dstiles

msg:4546882 | 8:52 pm on Feb 19, 2013 (gmt 0) |
We see hundreds of phpadmin and similar requests each day, all trying to hack in. Unless you actually have phpadmin on your server it pays to block all accesses to that path. In my case I do not use php at all, so I can also block any script ending in .php. As to the IP range - I have a LOT of softlayer ranges blocked - in fact, any IP range that looks anything like a server farm. If the issue is new to you then learn how to block user-agents, scripts and IPs, then look through this forum for IP ranges and user-agents to block - there are hundreds of them! :) And then there are the other headers...
|
keyplyr

msg:4546996 | 5:07 am on Feb 20, 2013 (gmt 0) |
| 159.253.128.0/19 = 159.253.128.0 - 159.253.159.255 |
Parts of that range don't check out as Softlayer. Where did you verify this?
|
lucy24

msg:4547065 | 11:49 am on Feb 20, 2013 (gmt 0) |
All's I know is, one of the worst robots I've met in my life came from that very neighborhood. 159.253.143.53 and ..145.175. They can try to hide behind /26 slivers but they sure do all look alike. NG can't possibly be New Guinea can it? :: shuffling papers :: Nigeria. Figures.
|
wilderness

msg:4547072 | 1:15 pm on Feb 20, 2013 (gmt 0) |
I'm sure your site(s) are not advantageous to visitors from AfriNIC
|
dstiles

msg:4547222 | 8:05 pm on Feb 20, 2013 (gmt 0) |
Keyplyr - if the record is served up by ARIN you need to scroll down to the bottom of the record:
inetnum: 159.253.128.0 - 159.253.159.255
netname: NL-SOFTLAYER-EU-20110921
descr: SoftLayer Dutch Holdings BV
country: NL
NOTE: Some ranges are /26 or whatever - put in a few IPs until you get the full range as above. I found the above for 159.253.139.0
|
keyplyr

msg:4547228 | 8:36 pm on Feb 20, 2013 (gmt 0) |
dstiles, I know how to use ARIN. That's not the point. | Parts of that range don't check out as Softlayer. |
|
|
keyplyr

msg:4547250 | 10:04 pm on Feb 20, 2013 (gmt 0) |
This is what I have for Softlayer (including the above mentioned range which I believe has many holes in it. I had it broken up into 6 smaller ranges since my information shows Softlayer does not own the entire scope of that range.)
|
lucy24

msg:4547276 | 1:10 am on Feb 21, 2013 (gmt 0) |
If you don't believe it, why is it still on the list? Softlayer may be subletting parts of its range to other entities-- it would hardly be the first-- but the chances of an undesirable host subletting to desirable humans are pretty slim. ("Oh, sorry, didn't realize it was a crack house. I'm just renting a room.")
|
keyplyr

msg:4547301 | 2:44 am on Feb 21, 2013 (gmt 0) |
| If you don't believe it, why is it still on the list? |
You answered your own question. As I said, I had it divided up as 6 different smaller ranges that *did* show as Softlayer. The holes were all different companies with different hosts, none of them Softlayer, however in the big picture of things, I decided to fault on the side of probability :)
|
wilderness

msg:4547303 | 3:02 am on Feb 21, 2013 (gmt 0) |
I realize you kids are having fun in the sandbox. . . .
FWIW:
RewriteCond %{REMOTE_ADDR} ^159\.(121|134|14[789])\. [OR]
RewriteCond %{REMOTE_ADDR} ^159\.(213|224\.120|226|253)\. [OR]
|
dstiles

msg:4547643 | 9:26 pm on Feb 21, 2013 (gmt 0) |
Keyplyr - the NETNAME seems to resolve to softlayer throughout the 159.253.128.0/19 range (I tried it every /23). The description and sometimes country vary but that is simply sub-letting. Most large companies sub-let.
|
keyplyr

msg:4547655 | 9:43 pm on Feb 21, 2013 (gmt 0) |
Thanks dstiles. I also think that up-to-date info may take a while to propagate around. It would be interesting to find a source where we could view when IP ranges are sold/traded/assigned/re-allocated in real time. Quite often I see that what I had noted as one company is now being listed at a WHOIS as another owner/host. That's one argument for using CIDR for blocking instead of mod_rewrite. It gives a much clearer picture when ranges are inside of another without checking notes (ah'em Don - LOL.)
|
|
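An added example, not posted by any participant in the thread: it converts the WHOIS inetnum range quoted above to CIDR, finds blocklist entries nested inside others, and compares CIDR coverage with the second RewriteCond pattern from the thread. The /26 entry and the address 159.253.10.1 are constructed sample values, and the function names are hypothetical.

```python
import ipaddress
import re

# inetnum start and end as quoted from the WHOIS record in the thread.
START, END = "159.253.128.0", "159.253.159.255"

# Second RewriteCond pattern from the thread, as a Python regex.
# Its "253" branch matches every address in 159.253.0.0/16.
REWRITE_PATTERN = re.compile(r"^159\.(213|224\.120|226|253)\.")


def range_to_cidrs(start, end):
    """Convert a start-end range to the minimal list of CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


def nested_entries(cidrs):
    """Return (inner, outer) pairs where one entry lies inside another."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for a in nets for b in nets
            if a != b and a.subnet_of(b)]


def classify(addr, cidrs):
    """Return (hit by CIDR list, hit by regex) for one address."""
    ip = ipaddress.ip_address(addr)
    in_cidr = any(ip in ipaddress.ip_network(c) for c in cidrs)
    in_regex = bool(REWRITE_PATTERN.match(addr))
    return in_cidr, in_regex


if __name__ == "__main__":
    # Constructed blocklist: the /19 from the thread plus a made-up /26 sliver.
    blocklist = ["159.253.128.0/19", "159.253.143.0/26"]
    print("CIDR for range:", [str(n) for n in range_to_cidrs(START, END)])
    print("Redundant entries:", nested_entries(blocklist))
    # 159.253.143.53 is from the thread; 159.253.10.1 is constructed and
    # lies outside the /19 but is still matched by the regex.
    for addr in ("159.253.143.53", "159.253.10.1"):
        print(addr, classify(addr, blocklist))
```
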