That's one of many reasons why https://crowdsec.net/ was created. It collects (anonymized) threat intelligence from all users, vets it and distributes it as relevant blocklists. Once there are enough users it will be a very effective way to fight bad guys. And unlike your suggestion it DOES make a difference. Currently around 800k signals are collected daily and there are around 19k vetted malevolent IPs distributed to users.
I used to do this with a local copy of the IP2Location database [1]. This way you don't have to poll a third party. The caveat is you have to keep the database up to date.
[1] https://www.ip2location.com/
I once made a very similar visualization to see where people are trying to attack my servers from by adapting (e.g. using a local geoip database file instead of the ipinfo service) the Python script from [1], which uses folium [2] to generate an interactive (standalone HTML file) heatmap of IP address locations.
[1] https://github.com/meesaltena/SSHHeatmap
[2] https://github.com/python-visualization/folium
Looks not-so reliable. Either it fetches a list of blocks from https://github.com/herrbischoff/country-ip-blocks, which is a random GitHub repository that collects "straight from the Regional Internet Registries" without stating any sources or method for gathering it (which also, I'm assuming, is self-reported data from those registries), or it fetches it from https://www.ipdeny.com/, which currently runs with an expired TLS certificate; on top of everything, nft-blackhole ignores any issues with certificates anyways, leaving it wide open to MITM attacks (https://github.com/tomasz-c/nft-blackhole/blob/8a656ac0a803a...)
I wouldn't run that if I'd want something to reliably block someone from a specific country.
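The comment above raises two concrete points about how such a blocker ingests country lists: the download is done with certificate checks disabled, and whatever comes back is loaded as-is. As an added example (not nft-blackhole's code and not the commenter's), the Python below fetches with certificate verification enforced and validates every line as an IPv4 CIDR before rendering an nftables set; the sample list, the `/8` sanity bound and the set name are constructed assumptions.

```python
"""Fetch a per-country CIDR list over verified TLS, validate it, and emit an
nftables set.  Added example, not nft-blackhole's own code.  SAMPLE_LIST is
constructed data so the validation part runs offline."""
import ipaddress
import ssl
import urllib.request

# Constructed sample of a downloaded list, including a malformed line, a
# network with host bits set, and an absurdly broad prefix that a corrupted
# or tampered download could contain.
SAMPLE_LIST = """\
203.0.113.0/24
198.51.100.0/25
not-a-cidr
198.51.100.7/24
0.0.0.0/0
192.0.2.0/28
"""

def fetch_list(url: str) -> str:
    """Download a list with certificate verification enforced: the default
    context checks the chain and hostname, and there is no 'ignore' path."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        return resp.read().decode()

def parse_cidrs(text: str, min_prefix: int = 8) -> tuple[list[str], list[str]]:
    """Return (accepted, rejected).  Lines that do not parse as strict IPv4
    networks, or are broader than /min_prefix, are rejected, not loaded."""
    accepted, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.IPv4Network(line, strict=True)
        except ValueError:          # garbage or host bits set
            rejected.append(line)
            continue
        if net.prefixlen < min_prefix:   # far too broad for a country list
            rejected.append(line)
            continue
        accepted.append(str(net))
    return accepted, rejected

def nft_set(name: str, cidrs: list[str]) -> str:
    """Render an nftables set; 'flags interval' is what makes CIDRs legal."""
    body = ", ".join(cidrs)
    return f"set {name} {{\n\ttype ipv4_addr\n\tflags interval\n\telements = {{ {body} }}\n}}"

if __name__ == "__main__":
    ok, bad = parse_cidrs(SAMPLE_LIST)
    print(nft_set("country_block", ok))
    print("rejected:", bad)
```

Replace `SAMPLE_LIST` with `fetch_list(url)` for live use; a certificate problem then surfaces as an `ssl.SSLError` instead of silently loading whatever was served.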
Indeed. The author could have spent 15 minutes setting up Tailscale [0] and not expose any listening administration ports to the Internet at all. If they wanted to avoid a hosted service, Wireguard alone is incredibly defensive against attackers who do not have access to the secret material. Tailscale basically just adds some NAT traversal [1] and OIDC login wrappers.
[0]: https://tailscale.com/
[1]: https://tailscale.com/blog/how-nat-traversal-works/
masscan with the right setup (namely hardware + drivers but also connection obviously) can scan the entire IPv4 space (+ all ports) in ~5 minutes.
Source Code: https://github.com/robertdavidgraham/masscan
Article from PoC || GTFO with more internal details on how it works: https://www.alchemistowl.org/pocorgtfo/pocorgtfo15.pdf (Page 66) [Note: PDF is both a valid PDF + valid ZIP file with source code]
An upgrade to port knocking is Single Packet Authorization [1]. It doesn't suffer from the observability and other problems of port knocking.
[1] https://www.cipherdyne.org/fwknop/