Tag: firewall

Weird times mean New Rules – UFW

I added many new UFW rules and other security measures to my Ubuntu server as a result of all the weird things happening in Europe right now. There was a time when I would have done this immediately after building the server, but I have been getting lax in my old age.

I also added a number of DENY rules to stop HTTP site scanning. I haven’t had to block a /8 yet, but there are a few /16 and /15 networks in my deny list. This, along with some well-placed .htaccess rules, made many annoying bots go away.

In my research, I have found that there is a desire to completely block entire countries (you know who you are). Doing so with CIDR-based firewall rules is intensive – the UFW ruleset for one of the countries had 24,000+ CIDR blocks!
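An added example (not from the original post) that goes one step beyond the text: before a long CIDR deny list is turned into UFW rules, Python's `ipaddress` module can merge adjacent and nested blocks, so the two /16s below become one /15. The sample list, the function names and the `keep_reachable` parameter are assumptions made for illustration.

```python
import ipaddress

# Constructed sample deny list; every range is a documentation or benchmarking block.
SAMPLE_DENY_LIST = """
198.18.0.0/16        # two adjacent /16s
198.19.0.0/16
203.0.113.0/25       # two halves of one /24
203.0.113.128/25
203.0.113.7          # single host already covered by the /24
198.51.100.0/24
192.0.2.77/24        # host bits set
not-a-network
"""

def parse_networks(text):
    """Return (networks, rejected) from one-entry-per-line text with # comments."""
    networks, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))  # masks host bits
        except ValueError:
            rejected.append(entry)
    return networks, rejected

def collapse(networks):
    """Merge nested and adjacent networks into the fewest covering CIDRs."""
    merged = []
    for version in (4, 6):  # collapse_addresses refuses mixed IP versions
        same = [n for n in networks if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    return merged

def ufw_deny_commands(networks, keep_reachable=()):
    """Build ufw rules; hold back blocks covering keep_reachable (hypothetical name)."""
    protected = [ipaddress.ip_address(a) for a in keep_reachable]
    commands, held_back = [], []
    for net in collapse(networks):
        if any(a.version == net.version and a in net for a in protected):
            held_back.append(str(net))  # would lock out a host you manage from
        else:
            commands.append(f"ufw deny from {net}")
    return commands, held_back

if __name__ == "__main__":
    nets, bad = parse_networks(SAMPLE_DENY_LIST)
    print(ufw_deny_commands(nets, keep_reachable=["198.51.100.10"]), "rejected:", bad)
```

UFW applies the first matching rule, so a deny appended after an existing allow for the same traffic never fires; `ufw insert 1 deny from <cidr>` places it ahead of the allow.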

If you are running home servers, I highly recommend blocking SSH from as much of the internet as possible. As well, keep up-to-date with security patches and block all the stupid ways people can use your servers.

And make sure your cable router/device in front of your network is blocking everything except the most important stuff.

More Stupid Trackback and Comment Spammers

Ok, started to notice a dramatic and sudden increase in traffic to my site yesterday. Turns out that all of these folks were headed to the same place at this host:

/index.php?disp=stats

So, when I checked this out, they were all indicating referrals from the usual illicit medication and adult sites.

<sigh> More trackback and comment spam.

Now, I know that this page exists in b2evolution, and it is a way for visitors to view my traffic stats. However, a link to this page does not exist in my main display page. The only link to my stats is to my StatCounter stats.

Enter mod_rewrite.

A simple rule disposes of these morons.

RewriteCond %{QUERY_STRING} disp=stats
RewriteRule ^.*$ http://www.pierzchala.com:9080/ [R,L,NS]

Please do not attempt to load the redirected URL; you will get nothing. NADA! That port is set to be dropped by iptables, effectively hanging the client end as it attempts to make a TCP connection.

/sbin/iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 9080 -j DROP

I use iptables to handle a lot of these morons. As the only people who view this page are infected with some virus or spyware, I feel no shame in tying up their systems.

Stupid attacking domain — andrewsaluk.com

Looks like some bozo has managed to take over a large number of machines and launch some sort of zombie attack against blogs. If you see andrewsaluk.com filling up your referrer log, block the hosts. They are likely zombies.


Just checked the domain (IP address 211.180.238.254) — it originates in South Korea. Definitely points to either a script-kiddie or a zombie on a high-speed connection.

Copyright © 2024 Performance Zen
