Country IP blocks outdated?

gaia · **Joined:** Tue Jun 09, 2009 12:57 pm **Posts:** 133

Though I've country-blocked both Koreas and China in ASL, I've recently noticed WAF entries and failed SSH logins from the following IPs, which according to IP2Location belong in China and Korea.

Code:

136.149.212
86.128.22
160.250.78

gaia · **Joined:** Tue Jun 09, 2009 12:57 pm **Posts:** 133

Shouldn't those IPs be blocked?

scott · **Posted:** Fri Jul 13, 2012 6:39 pm

Sure, assuming they are right. Do you know they are right?

gaia · **Joined:** Tue Jun 09, 2009 12:57 pm **Posts:** 133

scott wrote:

Sure, assuming they are right. Do you know they are right?

yes those IPs were lifted from the alerts and the country-block rules double checked...

gaia · **Joined:** Tue Jun 09, 2009 12:57 pm **Posts:** 133

Whats the consensus on this one?

scott · **Posted:** Wed Jul 18, 2012 8:45 am

No problem, we'll add those in today.

gaia · **Joined:** Tue Jun 09, 2009 12:57 pm **Posts:** 133

Where do the country IP blocks used in ASL come from? Wouldnt it be wise to offer a subscription option where higher quality IP lists could be used (like maxmind or similar)?

If I block just FIVE countries (which have never purchased anything anyways) I will have a 90% reduction in OSSEC alerts. The China netblock, for example, has a lot of holes. These just popped up today, though the entire country is supposed to be blocked:

Code:

   123.138.21.0 - 123.138.21.255
   222.90.0.0 - 222.91.255.255
   113.0.0.0 - 113.255.255.255

mikeshinn · **Posted:** Thu Aug 09, 2012 12:49 pm

maxmind is already one of the sources, if you use their DB you will see that even their database did not have these changes in it yet.

Country IP blocks outdated?

Who is online