On 11/10/2010, at 1:29 PM, Ben Donohue wrote:

> I'm running an ecommerce site and currently I only deal with Australian
> shoppers.
>
> However there are many hacking attempts from non Aussie IP addresses.
>
> I'm looking at blocking everything that is non-Australian.
>
> Has anyone done this? Any issues/gotchas/tips/etc?
>
> Should I do it at the ISP or iptables? (would need a hand with iptables)
>
> I've found geoip, still looking into it.
I've thought about doing the same, but it's only a band-aid. It might stop the zombie probes, but won't stop a targeted attack, which will use a compromised host in Australia to relay through and probably break in through the web server.

What sort of attacks are you seeing? A lot of the attacks I see are harmless zombie probes looking for old and well known exploits on unpatched systems, or brute force password attacks on ssh. i.e. if you keep your system up to date, and use good passwords, or better, keys, you shouldn't be bothered by the probes.

The biggest risk as I see it is the web software: sql injection, xss, etc. As far as iptables is concerned, it's legitimate traffic; you need to look inside the web requests coming in, i.e. deep packet inspection. Also do penetration testing. If you're running apache, look at mod_security.

--
http://chesterton.id.au/blog/
http://barrang.com.au/linux/

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
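For reference, the iptables geo-allowlist the original question asks about, written as an added example that is not from either poster. It assumes the `xt_geoip` match from xtables-addons is installed with its country database loaded; the management address is a constructed placeholder, and the rules are printed for review rather than applied, with an explicit bypass for the management host and rate-limited logging of what gets dropped, both of which are the usual gotchas.

```shell
#!/bin/sh
# Geo-allowlist for new inbound web connections using xt_geoip (xtables-addons).
# Assumptions: xt_geoip module and its country database are installed;
# MGMT_IP is a constructed placeholder for the admin's own host.
ALLOW_CC="AU"          # countries allowed to open new web connections
WEB_PORTS="80,443"     # only the web ports are geo-filtered, not ssh
MGMT_IP="192.0.2.10"   # constructed: management host that must never be locked out

geoblock_rules() {
    # Print the rule set instead of applying it, so it can be reviewed first.
    # GEOBLOCK is a user-defined chain; RETURN hands the packet back to INPUT.
    cat <<EOF
iptables -N GEOBLOCK
iptables -A GEOBLOCK -s ${MGMT_IP} -j RETURN
iptables -A GEOBLOCK -m geoip --src-cc ${ALLOW_CC} -j RETURN
iptables -A GEOBLOCK -m limit --limit 5/min -j LOG --log-prefix "geoblock: "
iptables -A GEOBLOCK -j DROP
iptables -I INPUT -p tcp -m multiport --dports ${WEB_PORTS} -m conntrack --ctstate NEW -j GEOBLOCK
EOF
}

geoblock_apply() {
    # Apply the reviewed rules; needs root and a kernel with xt_geoip loaded.
    geoblock_rules | sh
}
```

Only NEW connections to the web ports are sent through GEOBLOCK, so established sessions and ssh are untouched; the LOG line is what shows you how much the block is actually catching.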
