In the interest of improving security, does it make sense to block suspicious IPs on internet-facing firewalls? Does anyone know of any reliable block lists?
Thanks, Mark
Blocking suspicious IPs in the firewall definitely makes sense. Actually this is a common measure applied by many IDS, IPS or firewall vendors for protection (Google also maintains its own blacklist). Have a look at this Wikipedia article on blacklists for some insight.
There are different companies/organisations that maintain and offer blacklists for free or at a cost as a service. Which one is best depends on one's particular need. There is also very well known IDS software like Snort, or firewall distributions such as pfSense, that can implement blacklists in a more automated and efficient manner.
Another good read from SANS: Protecting Home Devices from Malicious or Blacklisted Websites
Yes, it makes a lot of sense to use blocklists. Especially the often-updated lists include those used for DDoS from IoT devices and such, which then are at least temporarily kicked off when used anew in some botnet. It does require regular administration and checking, though, but you should always check logs anyway, so that's not something new.
I use blocklists in 4 ways:
On my LAN I have my own dns resolver using dnsmasq. For this I use: https://gist.github.com/jult/4eba88bdd34a57cc79d6
On some servers/routers I use CSF/LFD scripts that control iptables (including ipset capabilities), and for those I use these blocks pretty successfully: https://gist.github.com/jult/e2087274f27933ce8574cf6d34ec5cd1#gistcomment-1917871. I write "successfully" because I see the number of blocks being logged thanks to all those.
Then I use a lot of blocking through Postfix on my own mail server, also very successfully. Also to be found among my gists.
Last but not least, I do like to use P2P networks and prefer to shield myself from snooping governments and the like. Also listed among my gists on GitHub.
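Both answers above come down to the same mechanism: pull a published blocklist, load it into the firewall (ipset plus an iptables match, as in the CSF/LFD setup), and keep it refreshed. The part that bites people in practice is not the loading but the vetting: a feed that contains an RFC 1918 range, a /0, or your own management host will lock you out or break internal traffic the moment it is applied. The script below is an added example written for this page, not code from either answer and not the gists they link; it parses a constructed sample feed, rejects unsafe entries, collapses duplicates and overlaps, and emits `ipset restore` input plus the commands to swap the new set in atomically. The set names, the `PROTECTED` addresses and the `MIN_PREFIX` thresholds are assumptions for illustration.

```python
"""Vet a public IP blocklist and turn it into ipset/iptables configuration.

Added example for the thread above (not the gists it links). Feed contents,
set names, protected addresses and prefix thresholds are constructed/assumed.
"""
import ipaddress

# Constructed sample feed in the usual one-entry-per-line, '#'-comment format.
# Documentation ranges (RFC 5737 / RFC 3849) stand in for hostile networks.
SAMPLE_FEED = """\
# sample blocklist (constructed)
203.0.113.0/24      # hostile netblock
198.51.100.17       # single hostile host
198.51.100.17       # duplicate on purpose
198.51.100.64/26    # hostile /26
198.51.100.100      # host inside that /26, collapses into it
192.168.1.5         # RFC 1918: must never be loaded on the perimeter
0.0.0.0/0           # catastrophic entry: would drop all traffic
192.0.2.50          # our own monitoring host, kept out via PROTECTED
not-an-ip           # junk line
2001:db8:bad::/48   # IPv6 entry, goes into a separate set
"""

# Address space a perimeter blocklist must never contain, whatever the feed says.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # CGNAT (RFC 6598)
    "127.0.0.0/8", "::1/128",                          # loopback
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "fc00::/7",                                        # IPv6 ULA
)]

# Assumed: your own hosts (management jump host, monitoring, upstream resolvers).
PROTECTED = [ipaddress.ip_network(n) for n in ("192.0.2.50/32",)]

# Assumed thresholds: a /0 or /8 from a broken feed is an outage, not a defence.
MIN_PREFIX = {4: 16, 6: 32}


def parse_feed(text):
    """Return (networks, bad_lines): comments and blanks skipped, junk reported."""
    nets, bad = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            bad.append(entry)
    return nets, bad


def vet(nets, protected=PROTECTED):
    """Split entries into safe v4/v6 networks and a list of (network, reason) rejections."""
    kept, rejected = [], []
    for net in nets:
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append((net, "prefix too short"))
        elif any(net.version == r.version and net.overlaps(r) for r in NEVER_BLOCK):
            rejected.append((net, "reserved or private space"))
        elif any(net.version == p.version and net.overlaps(p) for p in protected):
            rejected.append((net, "overlaps a protected address"))
        else:
            kept.append(net)
    # collapse_addresses removes duplicates and merges overlapping/adjacent networks
    v4 = list(ipaddress.collapse_addresses(n for n in kept if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in kept if n.version == 6))
    return v4, v6, rejected


def ipset_restore_script(name, nets, family):
    """Input for `ipset restore`: fill a temp set so the live set can be swapped atomically."""
    tmp = name + "_tmp"
    lines = [
        f"create {name} hash:net family {family} -exist",
        f"create {tmp} hash:net family {family} -exist",
        f"flush {tmp}",
    ]
    lines += [f"add {tmp} {net}" for net in nets]
    return "\n".join(lines) + "\n"


def firewall_commands(name, family):
    """Shell commands to swap in the new set and install the DROP rule exactly once."""
    tool = "iptables" if family == "inet" else "ip6tables"
    rule = f"INPUT -m set --match-set {name} src -j DROP"
    return [
        f"ipset swap {name}_tmp {name}",
        f"ipset destroy {name}_tmp",
        f"{tool} -C {rule} 2>/dev/null || {tool} -I {rule}",  # -C checks, -I inserts
    ]


if __name__ == "__main__":
    nets, bad = parse_feed(SAMPLE_FEED)
    v4, v6, rejected = vet(nets)
    for net, why in rejected:
        print(f"REJECTED {net}: {why}")
    for entry in bad:
        print(f"SKIPPED unparsable line: {entry!r}")
    print(ipset_restore_script("blocklist_v4", v4, "inet"))
    print("\n".join(firewall_commands("blocklist_v4", "inet")))
```

Run it as a cron job after fetching the feed: pipe the first output into `ipset restore`, then run the swap/destroy/iptables lines. Because the new entries land in `blocklist_v4_tmp` first, the live set is never empty mid-refresh, and because `iptables -C` is tried before `-I`, repeated runs do not stack duplicate DROP rules. Log the rejections; a feed that suddenly starts shipping private ranges or very short prefixes is itself a signal that the source has changed or been tampered with.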