Spam and brute-force attacks


How can you defend yourself?

For some months now, the attacks on my website have been steadily increasing and have reached a level that I could no longer ignore. For this reason, it has not been possible for me to post new articles.

There are services that block requests from IP addresses that have already been identified as malicious, but unfortunately many of them fail to stop the traffic. It is also only right to shed your naivety and realize that there are services that trigger floods of spam themselves in order to lure the website operator into a subscription. This is not to cast aspersions on the good intentions of most reputable providers, but that is the world we live in today.

It is possible to exclude these IPs via the .htaccess configuration file. A better method would be to hand a blocklist directly to the web server configuration, but the huge blocklists of the subscription providers, which you can also find on the net free of charge, usually cannot be loaded onto a rented (shared) server: the provider prevents it to protect the machine from overload, because the lists are extensive. The ones I found have between 35,000 and 420,000 IP addresses, and some may have even more.

So the only thing left is to write out the spammers' addresses by hand.

IP addresses that access your website are logged. The folder you will find in your hosting account is usually called „log“ or similar. It contains many compressed (rotated) log files, but the current accesses are in a plain, uncompressed text file that can be opened with a simple text editor. Each line holds one request: the client IP address followed by further information, including what that client accessed, a page, an image, a video, etc. If one IP address has repeatedly hit your login page, especially with POST requests in quick succession, it was most likely a brute-force attack. You can also have an IP address checked manually online, e.g. with an IP reputation lookup service. One caveat: if your site sits behind a CDN or reverse proxy, the logged address may be the proxy's rather than the visitor's, so check what the log actually records before blocking anything.

Attackers often operate from a whole range of IP addresses, so it can be simpler to block the range in CIDR notation rather than each address individually. Be aware that a range also covers addresses that never attacked you, so keep the prefix only as wide as the log actually justifies.
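The check described above, reading the access log, counting login POSTs per client and spotting attackers that cluster in one address block, as an added example in Python. This is not code from the original article; the log lines are constructed for the example, /wp-login.php is assumed as the login page, and the function names and the threshold of three attempts are this example's own choices.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of an Apache "combined" access log. Addresses, times and
# paths are invented for this example; /wp-login.php is an assumption and
# stands in for whatever the site's login URL actually is.
SAMPLE_LOG = """\
195.2.74.148 - - [03/Mar/2025:10:01:12 +0100] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
195.2.74.148 - - [03/Mar/2025:10:01:13 +0100] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
195.2.74.148 - - [03/Mar/2025:10:01:14 +0100] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
195.2.74.148 - - [03/Mar/2025:10:01:15 +0100] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
195.2.74.150 - - [03/Mar/2025:10:01:16 +0100] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
195.2.74.150 - - [03/Mar/2025:10:01:17 +0100] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
195.2.74.150 - - [03/Mar/2025:10:01:18 +0100] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2025:10:02:01 +0100] "GET /index.html HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2025:10:02:02 +0100] "GET /images/logo.png HTTP/1.1" 200 2048 "http://example.org/" "Mozilla/5.0"
198.51.100.20 - - [03/Mar/2025:10:03:00 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Regex for the fixed part of the combined format: client IP, timestamp,
# request line (method and path) and status code. Referer and user agent at
# the end of the line are not needed here and are left unparsed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def login_attempts(log_text, login_path="/wp-login.php"):
    """Count POST requests to the login page per client IP.

    GETs of the login page are ignored: a real user loads the form once,
    a brute-force tool POSTs credentials over and over.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]      # drop any query string
        if rec["method"] == "POST" and path == login_path:
            hits[rec["ip"]] += 1
    return hits


def suspicious_ips(hits, threshold=3):
    """IPs with at least `threshold` login POSTs, sorted for stable output.

    The threshold is a tuning knob: too low and you block a visitor who
    mistyped a password twice, too high and you miss a slow attack.
    """
    return sorted(ip for ip, n in hits.items() if n >= threshold)


def group_by_prefix(ips, prefix=24):
    """Group flagged IPs by the /prefix network they belong to.

    Several attackers inside one block are the hint that blocking a range
    rather than single hosts may be warranted.
    """
    groups = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups[str(net)].append(ip)
    return dict(groups)


if __name__ == "__main__":
    hits = login_attempts(SAMPLE_LOG)
    flagged = suspicious_ips(hits)
    for ip in flagged:
        print(f"{ip}: {hits[ip]} login POSTs")
    for net, members in group_by_prefix(flagged).items():
        print(f"{net}: {len(members)} flagged host(s)")
```

On the constructed input, 195.2.74.148 and 195.2.74.150 are flagged and both land in 195.2.74.0/24, while the visitor who logged in once (198.51.100.20) and the one who only fetched pages and images (203.0.113.7) are left alone. Point the script at the real, uncompressed log file and adjust `login_path` to your site's login URL.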

/32 is the most specific and „highest“ prefix in CIDR notation: it stands for exactly one IP address. An IPv4 address consists of 32 bits (e.g. 192.168.1.1), and the prefix length states how many of those bits, counted from the left, are fixed. With /32 all 32 bits are fixed, so there is no room for any other address; only this one is meant. The prefix is therefore unnecessary if you want to address or block a single IP address, because you can also write the address on its own without a prefix.

Examples:

192.168.1.1/32 means only the IP address 192.168.1.1; no other IP address falls within this range.
195.2.74.148/32 refers only to the IP address 195.2.74.148 and no other.

Further prefixes and their meaning:

/31: Covers 2 IP addresses.
/30: Covers 4 IP addresses.
/24: Covers 256 IP addresses (e.g. 192.168.1.0/24 for the range 192.168.1.0 to 192.168.1.255).
/0: Covers all IPv4 addresses.

195.2.74.148/23 covers the range from 195.2.74.0 to 195.2.75.255: the first 23 bits are fixed, the remaining 9 are free, and 2^9 = 512 IP addresses are covered. Note that the range starts at 195.2.74.0 rather than at the address you wrote down, because the free host bits are set to zero for the first address and to one for the last.

An online CIDR calculator makes this very easy, because if you only do this occasionally, the puzzling over „what was that again“ starts all over each time.
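The same arithmetic the calculator does, carried out by hand with a bit mask so that the meaning of the prefix is visible, plus the .htaccess fragment that blocks the resulting ranges. This is an added example in Python, not code from the article; the address 195.2.74.148/23 is the article's, while the function names, the Apache 2.4 `Require` syntax chosen for the output and the `ipaddress` cross-check are this example's own choices.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF          # 32 set bits, the widest IPv4 mask


def mask_from_prefix(prefix):
    """Netmask for /prefix as an int: the top `prefix` of 32 bits set.

    /32 -> 0xFFFFFFFF (every bit fixed, one host)
    /24 -> 0xFFFFFF00 (low 8 bits free, 256 hosts)
    /0  -> 0x00000000 (nothing fixed, every address)
    """
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def cidr_range(cidr):
    """(first, last, count) of an 'a.b.c.d/n' or bare 'a.b.c.d' string.

    AND with the mask clears the host bits (first address of the range),
    OR with the inverted mask sets them all (last address of the range).
    """
    addr, _, prefix = cidr.partition("/")
    prefix = int(prefix) if prefix else 32        # no prefix: single host
    host = int(ipaddress.IPv4Address(addr))
    mask = mask_from_prefix(prefix)
    first = host & mask
    last = first | (~mask & ALL_ONES)
    return (str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(last)),
            last - first + 1)


def contains(cidr, ip):
    """True if ip lies inside cidr: both give the same network after masking."""
    addr, _, prefix = cidr.partition("/")
    mask = mask_from_prefix(int(prefix) if prefix else 32)
    return (int(ipaddress.IPv4Address(addr)) & mask) == \
           (int(ipaddress.IPv4Address(ip)) & mask)


def htaccess_block(cidrs):
    """Apache 2.4 .htaccess fragment that denies the given hosts and ranges.

    Each entry is normalised to its network address, so 195.2.74.148/23 is
    written as 195.2.74.0/23; a /32 is written as the bare address, since
    the prefix adds nothing for a single host.
    """
    lines = ["<RequireAll>", "    Require all granted"]
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        entry = str(net.network_address) if net.prefixlen == 32 else str(net)
        lines.append(f"    Require not ip {entry}")
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    for c in ("192.168.1.1/32", "192.168.1.0/24", "195.2.74.148/23", "0.0.0.0/0"):
        first, last, count = cidr_range(c)
        print(f"{c:>18}: {first} - {last} ({count} addresses)")
    print(htaccess_block(["195.2.74.148/23", "192.168.1.1"]))
```

For 195.2.74.148/23 the function returns 195.2.74.0, 195.2.75.255 and 512, matching the range worked out above, and `htaccess_block` emits `Require not ip 195.2.74.0/23` inside a `<RequireAll>` block. Two things to check before pasting the output into .htaccess: the server must be Apache 2.4 (2.2 uses `Order Allow,Deny` / `Deny from 195.2.74.0/23` instead), and the hosting provider must allow .htaccess overrides for that directory, otherwise the file is silently ignored.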
