Comment by BLKNSLVR
1 month ago
I have a script that logs IPs for any traffic coming in to my servers on ports that don't accept traffic. I then block those IPs from accessing ports behind which there are services.
If they're checking my locked doors, I don't want them coming in my unlocked doors.
This might be a good idea, but consider banning them for, say, a couple of hours at a time. It's easy to rotate IPs, especially if you're using a residential proxy service, and there's a good chance you'll end up blocking real users on the same ISP.
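A worked example of the two comments above (log hits on ports with no listener, ban the source, but only for a limited time): this is added example code, not BLKNSLVR's script. It assumes the probes are logged by a firewall LOG rule with the prefix `PROBE:` in the usual iptables format, that only ports 22 and 443 actually serve anything, that the log lines carry a syslog timestamp without a year (2024 is assumed), and that your own prefix is exempted so a misconfigured neighbour cannot lock you out. The sample log lines are constructed for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Ports that actually have a service behind them (assumption for this example).
SERVICE_PORTS = {22, 443}
# Time-limited ban, per the "couple of hours" suggestion: a shared or rotated
# address stops being punished once the ban expires.
BAN_DURATION = timedelta(hours=2)

# Constructed sample lines in iptables LOG format with a "PROBE:" prefix.
SAMPLE_LOG = """\
Jun 12 10:01:02 host kernel: PROBE: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=3389 SYN
Jun 12 10:01:05 host kernel: PROBE: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51235 DPT=5900 SYN
Jun 12 10:02:10 host kernel: PROBE: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=443 SYN
Jun 12 10:03:00 host kernel: PROBE: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=1900
"""

PROBE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*? PROBE: .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_probes(log_text, year=2024):
    """Return (source_ip, dest_port, timestamp) for every PROBE line."""
    probes = []
    for line in log_text.splitlines():
        m = PROBE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; the caller supplies one (assumption).
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        probes.append((m["src"], int(m["dpt"]), ts))
    return probes


class BanList:
    """Source addresses that probed a closed port, each with an expiry time."""

    def __init__(self, duration=BAN_DURATION, never_ban=()):
        self.duration = duration
        self.never_ban = [ipaddress.ip_network(n) for n in never_ban]
        self._expiry = {}

    def record_probe(self, src, dport, when):
        """Ban src if it touched a port with no service; returns True if banned."""
        if dport in SERVICE_PORTS:
            return False  # legitimate traffic to a real service is never a probe
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in self.never_ban):
            return False  # exempt own prefixes so you cannot lock yourself out
        # A repeat probe restarts the clock; it never bans longer than
        # `duration` past the most recent probe.
        self._expiry[src] = when + self.duration
        return True

    def is_banned(self, src, now):
        exp = self._expiry.get(src)
        return exp is not None and now < exp

    def active(self, now):
        """Drop expired entries and return the addresses still banned."""
        self._expiry = {ip: exp for ip, exp in self._expiry.items() if now < exp}
        return sorted(self._expiry)

    def nft_commands(self, now):
        """nftables commands for the active bans (assumes a set 'probers' with
        'flags timeout' in table inet filter; hypothetical names)."""
        return [
            f"nft add element inet filter probers {{ {ip} timeout "
            f"{int((exp - now).total_seconds())}s }}"
            for ip, exp in self._expiry.items() if now < exp
        ]


if __name__ == "__main__":
    bans = BanList(never_ban=["198.51.100.0/24"])
    for src, dport, ts in parse_probes(SAMPLE_LOG):
        bans.record_probe(src, dport, ts)
    now = datetime(2024, 6, 12, 10, 30)
    for cmd in bans.nft_commands(now):
        print(cmd)
```

Feeding the firewall a set element with a timeout (rather than a permanent DROP rule) is what makes the ban self-expiring; the script only has to re-add the element when the address probes again.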
Yeah, I'm using https://proxybase.xyz for this. It's like Mullvad but for proxies. No KYC, no email, but it supports XMR.
You should put your business (https://proxybase.xyz) in your HN profile. It might help to find more customers.
Do they say how they have access to those IPs? Most residential IPs are malware-infected devices.
Is this your service? Since you've made seven posts to HN about it and also your username shows up in the commits on their GitHub.
Because I'm quite curious where the IPs are from. Usually "residential IPs" is a fancy wording for malware-infested devices belonging to regular people.
I like the API-centric nature of it. $10/GB seems a bit steep though, especially compared to Mullvad’s 5 €/mo.
Search for “mobile proxy” – those are usually cheap-ish monthly subscriptions, with unlimited traffic, and often an API to rotate the IP programmatically if you need it. No KYC, but you usually do have to sign up with an email.
@notpushkin, yes, it's a bit more expensive because it's for different use cases. You can't use VPNs or Mullvad for anything mission-critical. Just try to log in to your bank in the US; it will increase your risk score on their end, because VPNs are by nature very easy to detect, whereas "residential proxies" are much harder.
There are a lot of legit scanners that look for problems to proactively warn the owner, so reacting to the mere presence of a packet on a port you aren't advertising somewhere is maybe a bit overkill. But if you think this is abuse: have you considered also reporting the abuse to the originating ISP? Otherwise they can never take action against that subscriber, and the blocked IPs will just impact people that come after. ISPs that work with you and terminate subscribers that abuse their service should maybe not be blocked for more than a typical IP lease duration.
> There are a lot of legit scanners that look for problems to proactively warn the owner
In my experience, most of the scanner firms seem to be creating their own maps of as much of the internet as they can get their grubby hands on, and then sell API access to their database of all services running on all the open ports on all the IP addresses they've probed and scanned and scraped.
Firstly, I don't want my shit listed in these databases. Secondly, the traffic is probably negligible, but it's still coming down my pipes (tubes) without an invitation, and I don't like that, plus they then profit off this uninvited behaviour. It rubs me the wrong way.
Finally, I highly doubt that (m)any of these services are doing it for altruistic purposes. They're doing it for reasons of profit, and then downstream of this is likely access by various intelligence agencies to this data.
I just don't think they have a right to this data.
> but if you think this is abuse: have you considered also reporting the abuse to the originating ISP?
That's a good point, and if I can automate that, then I will, but I don't consider it a priority. Finding the party ultimately responsible for an IP address isn't a particularly simple process.
It should be automatable, yes. Different RIRs (regional internet registries), which all operate their own WHOIS databases, might handle this differently, but generally you should be able to get an abuse contact in an automated fashion for exactly this purpose.
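As an added example of the automated abuse-contact lookup the comment above describes (not code from anyone in the thread): the RIRs publish the same registration data over RDAP as JSON, and the `rdap.org` bootstrap service redirects an IP query to whichever RIR holds the address. The record lists contacts as `entities`, each with `roles` and a jCard (`vcardArray`); the abuse mailbox is the `email` property of an entity whose roles include `abuse`, sometimes nested under the registrant organisation. The RDAP documents below are constructed samples shaped like a real response; the fallback that scans `remarks` for an address is a heuristic assumption for records that carry the mailbox only in free text.

```python
import ipaddress
import json
import re
import urllib.request

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def rdap_url(ip):
    """Bootstrap URL: rdap.org redirects to the RIR responsible for the address."""
    return f"https://rdap.org/ip/{ipaddress.ip_address(ip)}"


def _emails_from_vcard(entity):
    """Pull 'email' properties out of an RDAP jCard ["vcard", [[name, params, type, value], ...]]."""
    vcard = entity.get("vcardArray")
    if not vcard or len(vcard) < 2:
        return []
    return [prop[3] for prop in vcard[1]
            if prop[0] == "email" and len(prop) > 3 and isinstance(prop[3], str)]


def _walk_entities(entities):
    """Entities nest (an org entity can carry its own contact entities)."""
    for ent in entities or []:
        yield ent
        yield from _walk_entities(ent.get("entities"))


def abuse_contacts(doc):
    """Return the abuse mailboxes found in one RDAP IP-network document."""
    found = set()
    for ent in _walk_entities(doc.get("entities")):
        roles = [r.lower() for r in ent.get("roles", [])]
        if "abuse" in roles:
            found.update(_emails_from_vcard(ent))
    if not found:
        # Fallback heuristic (assumption): some records only mention the
        # abuse mailbox in a free-text remark.
        for remark in doc.get("remarks", []):
            for line in remark.get("description", []):
                if "abuse" in line.lower():
                    found.update(EMAIL_RE.findall(line))
    return sorted(found)


def fetch_abuse_contacts(ip, timeout=10):
    """Live lookup (needs network); not exercised by the offline sample below."""
    req = urllib.request.Request(rdap_url(ip), headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return abuse_contacts(json.load(resp))


# Constructed sample: abuse contact nested under the registrant organisation.
SAMPLE_RDAP = {
    "handle": "203.0.113.0 - 203.0.113.255",
    "startAddress": "203.0.113.0",
    "endAddress": "203.0.113.255",
    "name": "TEST-NET-3",
    "entities": [
        {"handle": "ORG-EX1", "roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example ISP"]]],
         "entities": [
             {"handle": "EX-ABUSE", "roles": ["abuse"],
              "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                       ["fn", {}, "text", "Example Abuse Desk"],
                                       ["email", {}, "text", "abuse@example.net"]]]}]},
        {"handle": "EX-TECH", "roles": ["technical"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["email", {}, "text", "noc@example.net"]]]},
    ],
}

# Constructed sample: no abuse entity at all, mailbox only in a remark.
SAMPLE_RDAP_REMARK_ONLY = {
    "handle": "192.0.2.0 - 192.0.2.255",
    "entities": [{"handle": "EX-TECH2", "roles": ["technical"],
                  "vcardArray": ["vcard", [["email", {}, "text", "tech@example.org"]]]}],
    "remarks": [{"description": ["Please send abuse reports to abuse@example.org"]}],
}

if __name__ == "__main__":
    print(rdap_url("203.0.113.7"), abuse_contacts(SAMPLE_RDAP))
```

Most RIRs return the abuse contact as a proper `abuse` entity, so the remark scan only matters for older or sparse records; treat whatever it finds as a hint to verify rather than an address to fire automated reports at.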
> most of the scanner firms seem to be creating their own maps of as much of the internet as they can get their grubby hands on, and then sell API access to their database
Yeah, sure, a lot of scanners are run by black or gray hats. Just saying that all options are on the table and blocking (or even reporting), e.g., the non-profit .nl operator organization for scanning tcp:443 on all the A/AAAA records of .nl domains is going to do much good.
(Example of what they're doing: https://www.sidn.nl/en/news-and-blogs/new-system-for-logo-ba...)
Closed ports are not "locked doors", and open ports are not "unlocked doors"
That is a binary thought process with a lot of assumptions. You might introduce even more attack surface in pursuit of this "security" measure by installing additional software like fail2ban, for example. Close your ports, maybe assign a non-standard port to the popular ones (like SSH) to reduce log spam, and patch your server often. Anything more complicated than that is not worth it, IMO.
I thought, and still think, it's a good analogy.
That’s nice, I need to implement this.