STOP Attackers before an attack happens

Stas shared this idea 3 weeks ago
Open Discussion

As a server administrator I would like cPanel to integrate with third-party monitoring services to allow me to filter traffic in my server's firewall according to IP addresses managed by third parties, allowing me to more easily block traffic from known-malicious IPs that have no reason to log into my server.

For example, I would input the URL of a third party monitoring service, and cPanel would regularly ensure that the IP addresses in that third party list were blocked in my firewall.

Comments (6)


Isn't this already possible with ModSecurity?

You might also want to check out CloudLinux's Imunify 360 that does this as part of their product.


Hello.

As we know it isn't.

We would like to use a shared database of low-reputation IP addresses that are not allowed to access the server, like a spam blacklist.

Example:

An abuser attacks server A. Server A reports the abuser's IP address to the shared database.

All other services that use the shared database prevent any interaction with the abuser's IP address.

IP addresses on this list cannot connect to the server.


Hi Stas,

It turns out malicious servers scan our networks by IP range, and when the security system blocks them, they go on to the next IP.

It is for this reason that our Security Operations Center has put in place a security information management system (SIM) in order to view and manage those attacks and block them preventively on our other servers.

The blocklist is very easy to use: go to WHM >> ConfigServer Security & Firewall >> lfd Blocklist and add this code at the end of the file:

  # GreenSnow Hack List
  # Details: https://greensnow.co
  GREENSNOW|3600|0|http://blocklist.greensnow.co/greensnow.txt

Enjoy tranquility!

If you wish to participate in the blocklist with honeypots, please contact me via the contact page.


modsec is for amateurs...

Look at CSF blocklists... also: https://greensnow.co/, which uses CSF iptables.

This will help you with the most virulent ones, but you can't fight the whole world, since 10% of IPs are bad :). Don't overload CSF iptables; this can lead to a freeze of CSF, then a server crash.

We use nginx, and map custom settings to block big lists when we want; just an example, custom security is not in the catalogue, and is large... We block countries like RU, CN, UA (because most come from there), and the client can allow them if he wants, thanks to an advanced nginx plugin system too....
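The lfd blocklist line posted earlier and the warning just above about overloading CSF iptables both come down to one thing: what a third-party feed contains before it reaches the firewall. The following is an added example (my own code, not from this thread, CSF or GreenSnow) that parses a NAME|INTERVAL|MAX|URL line and sanity-checks a feed body: it skips junk, refuses non-routable ranges so the list cannot lock you out of your own server, deduplicates, and honours the MAX cap so a huge feed cannot bloat iptables. The sample feed, the function names and the reading of the MAX field (0 = use the whole list) are assumptions for the example.

```python
import ipaddress
from collections import namedtuple
# Ranges a feed must never push into the firewall (local, link-local, multicast).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/3", "::/128", "::1/128", "fc00::/7", "fe80::/10")]
# interval: refresh period in seconds; max_ips: cap on entries taken (assumed: 0 = all).
BlocklistEntry = namedtuple("BlocklistEntry", "name interval max_ips url")

def parse_blocklist_line(line: str) -> BlocklistEntry:
    """Parse one 'NAME|INTERVAL|MAX|URL' line in the lfd blocklist syntax."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields, got {len(parts)}: {line!r}")
    name, interval, max_ips, url = parts
    if not name.isalnum() or not url.startswith(("http://", "https://")):
        raise ValueError(f"bad name or URL in {line!r}")
    return BlocklistEntry(name, int(interval), int(max_ips), url)

def is_safe_to_block(net) -> bool:
    # Reject near-whole-internet prefixes and anything overlapping local ranges.
    return net.prefixlen >= 8 and not any(
        net.version == bad.version and net.overlaps(bad) for bad in NON_ROUTABLE)

def filter_feed(body: str, max_ips: int = 0) -> list:
    """Return validated, deduplicated networks from a raw feed body, capped at max_ips."""
    seen, keep = set(), []
    for raw in body.splitlines():
        token = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue                               # blank or junk line: skip, never crash
        if not is_safe_to_block(net) or net in seen:
            continue
        seen.add(net)
        keep.append(net)
        if max_ips and len(keep) >= max_ips:       # honour the MAX cap
            break
    return keep

# Constructed sample feed (documentation ranges, not real GreenSnow data).
SAMPLE_FEED = """\
203.0.113.10
203.0.113.10        # duplicate
198.51.100.0/24
10.0.0.5            # RFC 1918: must never be blocked
not-an-ip           # junk: must be skipped
0.0.0.0/0           # would block everyone
192.0.2.7
"""
```

Each network returned by `filter_feed` can then be handed to CSF, ipset or a plain `iptables -I INPUT -s <net> -j DROP`, and anything rejected is worth logging so you notice when a feed goes bad.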


Thank you!

We found this "csf.blacklist", and it could be what we are searching for.

How does mapping custom settings for big lists work?