Is blacklisting IP addresses a waste of time?

Question

After months of logging, I have collated a list of rogue IP addresses trying to perform SSH brute-force logins, send SPAM, hack Wordpress admin logins, upload spammy links, etc:

SSH logins
SRC             Count
222.186.15.202  121
115.231.218.23  114
218.77.79.43    97
103.41.124.60   80
61.160.224.128  47
...

So far nothing untoward has happened to my server. I was wondering, what should I do with this blacklist. I have over 1500 unique IP addresses distributed across 1000 different /24 subnets. Blocking all of them would introduce additional workload on my server.

Is there any value for an IP addresses blacklist?

Answer 1

Blocking a couple thousands of IP addresses will not incur significant load on your webserver. If you are using iptables, the overhead is pretty negligible.

I have implemented fail2ban on my server, and it blacklists everybody trying a bruteforce on my server. Portscanning gets the ban hammer too. It gives a temporary ban (I configured it to 6 hours), so I don't have an enormous list of blacklisted addresses, and the attacker gives up on my server way before the ban expires.

You can use fail2ban to protect Wordpress too, and Apache. If anyone gets too much HTTP-404 errors in a timeframe, ban them. If they send spam, ban them.

As the vast majority of the attacks today are not directed attacks, a blacklist will make the attacker (or bot) leave your server and attack the next on the list. It's not to make your server unbeatable, but to make it less interesting than the next on the list.

Answer 2

IP Blacklists are still valuable, but you need to understand the scope. If an IP is scanning, probing, DoS'ing you, then a simple ban at the firewall level is a simple, easy, and fast way to stop that ONE IP from doing potential harm. But, in no way should you consider that IP to be the true threat. It is a single threat right now. Attackers can change IP, and the blocked IP can end up being assigned to a legitimate user.

IP Blacklists ARE useful in the short term to provide immediate remedy to a single vector of attack. If you understand that scope, then you can better evaluate it against the risks for your environment.

Answer 3

Your question is so broad to answer as there is so much you could do.

You should really look at every port used on your server and filter them as much as you can. Don't use or need port? Then block it completely.

For example of firewall policy:

1. SSH should be whitelist IPs
2. FTP should be whitelist IPs (depending on what account can do)
3. HTTP/HTTPS should use blacklist IPs only but remember what @Travis Pessetto said above.
4. Block any other traffic on ports which are not used.

WordPress now your talking vendor specific related tasks:

• Use a custom URL for your admin page
• Use nofollow attribute to tell the search engine crawler to stop but don't list in in your .htaccess as you'll be exposing the hidden links to everyone

Uploading spamming links?

• Use a captcha for posts and upload boxes
• Limit the user activity by x posts per y amount of time per user account.
• Limit the user activity by x posts per y amount of time per IP (Much higher threshold than the user account though)

The list goes on and on. I hope I've covered few basics which you can look into.

Answer 4

I would say blacklisting a public ip is fairly useless if the attacker is motivated they will simply change it.

Blacklisting a internal ip on the other hand can provide some benefits ( for example if you have your public website or a portion of it hosted from inside your internal network ) it would be extremely prudent to blacklist that IP address from as many machines as practical. Since you don't really want a attacker coming in via a hole in Wordpress and be a step away from your payroll systems.

Answer 5

blacklisting a public ip is only useful if done for a short period op time, say 8 hours. Enough to free the server for some time and long enough for the attacker to give up.