These days online attacks on your server and/or your web site can come from any corner of the world.
Every Tom, Mikhail, Mohammed and Ramesh with a penetration testing Linux distribution and a toolkit of free automated hacking scripts is on testosterone overdrive and out to wreak havoc online.
A lot of the online attacks are from bored youngsters looking for macho ego thrills.
But the more damaging attacks coming from sophisticated non-state actors (often Russian, Turkish and Ukrainian mercenaries) and state actors (frequently the Chinese Military, Iranian military, NYPD, NSA and FBI) are more complex, more relentless and harder to thwart.
As the administrator of a Linux server, I’ve endured considerable attacks, including some that have been relentless and long-running.
Let’s be clear that there’s nothing you can do to stop the hail of online attacks.
You can only manage them.
It’s not as if the world went to the dogs after the arrival of the Internet. Humanity has always been the dregs. The Internet is merely a new arena for humans to attack each other.
One key way to control the magnitude of external attacks on your server, blog or web site is geo-blocking.
In other words, focus your attention on a handful of countries, because online attacks from some countries are more common and more intensive than attacks from others.
As a Linux server administrator regularly analyzing log files, I see the following 15 countries leading both in the number of attacks and their severity:
* US (Ohio, upstate New York, Nevada, NYC, Kansas City, Southern California, Utah)
* India (Mumbai, Bangalore, Noida)
It’s, of course, possible that some of the attacks from Brazil or Thailand could actually be coming from commandeered computers infected with malware.
But I’m inclined to believe that countries like Brazil, Turkey, Iran, India, Thailand and Pakistan are expanding their armoury of hacking tools.
Blocking all or at least the offending IPs from those countries is a starting point to secure your server and web site.
How to Manage Attacks
To start with, you can block IPs and CIDR ranges from these countries using tools like iptables, fail2ban, null routes and special Apache modules (I will provide specifics on each method in later posts).
There are plenty of free databases mapping IP ranges to countries that let you block access at the country level.
Also, keep an eye on log files like the httpd error log, the mail logs and the vsftpd log, since they provide valuable clues as to the geographic origin of the attacks.
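As an added example (not code from the original post), the shell script below ties the two steps together: it pulls IPv4 addresses out of httpd error_log and vsftpd log lines, checks each against a list of country CIDR blocks, and emits iptables DROP rules for the matches. The CIDR list, the log lines and the function names are constructed for illustration; in practice the list would come from one of the free country IP databases mentioned above.

```shell
#!/bin/sh
# Added example (not from the original post): turn IPs seen in log lines into
# iptables DROP rules when they fall inside a country's CIDR blocks. The CIDR
# list and log lines are CONSTRUCTED sample data standing in for a downloaded
# country list and /var/log/httpd/error_log or /var/log/vsftpd.log.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed (exit 0) when IPv4 address $1 lies inside CIDR block $2.
in_cidr() {
  local net="${2%/*}" bits="${2#*/}" mask
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}
# Extract the unique IPv4 addresses from log text on stdin.
extract_ips() {
  grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# Print one iptables DROP rule per logged IP ($1 = log text) that falls inside
# the CIDR list ($2, one block per line). Rules are printed, not applied:
# review them, then pipe the output into sh as root.
geo_block_rules() {
  printf '%s\n' "$1" | extract_ips | while read -r ip; do
    while read -r cidr; do
      [ -n "$cidr" ] || continue
      if in_cidr "$ip" "$cidr"; then
        echo "iptables -A INPUT -s $ip -j DROP"
        break
      fi
    done <<EOF
$2
EOF
  done
}

# Constructed CIDR blocks standing in for one country's allocations.
COUNTRY_CIDRS='203.0.113.0/24
198.51.100.0/25'
# Constructed log lines in Apache error_log and vsftpd formats.
SAMPLE_LOG='[Sun Mar 03 10:02:11 2019] [error] [client 203.0.113.45] File does not exist: /var/www/html/wp-login.php
[Sun Mar 03 10:02:15 2019] [error] [client 192.0.2.7] File does not exist: /var/www/html/xmlrpc.php
Sun Mar  3 10:03:01 2019 [pid 1234] CONNECT: Client "198.51.100.77"
Sun Mar  3 10:03:02 2019 [pid 1235] CONNECT: Client "198.51.100.200"'
geo_block_rules "$SAMPLE_LOG" "$COUNTRY_CIDRS"
```

Only 203.0.113.45 and 198.51.100.77 produce rules: 192.0.2.7 is outside both blocks and 198.51.100.200 falls in the upper half of 198.51.100.0/24, which the /25 deliberately excludes.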