On 02/26/2019 06:40 AM, Juha Kankare via arch-general wrote:
> I'm getting a lot of connections from China it seems. Whenever I check
> my journalctl, it's an endless wall of nginx complaints about a single
> IP spamming requests for different php files. This happens with hundreds
> of IPs, and tens of times daily. Has anyone else been hit by this? I
> already made a shell script to block all connections from China, but I'm
> curious as to why this happens, and if anyone else has had the same
> problem.
>

I take the sledge-hammer approach and simply block the entire APNIC and
AFRINIC IP blocks and a good portion of RIPE with iptables. Dramatically
reduces the amount of mischief coming from the internet. Then whitelist
specific IPs if needed for some individual package. Not optimal, but very,
very effective.

Top 2 offenders are RIPE, China ranks number 3 and India provides an
impressive number 4 from 45.112.0.0/12 alone. My Top-20 Offenders are:

Chain INPUT
      pkts bytes Source
 1   99639 5901K 185.0.0.0/8
 2   27859 1671K 141.0.0.0/8
 3   14529  792K 220.0.0.0/8
 4   14188 1061K 45.112.0.0/12
 5   12852  766K 213.0.0.0/8
 6   11428  680K 89.0.0.0/8
 7    9340  636K 193.0.0.0/8
 8    9215  542K 46.0.0.0/8
 9    8685  479K 91.0.0.0/8
10    8134  484K 180.0.0.0/8
11    7929  470K 93.0.0.0/8
12    7363  428K 5.0.0.0/8
13    7059  419K 109.0.0.0/8
14    5686  328K 202.0.0.0/8
15    5030  298K 85.0.0.0/8
16    4194  240K 195.0.0.0/8
17    4190  245K 178.0.0.0/8
18    4125  238K 188.0.0.0/8
19    4111  243K 77.0.0.0/8
20    3818  225K 80.0.0.0/8

--
David C. Rankin, J.D.,P.E.
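
The ranking and whitelist-then-block ordering described in this thread, as an added example that is not code from either poster: it counts 404 responses to `.php` requests per source network and emits `iptables` rules with the whitelist ACCEPTs ahead of the DROPs. The nginx "combined" access-log layout, the sample lines, the whitelist entry, the `min_hits` threshold and the function names are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed nginx "combined" access-log layout: client IP, request, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines; addresses are RFC 5737 documentation ranges.
SAMPLE = [
    '203.0.113.7 - - [26/Feb/2019:06:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.7 - - [26/Feb/2019:06:01:03 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.90 - - [26/Feb/2019:06:02:10 +0000] "POST /admin/config.php?x=1 HTTP/1.1" 404 153 "-" "-"',
    '198.51.100.4 - - [26/Feb/2019:06:03:00 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "-"',
    '198.51.100.9 - - [26/Feb/2019:06:03:05 +0000] "GET /pma/index.php HTTP/1.1" 404 153 "-" "-"',
    '192.0.2.10 - - [26/Feb/2019:06:04:00 +0000] "GET /test.php HTTP/1.1" 404 153 "-" "-"',
]
WHITELIST = ("192.0.2.10/32",)  # constructed: a host that must stay reachable

def rank_php_probers(lines, prefix_len=8, whitelist=()):
    """Count 404 answers to *.php requests per IPv4 source network."""
    allowed = [ipaddress.ip_network(w) for w in whitelist]
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log entry
        ip, path, status = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field is not an IP address
        is_php = path.split("?", 1)[0].endswith(".php")
        if addr.version != 4 or status != "404" or not is_php:
            continue
        if any(addr in net for net in allowed):
            continue  # whitelisted sources never count towards a block
        hits[ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)] += 1
    return hits.most_common()

def iptables_rules(ranked, whitelist=(), min_hits=2):
    """ACCEPTs precede DROPs: iptables stops at the first matching rule."""
    rules = [f"iptables -A INPUT -s {w} -j ACCEPT" for w in whitelist]
    rules += [f"iptables -A INPUT -s {net} -j DROP"
              for net, count in ranked if count >= min_hits]
    return rules

if __name__ == "__main__":
    ranked = rank_php_probers(SAMPLE, whitelist=WHITELIST)
    print("\n".join(iptables_rules(ranked, WHITELIST)))
```

Passing a longer `prefix_len` (for example 24) shows how much of a /8 tally comes from a few small networks before a block that wide is committed to.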