll keep hammering it if it's sitting on the net. Especially if it's known the username is admin only (I guess someone must know it's a "Synology Time Backup" and that's the default or hardcoded username??), it's just a matter of time before the password is hammered out if you can't change the username as well.

https://www.google.com/search?num=50&newwindow=1&q=country+IP+block+lists&oq=country+IP+block+lists&gs_l=serp.3..0.477164.477164.0.477784.1.1.0.0.0.0.130.130.0j1.1.0....0...1c.1.35.serp..0.1.129.bVV9eRX054U

If you can't change it to key pairs like mentioned above (and port changing really just delays the attack, since a banner grab via an nmap or other scanning tool will return an SSH version no matter what port it's on if it's listening on the internet), can you instead create a whitelist of nodes you want allowed vs. trying to block each one individually? Not 100% effective, but might help cut down on the attacks. If you can set rules to block an IP, hopefully you can set a rule or ACL to only accept specific IPs, which might work better for you until you figure out a better solution, like moving it behind another zone/NAT'd device and only accessible over a VPN.

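The allowlist approach suggested in the reply above, as an added example that is not part of the original thread: it reads sshd log lines and shows which sources a single accept-only-these-networks rule would drop, with no per-IP or per-country list to maintain. The log lines are constructed, and the `192.0.2.0/28` allowlist network and the function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Jan 10 03:12:01 nas sshd[411]: Failed password for admin from 203.0.113.45 port 51122 ssh2
Jan 10 03:12:04 nas sshd[411]: Failed password for admin from 203.0.113.45 port 51130 ssh2
Jan 10 03:15:40 nas sshd[420]: Failed password for admin from 198.51.100.7 port 40022 ssh2
Jan 10 04:00:02 nas sshd[433]: Accepted password for admin from 192.0.2.10 port 50514 ssh2
Jan 10 04:20:19 nas sshd[450]: Failed password for invalid user root from 198.51.100.99 port 33211 ssh2
Jan 10 05:00:02 nas sshd[470]: Failed password for admin from 192.0.2.10 port 50600 ssh2
"""

# Assumption: the offsite backup unit connects from this one network.
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/28")]

LINE_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def is_allowed(addr, allowlist=ALLOWLIST):
    """True if addr falls inside any allowlisted network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in allowlist)

def summarize(log_text, allowlist=ALLOWLIST):
    """Count failed logins per source, split into (outside, inside) the allowlist."""
    outside, inside = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        result, _user, src = m.groups()
        try:
            allowed = is_allowed(src, allowlist)
        except ValueError:
            continue  # source is not an IP literal (e.g. a hostname); skip it
        if result == "Failed":
            (inside if allowed else outside)[src] += 1
    return outside, inside

if __name__ == "__main__":
    outside, inside = summarize(SAMPLE_LOG)
    print("sources an allowlist rule would drop before authentication:")
    for src, n in outside.most_common():
        print(f"  {src}: {n} failed attempts")
    print("failures from allowlisted sources (still worth reviewing):", dict(inside))
```

Failures from an allowlisted address are reported separately because an allowlist only narrows who can reach the login prompt; it does not replace reviewing failed logins from trusted networks.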
