I want to stop users from country X from accessing my website. I know I can ban people's IPs but I don't know if it is possible to ban a certain geographical area and if so, I haven't got a clue about how to do it.
I need to ban an IP range and I inserted, say, IP 12.44.0.0 in the deny_hosts rules. This should ban the range from 12.44, but strangely people from that range are still able to access my site. Any idea what went wrong?
Why does a client order a dedicated server from Russia but then inform us they have transferred the money by telegraphic transfer from a Hong Kong bank, as a different person?
We really do our best to be reasonable but what is the logic behind that?
I then turned on the brute force protection cPanel provides, and it went down considerably from there. I'm not concerned at all about it (since the passwords are strong), but I would like to know the best way to determine abusive users (of SSH), and the best way to ban them.
Assuming the server does not have APF installed, or any particular control panel...
Getting these emails, several a day, telling me that the server is banning its own allocated IP addresses. Can someone explain what on earth it could possibly be doing to ban its own IPs?
Banned the following ip addresses on Thu Dec 20 15:13:38 BRST 2007
xxx.xxx64.138 with 151 connections
I have CentOS 4 / cPanel installed with APF / BFD, yet the deny host rules for APF do not show the server IPs listed as banned.
My VPS provider didn't enable a lot of modules and that's why I can use a firewall (csf or apf) and dos deflate script
I need a simple script for it.
First, it has to call this:
    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
then there will be something like:
    Number : IP address
    20 1.2.3.4
    40 1.2.3.5
    80 1.2.3.6
and then the bash script has to ban IPs with more than 30 connections (in our case: 1.2.3.5 and 1.2.3.6) with this:
    iptables -A INPUT -s IP_FOR_BLOCK -j DROP
I installed mod_security and the 403security rules on my VPS (Centos 4.1, Release version of WHM).
Several vBulletin files, including the ajax quick editor and some vbulletin.org add-ons are triggering this rule and banning members' IPs in CSF:
# Restrict which content encodings we accept.
#
# TODO Most applications support only two encodings for request bodies
#      because that is all browsers know how to produce. If you are using
#      automated tools to talk to the application you may be using other
#      content types and would want to change the list of supported encodings.
#
#      Note though that ModSecurity parses only three content encodings:
#      application/x-www-form-urlencoded, multipart/form-data request and
#      text/xml. The protection provided for any other type of encoding is
#      inferior.
#
# TODO There are many applications that are not using multipart/form-data
#      encoding (typically only used for file uploads). This content type
#      can be disabled if not used.
#
# NOTE We allow any content type to be specified with GET or HEAD
#      because some tools incorrectly supply content type information
#      even when the body is not present. There is a rule further in
#      the file to prevent GET and HEAD requests to have bodies to we're
#      safe in that respect.
#
# NOTE Use of WebDAV requires "text/xml" content type.
#
# NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports
#      applications running on the PocketPC and AvantGo platforms use
#      non-standard content types:
#
#      M-Business iAnywhere  application/x-mal-client-data
#      UltraLite iAnywhere   application/octet-stream
#
SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" "chain, t:lowercase, deny,log,auditlog,status:501,msg:'Request content encoding is not allowed by policy',id:'960010',severity:'4'"
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)"

I don't know how to decipher this rule to know if just removing it is ok, or if it is serving an important purpose. During a couple hour period it was enabled, that rule only seemed to trigger false alarms.
The above was triggered with calls such as [uri "/forums/ajax.php?do=usersearch"] and [uri "/forums/newreply.php?do=postreply&t=11057"]
What I really don't understand is that I have an .htaccess in place to turn off mod_security for the /forums directory:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

I have also had this rule triggered today when someone tried to access : ...
for over a year now, with iptables. However recently, after upgrading to apache 2.2, the connections in netstat get listed as ipv6. A row can look like this for example:
As you can see, the remote IP address isn't complete, it's cut off, so the script used to sum up connections and insert into iptables isn't doing anything.
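An added example (not part of any post above) for the two connection-counting posts: it counts connections per remote address from netstat -ntu style text, unwraps IPv4-mapped IPv6 addresses such as ::ffff:1.2.3.6, skips an allowlist of the server's own IPs, and prints the DROP rules instead of running them. The ALLOW list, the function names and the sample rows are assumptions constructed for illustration, and the input is assumed to carry full, untruncated addresses.

```shell
# Added example. ALLOW is a hypothetical list of addresses that must never be
# banned (loopback and the server's own IPs); all sample rows are constructed.
ALLOW="127.0.0.1 10.0.0.1"

# over_limit LIMIT: netstat -ntu text on stdin -> "count address" above LIMIT.
over_limit() {
    awk -v limit="$1" -v allow="$ALLOW" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            addr = $5
            sub(/:[0-9*]+$/, "", addr)   # strip only the trailing :port
            sub(/^::ffff:/, "", addr)    # IPv4-mapped IPv6 -> plain IPv4
            if (addr in skip) next       # never count our own addresses
            if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ ||
                addr ~ /^[0-9a-fA-F]*:[0-9a-fA-F:]+$/) count[addr]++
        }
        END { for (ip in count) if (count[ip] > limit) print count[ip], ip }
    ' | sort -n
}

# ban_commands LIMIT: prints (does not run) one DROP rule per offender.
ban_commands() {
    over_limit "$1" | while read -r n ip; do
        case "$ip" in
            *:*) echo "ip6tables -A INPUT -s $ip -j DROP" ;;
            *)   echo "iptables -A INPUT -s $ip -j DROP" ;;
        esac
    done
}

# rows COUNT PROTO LOCAL REMOTE: emit COUNT constructed netstat rows.
rows() {
    i=0
    while [ "$i" -lt "$1" ]; do
        i=$((i + 1))
        echo "$2 0 0 $3 $4:$((40000 + i)) ESTABLISHED"
    done
}

sample_netstat() {
    echo "Proto Recv-Q Send-Q Local Address Foreign Address State"
    rows 20 tcp  10.0.0.1:80        1.2.3.4
    rows 40 tcp  10.0.0.1:80        1.2.3.5
    rows 80 tcp6 ::ffff:10.0.0.1:80 ::ffff:1.2.3.6
    rows 50 tcp  10.0.0.1:3306      10.0.0.1
    rows 35 tcp6 2001:db8::10:80    2001:db8::1
}

sample_netstat | ban_commands 30
```

Cutting the address at the first colon, as cut -d: -f1 does, returns an empty string for every ::ffff: row, which is why the port is removed from the right-hand end here.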
I've just finally got fed up with all the people from Israel trying to hack into my servers. Of course they're always auto-banned, but getting several attempts per day emailed to me it gets old...so I banned the entire country.
Anyone else ban entire countries from their servers?
I am very new to web design and have been messing around making mock sites and would like to get some of them live so I can get experience with using hosts and get some reviews on my basic designs.
I have just relocated to New Zealand and it seems pretty steep on pricing for hosting companies so can I use hosting companies outside of NZ?
What would be the disadvantages if any?
I am not after anything special like loads of bandwidth or storage.
I had a few sites hacked today. I'm using phpbb (all updates) and, apparently, the only thing they did was to drop the database and replace it with one featuring a single post "advertising" their hacker group. I tried bringing everything back on-line, but they would just attack again and take it down quickly... I'm thinking it's probably just some script kiddies.
They announce themselves as "turkish hackers". Browsing around for their message, I found they attacked quite a few sites. What I was thinking, to help preventing this from happening again, is to ban all visitors from Turkey (none of these sites has a need for them, as they're aimed at a local audience).
Can I do this simply by using "deny from .tr" in htaccess? Or are there any more steps to be taken?
I know that i.e. Hetzner gives you PA Space with your own Netname ("netname:" field) (maybe also own address) but they don't allow you to change the "country:" field, and it stays "DE"
I would like to have a block of 8/16/32 IPs with own "Netname:" field, and own "Country:" field (or as Countrycode "CN", "HK", "AG", "BS" or "KY")
Could provide P.O. Boxes in all those countries if needed.
The server behind it does not really matter, location should be not Germany and not USA (can't comply with some laws in these 2 countries) - something like 1Ghz CPU, 80Gb HDD, 512Mb Ram is enough - 100Mbit (or 10Mbit Burstable) with ~350Gb Traffic.
I am in the process of setting up a VPN server for a client who lives in a Middle Eastern country.
He will be using the VPN for all his internet surfing, email access, etc. (So the VPN will be his internet gateway. His local ISP connection will only be used to make the VPN connection.)
The majority of his internet surfing through the VPN will be to US websites.
Where is the best place to locate the VPN server? I have two datacenters available to choose from: USA or UK
I have experienced a number of attacks all from a specific country.
I would like to completely block access to all users from that country.
I realize that this is not fool proof because people from that country could still use a proxy.
I also realize that people in that country that are not hackers would not be able to access my web site but for the time being I still want to put this in place.
I use Linux / Cpanel / Apache. I have iptables installed.
Is there any way I can block all access to people from the problem country?
setting up another website which will have hopefully both a UK and US audience. I am looking at going with GoDaddy as they offer a domain extension I want, which no UK service seems to offer. Are there any disadvantages to this, will it operate slower?
I got a list of IPs from the country I want to block from blockacountry.com and I added them to my .htaccess as I have no access to PF or IP tables firewall.
I am concerned about the server load if I get too many requests from that country to access the webpage, I have been told of a better solution, blocking someone based on the browser language they use, for example for China that is "zh-CN" but I don't know how to implement this and I have not been able to find it through Google, help with this appreciated.
Second thing, anyone knows what happens when someone attempts to access a webpage from a blocked IP? Do they get a "Page not found" or "your IP is blacklisted" message?
If I block by browser language it would be good if the blocking message does not tell the user about this
(Notice that I am aware that blocking by browser language is not a perfect solution).
This might be a very broad question, but do they split up IP Address Groups for each region in countries? I know my country is quite small and all, but I was interested to know if IP addresses can be tracked for regions, more specifically in other countries.
I have a personal web site and am developing an online business that I hope will grow(of course) and am wondering if anyone could give me advice about using an overseas web host.
I am wondering if the extra distance between customer and web host will cause a significant lag time when they are using my website.
Apache version > I don't know (I am a GoDaddy user)
Apache platform > unix
I am trying to make a change to my current htaccess. For now my URL looks like: sitename.com/en/filename.ext. I want to have an address resembling this:
sitename.com/ca/en/filename.ext (in case the country is Canada and French language)
sitename.com/us/en/filename.ext (in case the country is United States and English language)
sitename.com/eu/en/filename.ext (in case the country is Europe and English language)
sitename.com/en/filename.ext (in case the country is not mentioned and English language)