Do you do any business In China what so ever? If you do not why not just block all of China? It would stop them at least from coming from that region at least.

Another question are the Injection attacks doing harm to your website? If they are block them sooner then later to give you more time to fix the problems.

I know websites I manage get hit all the time with any number of injection/php/exploiots attempts every day. I have secured my site and codebase so these attempts just result in 403, and them added to a black list of ip's and ranges. So they only get one try before they get black listed from further attempts.

Ocean1000

and them added to a black list of ip's and ranges

I have as well done this only to get calls from customers asking why they can get on my site. This to me rings with problems because hackers usually are working from a hacked computer or server.

I agree with the part about if your not doing business in x country then yes you can block that but the other I feel needs to be done with extreme caution.

Honestly, if I were you I wouldn't worry so much about stopping "a hacker", whom I suspect is more of an automated bot than an actual person.

Instead put your efforts into addressing the vulnerabilities themselves and close those holes up.

It might not even be the same person/bot doing this each time.

Ocean mentioned this but to elaborate some more.... what happens is bots will crawl sites and attempt to hit URLs like /VTI BIN or /PHPMYADMIN and other URLs that give info about the services running on your site.

Sites that return a 404/3 or whatever are ignored, sites that resolve the URL will be logged as a site with potential vulnerabilities, then either the bot will continue to make some automated attempts at compromising your server, OR someone who receives the logs of sites that are potential victims may come and make an attempt themselves.

If they succeed in "hacking" your site then usually what happens next is they automate the hacking so a bot can come back every day/hour/minute and do the dirty work for them.

There are literally 1000s of people trying this on sites daily. Finding 1 IP or a range of IPs and blocking them will not stop the problem. It will continue in perpetuity.

Find the hole and close it. Then you can work on trying to log these instances, once you start logging these things you will see how often attempts are made on your site.

I for one am not a fan of blocking IPs unless it is clear that the IP is highly suspect.

Most of the attempts will come from Zombie computers who's users don't even know their computer is performing these operations if they route through a proxy then banning IPs is pointless.

[edited by: Demaestro at 5:27 pm (utc) on Sep. 10, 2009]

Injection/exploit attempts I treat as a major threat, and do not give that computer many future attempts to find a hole. Do to the industry I mainly work in, I can not take that many chances. Most of the clients have IT staff and maintain there computers and networks. If I find out an IP comes from an clients range, it usually means a lot of paperwork on my part documenting it, and notifying everyone that is needed. I usually only have to deal with US based branches, so I can block all foreign countries without any worries for the secured sites.

[edited by: Ocean10000 at 5:34 pm (utc) on Sep. 10, 2009]

Ocean that is a good policy when dealing with a specific country.

The nature of the site and the sensitivity of data on the webserver are definitely key factors in deciding how to deal with these things.

The severity of the exploit is also a factor. If all they are trying to do is put some files into the public folder then I usually leave that alone.

If they are trying to make an SSH connection or something like that then it is time to nuke their IP.

Regardless you can't leave holes open and try to block people who are exploiting them. You HAVE TO close the holes, then decide what to do about people trying to open them back up.