OPNsense Forum

English Forums => General Discussion => Topic started by: Mikheil on July 01, 2022, 05:35:10 PM

Title: How can this happen?
Post by: Mikheil on July 01, 2022, 05:35:10 PM
I have a malicious subnet which insists on scanning my server. I blocked the entire subnet:
89.248.165.0/24 in my blocklist. Everything else in the blocklist works fine, but this one, despite being BLOCKED, is still scanning my servers.

What right has ANYONE got to scan my servers when they are blocked?

What can I do about it?
Title: Re: How can this happen?
Post by: lilsense on July 01, 2022, 06:15:54 PM
what blocklist?

you need to put the address in your firewall rules on the WAN interface.
Title: Re: How can this happen?
Post by: Mikheil on July 02, 2022, 12:12:40 AM
I have a blocklist of my own that sits on one of my servers. There are over 100 blocked IPs of would-be hackers. It's set to update every 6 minutes and it does. Works fine.

I checked Diagnostics --> Aliases and the IP address is there BLOCKED, but that same IP is still scanning my servers for 2 days now.

HOW IS THIS POSSIBLE? and what can I do to kick him off? OPNSense obviously isn't doing it!
Title: Re: How can this happen?
Post by: TopherIsSwell on July 02, 2022, 12:38:38 AM
Port scanning is a fact of life for anything connected to the Internet. Several of the scanners have agreements with your ISP to allow scanning of their address space and that is the price you pay for their services. Services like Censys and Shodan are helpful in Internet security research and actually help limit the number of port scans going on because researchers and "would-be hackers" can use this information here instead of running their own scan.

All that said, you should be able to block the subnet in question with a firewall rule in OPNSense. The traffic will still reach the OPNSense box, but you can ensure that the traffic is stopped there and not forwarded to services on the OPNSense box or to boxen "behind" OPNSense.

If I understand correctly, you would want to go to "Firewall" -> "Rules" -> "WAN" (or whichever is the name of the upstream interface being scanned). Then you would add the rule set to "BLOCK" for that IP range. If you've done this and it's not working, could you post a screenshot of your rule or dump the firewall config and post that? Then we can help you troubleshoot and identify if this is a bug in need of fixing.

Cheers!
Topher
Title: Re: How can this happen?
Post by: Demusman on July 02, 2022, 01:00:23 AM
Quote from: Mikheil on July 02, 2022, 12:12:40 AM
I have a blocklist of my own that sits on one of my servers. There are over 100 blocked IPs of would-be hackers. It's set to update every 6 minutes and it does. Works fine.

I checked Diagnostics --> Aliases and the IP address is there BLOCKED, but that same IP is still scanning my servers for 2 days now.

HOW IS THIS POSSIBLE? and what can I do to kick him off? OPNSense obviously isn't doing it!

Just to be clear, you're saying that subnet is getting through your firewall and scanning your actual servers or do you see that subnet scanning your WAN address?
Title: Re: How can this happen?
Post by: Mikheil on July 02, 2022, 09:00:47 AM
My mail server. It's gone on for days using different IP's from the same subnet. It's my own server, not a hosting company.

Accepted POP3 connection with: 89.248.165.54
03:07:01 3B0 *** NEW PHYS. CONNECTION, Tbl Entry=0, Socket=59
03:07:01 470 Accepted POP3 connection with: 89.248.165.54
03:07:01 470 *** NEW PHYS. CONNECTION, Tbl Entry=1, Socket=75
03:07:01 30E Accepted POP3 connection with: 89.248.165.54
03:07:01 30E *** NEW PHYS. CONNECTION, Tbl Entry=2, Socket=117

I forgot, I have a facility on my mail server to block addresses. It was blank, but I added the subnet to it yesterday and it stopped dead. It's very worrying that someone seems to be able to penetrate the firewall, though.

I would suspect that whoever it is is NOT 'a guy on the street'.
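As an added illustration (not from the original thread or from OPNsense), here is the check a defender would run in this situation: parse a URL-table-style blocklist, flag lines that would not parse, and test whether the source addresses in mail-server log lines like those quoted above fall inside a listed network. The blocklist contents and log lines are constructed samples; apart from the thread's /24, the addresses are documentation ranges.

```python
import ipaddress
import re
# Constructed blocklist in the one-entry-per-line form a URL-table alias fetches:
# a comment, a bare host, two CIDRs and one malformed line.
BLOCKLIST_TEXT = """\
# constructed sample blocklist
203.0.113.7
89.248.165.0/24
198.51.100.0/24
not-an-address
"""

# Constructed mail-server log lines modelled on those quoted in the thread.
MAIL_LOG = """\
03:07:01 470 Accepted POP3 connection with: 89.248.165.54
03:09:12 1A2 Accepted POP3 connection with: 192.0.2.25
"""

IP_RE = re.compile(r"connection with: (\d{1,3}(?:\.\d{1,3}){3})")

def parse_blocklist(text):
    """Return (networks, bad_lines): bare IPs become /32, comments and blanks
    are ignored, and lines that do not parse are reported instead of dropped."""
    networks, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append((lineno, raw))
    return networks, bad

def covering_network(ip, networks):
    """Return the first listed network containing ip, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in networks if addr in n), None)

def audit_log(log_text, networks):
    """Map each source IP in the log to the blocklist entry covering it (or None)."""
    return {ip: covering_network(ip, networks) for ip in IP_RE.findall(log_text)}

if __name__ == "__main__":
    nets, bad = parse_blocklist(BLOCKLIST_TEXT)
    for lineno, raw in bad:
        print(f"blocklist line {lineno} skipped (unparsable): {raw!r}")
    for ip, net in audit_log(MAIL_LOG, nets).items():
        print(f"{ip}: {'covered by ' + str(net) if net else 'NOT in blocklist'}")
```

If an address shows as covered here but connections still reach the mail server, the list itself is not the problem and the WAN rule that references the alias (or its ordering relative to earlier pass rules) is the next thing to check.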
Title: Re: How can this happen?
Post by: Patrick M. Hausen on July 02, 2022, 09:38:55 AM
HOW PRECISELY are you trying to block this network on your firewall?
Title: Re: How can this happen?
Post by: Mikheil on July 02, 2022, 12:21:23 PM
By following precisely the instructions.

I have a text file with IP addresses that attempt to hack any of my servers. When I find one, I add it to the blocklist. The blocklist is hosted at another site. It refreshes every 5 minutes.

It's set up EXACTLY like the Spamhaus blocklist. Aliases in LAN and WAN and rules entry like Spamhaus.

IT WORKS because I check Diagnostics --> Aliases and the addresses show up after 5 minutes, and the would-be hacker stops his shit. I'm not prepared to keep on and on trying to explain whilst you keep arguing I'm a fool.

I can see you don't believe a word and that I'm some kind of idiot, so this conversation is CLOSED.

Just because I'm retired and 81 after working with computers with Novell, Microsoft and Apple since 1980 and before that on PDP-11s, I am NOT prepared to be treated like a small child. Just carry on and forget I bothered to inform you.
Title: Re: How can this happen?
Post by: Patrick M. Hausen on July 02, 2022, 01:26:33 PM
I am not assuming you are an idiot. I can only help diagnose a problem when I have full information. So you have a block list. Good. Did you create a firewall rule on the WAN interface using this list/alias? If yes, what does it look like?

You started a discussion with "I have this block list and it doesn't work." I was trying to help find out why it doesn't work as expected. How do you think I should go about that without ALL information in detail? Look into a crystal ball?
Title: Re: How can this happen?
Post by: lilsense on July 02, 2022, 03:12:06 PM
As I replied to your OP, I am with pmhausen that you have provided nothing regarding the configuration that is not working...
Title: Re: How can this happen?
Title: Re: How can this happen?
Post by: doktornotor on December 19, 2023, 07:04:53 PM
You cannot prevent anyone from scanning. You can only block the traffic. Which will show in your firewall logs once done. Yes, they will still be scanning, and those scans will still be reaching your firewall.

Only your ISP can block traffic from reaching your firewall.