

Ask HN: Do you drop Chinese netblocks? - blhack

I've heard quite a few sys-admins talk about doing this. Do any web-devs do it? A site I just started working on is still small enough that I can tail -f /var/www/apache2/access_log and watch the traffic, and when I see an IP grab *just* the index, it's a pretty good indicator that it's not a human.

These are almost all coming from China.
======
iuguy
If you don't want to serve traffic to China, and you don't want to respond to
requests for traffic you don't serve, block it at the firewall level.

Other than that, it's not a reliable indicator of activity from China (as it
could be a box that was popped that just happens to be in China, or someone
could've got hosting in China, or a million and one other possible
combinations).

------
bmelton
I generally do, yes. Working on the app I'm working on now, I can start the
webserver and see hits to various exploitable assets on my server within about
10 seconds. This is for a site that doesn't exist yet, on a subdomain that
isn't easily guessable, on a domain that hasn't been registered for a solid
month yet.

I have little doubt these IP addresses are from China, as they always are,
every time that I investigate, but yeah, generally these get blocked out
before launch.

If you're looking for it, there are country-specific blacklists all over the
web, but the safer strategy (if you don't want to block out a bajillion
potential users) is to look for suspicious activity and auto-blacklist.

Hits to phpmyadmin, 1st.cgi, etc., automatically get blacklisted. A good
sysadmin would do the same for portscans and intrusion attempts on non-web
ports as well.

~~~
blhack
Haha, I love that.

phpmyadmin.cgi:

  #!/usr/bin/env python
  # Honeypot CGI: whoever requests this page gets their address dropped at the firewall.
  # iptables needs root, so this only works if the web server can run it with that privilege.
  import os

  print "content-type:text/html"
  print  # blank line ends the CGI headers

  bad_person = os.environ['REMOTE_ADDR']  # set by the web server, not by the client

  # iptables flags are case-sensitive: -A appends to the chain, DROP is the target
  os.system("iptables -A INPUT -p tcp -s %s -j DROP" % (bad_person))

  print "<HTML>"
  print "you totally found it!"
  print "</html>"
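An added example, not code from anyone in the thread: a small scanner that applies both heuristics discussed above to Apache access log lines (blhack's "grabbed just the index" signal and bmelton's "hit phpmyadmin / 1st.cgi" signal) and renders the resulting DROP rules for review. The log lines, addresses and probe-path list are constructed for this example; a real deployment would read the live log and tune the path list.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in Apache "combined" format (RFC 5737 documentation
# addresses, not real hosts): one index-only hit, one browser, one scanner.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2010:13:55:36 +0000] "GET / HTTP/1.0" 200 512 "-" "-"
198.51.100.22 - - [10/Oct/2010:13:55:40 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2010:13:55:41 +0000] "GET /style.css HTTP/1.1" 200 90 "http://example.test/" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2010:13:56:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "-"
192.0.2.9 - - [10/Oct/2010:13:56:03 +0000] "GET /1st.cgi HTTP/1.1" 404 210 "-" "-"
"""

# Only the client address and request path matter for these two heuristics.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')

# Paths the thread names as things no legitimate visitor to this site requests.
PROBE_PATHS = ("/phpmyadmin", "/1st.cgi")


def suspicious_ips(log_text, probe_paths=PROBE_PATHS):
    """Return {ip: reason}. 'probe' = hit a known scanner target (bmelton's rule);
    'index-only' = fetched '/' and never any follow-up asset (blhack's rule)."""
    paths_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # skip malformed or truncated entries rather than guess
            paths_by_ip[m.group("ip")].append(m.group("path").lower())
    flagged = {}
    for ip, paths in paths_by_ip.items():
        if any(p.startswith(probe_paths) for p in paths):
            flagged[ip] = "probe"
        elif all(p == "/" for p in paths):
            flagged[ip] = "index-only"
    return flagged


def iptables_rules(flagged):
    """Render one DROP rule per flagged address. Each value is parsed with
    ipaddress first, so a garbled log field can never reach a shell."""
    rules = []
    for ip in sorted(flagged):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        rules.append("iptables -A INPUT -s %s -j DROP" % addr)
    return rules
```

The index-only rule fires on a single request, so on a busy site it should be combined with a minimum hit count or a time window before anything is actually blocked.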

