Best practices for blocking IP addresses (need other opinions)

Kiekeboe100

Hello,

At the moment I have both DirectAdmin BFM and CSF that check the log files to block IP addresses.
I apply a permanent block almost immediately, but with a max of x IP addresses (400 I think), so ultimately after a while the IP is unblocked again.

Now I am seeing more and more blocks for IPs from my own country. When investigating this I see that these are almost always because of failed logins to POP3 or IMAP.

What do you guys do with this? This is probably because they changed their password, but forgot that a long time ago they installed app x to check their e-mail on tablet y (that's being used by the kids now).

I was thinking about skipping POP3/IMAP failures, but then again, if a POP3 account is brute-forced, it could be devastating. If an account is compromised it could be used to send spam. And yes, there is a limit to max outgoing messages, but still, a lot of damage could be done.


Stijn
I have the same as you have, so CSF, and I use a different script to let CSF handle the BFM messages, which works fine.
My limits are a lot higher though, because of more memory and CPU resources on the server maybe.

However, sometimes there are waves of hacking attempts from various countries, often from China and Russia but sometimes from bots over the whole world, which can take weeks.
So I almost never use them; then the limits are filled fast indeed.

In "normal" times, when there are none of these waves, it's a good time to educate the users. I just have a certain limit of blocking. At first they get a block for several hours or minutes, depending on your choice.
In CSF there is an option to give a perm block if some IP has a certain amount of temp blocks.
This way you can ease the situation for users who change their password. A couple of temp blocks is no issue until they reach the limit and run into a permanent block.
Mostly after a couple of tests, they get it right and don't run into the perm block.

In other cases, it's a good way to educate the users to note their password somewhere, because they will surely contact you if they can't send or receive mail or reach the server at all.
After a couple of times... they take more care about changing passwords or not keeping them safe somewhere if they tend to forget them.
That helps a lot.

Next to that I also use some screenshots so users can easily see how to set up their mail clients.

So imho, fewer fast perm blocks, and more perm blocks after having multiple temp blocks, works best with e-mail.
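The escalation described in the reply above (a short temporary block first, a permanent block only once an IP has collected several temporary blocks within a window) as an added Python simulation over constructed log lines. This is example code written for this thread, not CSF or BFM code; the knob names, the simplified log format and the sample addresses are assumptions of the example.

```python
import re
from collections import defaultdict

# Policy knobs, assumed values (CSF expresses the same idea with LF_POP3D/LF_IMAPD,
# LF_*_PERM, LF_PERMBLOCK_COUNT and LF_PERMBLOCK_INTERVAL in csf.conf)
FAIL_LIMIT = 2        # failed logins within FAIL_WINDOW seconds that trigger a block
FAIL_WINDOW = 300
TEMP_BLOCK = 3600     # a first block is temporary and lasts this many seconds
PERM_AFTER = 3        # temp blocks within PERM_INTERVAL seconds become a permanent block
PERM_INTERVAL = 86400
# Constructed, simplified line format: "<epoch> <service>-login: auth failed rip=<ip>"
LINE = re.compile(r"^(?P<ts>\d+) (?:pop3|imap)-login: auth failed rip=(?P<ip>[\d.]+)")
def evaluate(lines):
    fails = defaultdict(list)   # ip -> recent failure timestamps
    temps = defaultdict(list)   # ip -> when temporary blocks were issued
    blocked_until = {}          # ip -> expiry timestamp, None once permanent
    events = []                 # (ts, ip, "temp" | "perm") in the order they happen
    for line in lines:
        if not (m := LINE.match(line)):
            continue            # successful logins and other services are ignored
        ts, ip = int(m["ts"]), m["ip"]
        expiry = blocked_until.get(ip, -1)
        if expiry is None or ts < expiry:
            continue            # still blocked; the firewall would drop this anyway
        fails[ip] = [t for t in fails[ip] if ts - t <= FAIL_WINDOW] + [ts]
        if len(fails[ip]) < FAIL_LIMIT:
            continue
        fails[ip].clear()
        temps[ip] = [t for t in temps[ip] if ts - t <= PERM_INTERVAL] + [ts]
        if len(temps[ip]) >= PERM_AFTER:
            blocked_until[ip] = None          # repeat offender: permanent block
            events.append((ts, ip, "perm"))
        else:
            blocked_until[ip] = ts + TEMP_BLOCK
            events.append((ts, ip, "temp"))
    return events
# Constructed sample: 192.0.2.10 is a user whose tablet still has an old password,
# 198.51.100.7 comes straight back whenever its temporary block expires.
SAMPLE_LOG = [
    "0 imap-login: auth failed rip=192.0.2.10",
    "10 imap-login: auth failed rip=192.0.2.10",
    "100 pop3-login: auth failed rip=198.51.100.7",
    "101 pop3-login: auth failed rip=198.51.100.7",
    "200 pop3-login: auth failed rip=198.51.100.7",
    "3800 pop3-login: auth failed rip=198.51.100.7",
    "3801 pop3-login: auth failed rip=198.51.100.7",
    "4000 imap-login: auth failed rip=192.0.2.10",
    "4010 imap-login: auth failed rip=192.0.2.10",
    "7500 pop3-login: auth failed rip=198.51.100.7",
    "7501 pop3-login: auth failed rip=198.51.100.7",
]
```

Running `evaluate(SAMPLE_LOG)` shows the forgetful user collecting two temporary blocks and never a permanent one, while the returning address reaches the permanent block on its third temporary block.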