My server is under DDoS attack.
I would like to know if it is possible to block all possible IPs from 0.0.0.0 to 255.255.255.255, or all countries, and allow only some IPs/countries?
My website needs traffic from 4 countries; the rest can be banned, but I don't want to ban each country one by one.
This wouldn't be something CloudFlare could help set up for you, since it would actually be commands you would run server side (we don't touch or manage your server). Your hosting provider should be able to help. We don't have that option available in CloudFlare's Threat Control at this time.
Note: This might help with blocking countries on your server.
You also want to make sure that CloudFlare's IPs aren't being blocked. Some of our IP space appears to be from countries other than the USA.
Related
I'm working in a building where you rent a room for office work. We have our server in one of the rooms and other employees in other rooms. The problem is that the server needs its own network (don't ask why; too much to explain), so we set up a VPN on the Mikrotik router (RouterOS 6.48.1). While connecting from home works perfectly, doing that from other rooms does not work. I searched a lot about firewall and NAT rules but I can't find anything that will help me. In the picture, the cut-out area is the external address. Let's say it's 2.2.2.2.
So I want employees from other rooms to be able to connect to the VPN from my room to the 192.168.43.2 router so he/she will be able to connect to the devices available there.
There are many ways you can do this. One of the easiest ways is to add a rule allowing incoming and outgoing traffic of your subnet in the firewall rules. Here allow 192.168.0.0; 0.0 will work as a wildcard, so be careful while using it. Also, if you have manually configured the routing configuration on the router for the VPN, add both network addresses to the route table to make them communicate.
I want to set a custom TCP port to log in to a CMS, for example WordPress.
Is this possible?
(but keep the normal port 80 for the entire site)
For example, in cPanel WHM there are different ports: 2086 non-SSL and 2087 SSL.
With a tool like ipset (iptables in Linux), can I block an entire country according to IP range and port? For example, can I allow just my country to request a specified port?
Another, better method is to use a layer 2 firewall like Google Compute Engine and block ranges of IPs in relation to a specified port.
Sorry, maybe this question is not good.
Again:
Can I do this in a CMS like WordPress?
Note: I know about Deny all in .htaccess.
I know about setting SSL just for wp-admin.
I know I can change the wp-admin route to another alias name.
You can develop a simple bash script to download ip addresses for a particular country (represented as a zone) from ipdeny.com. The bash command would be something like:
wget -qNP [dir] http://www.ipdeny.com/ipblocks/data/countries/XX.zone
Where [dir] is the directory you wish to store the zone file containing the list of ip addresses for the country; and XX is the two character country zone code.
You can then read the IP addresses into an ipset using the strategy described at: https://www.hueyise.com/index.php/linux-dynamic-ip-address-blocking... however, this strategy applies specifically to dynamically blocking malicious IP addresses (e.g., hackers) that are discovered during operations and blocking them immediately.
I successfully implemented a tailored version of this strategy to automatically download IP addresses for certain countries once per day, and then read the IP addresses into an ipset defined for blocking inbound/outbound accesses by these countries.
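An added example, not code from the answer above or from the linked page: one way to turn a downloaded XX.zone file into an allowlist ipset and restrict a single TCP port to it. The set name allow_cc, port 8443 and the "apply" argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example. SET and PORT are assumed names, not values from the page.
SET="${SET:-allow_cc}"
PORT="${PORT:-8443}"

# Print input for `ipset restore`. The list is built in a temporary set and
# swapped in, so the live set is never empty or half-loaded during an update.
zone_to_restore() {
    zone_file="$1"
    echo "create $SET hash:net family inet"
    echo "create ${SET}_tmp hash:net family inet"
    echo "flush ${SET}_tmp"
    # A downloaded list is untrusted input fed to a root-run command:
    # accept only a.b.c.d/nn with octets 0-255 and prefix 0-32.
    awk -v set="${SET}_tmp" '
        $0 ~ "^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+/[0-9]+$" {
            split($0, p, "[./]")
            if (p[1] <= 255 && p[2] <= 255 && p[3] <= 255 &&
                p[4] <= 255 && p[5] <= 32)
                print "add " set " " $0
        }' "$zone_file"
    echo "swap ${SET}_tmp $SET"
    echo "destroy ${SET}_tmp"
}

# Number of entries that passed validation, so an empty or truncated
# download can be refused before it replaces a working set.
count_valid() {
    zone_to_restore "$1" | awk '/^add /{n++} END{print n+0}'
}

# Load the set and drop traffic to PORT from any source outside it.
# Needs root, ipset and iptables; -exist tolerates sets that already exist.
apply_allowlist() {
    [ "$(count_valid "$1")" -gt 0 ] || { echo "no valid entries in $1" >&2; return 1; }
    zone_to_restore "$1" | ipset -exist restore || return 1
    iptables -C INPUT -p tcp --dport "$PORT" -m set ! --match-set "$SET" src -j DROP 2>/dev/null ||
        iptables -I INPUT -p tcp --dport "$PORT" -m set ! --match-set "$SET" src -j DROP
}

# As root: sh allowlist.sh apply /path/to/XX.zone
if [ "${1:-}" = "apply" ]; then apply_allowlist "$2"; fi
```

If the site sits behind CloudFlare, the source address the firewall sees is CloudFlare's, so those ranges have to be in the set as well, as the first answer on this page points out.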
I am trying to set up a server system at home because I recently switched ISPs.
I own the vrakiver.net domain name through the register.com registrar.
My ISP provides a static IP to my DD-WRT router.
I have 2 computers set up with static IPs:
1st: "server" with IP 192.168.1.102
2nd: "g5" with IP 192.168.1.100
From within the LAN I can connect to either with server.local or g5.local or at their respective IPs.
I would like to set up the system so that I can use g5.vrakiver.net from anywhere in the world to access "g5" and server.vrakiver.net to access "server".
Port forwarding isn't going to cut it, because I need access to all the ports of both devices. (But not necessarily at the same time)
I read something somewhere about some systems asking what domain the user was directed from and then deciding where to route based on that.
*I think this should be physically possible, because it would be so easy on IPv6: just set the domain record to each host's publicly accessible IP.*
Thanks in advance for any advice on this you can give.
I'm afraid what you're trying to achieve is not possible.
Your clients will first resolve server.vrakiver.net or g5.vrakiver.net before contacting your router.
As the resolution yields the same IP address, your router has no way to know which name has been used.
We would like to use the Google Translate API from a host which doesn't have open access to the Internet. To set up the firewall rules I would need the list of possible IP addresses for www.googleapis.com. It is resolved to different IP addresses depending on the location. It seems to be difficult to create a future-proof firewall rule.
Do you know how I could get the list of IP addresses or network ranges for the Google API servers?
The IP addresses used for any given googleapis.com server could change. Google doesn't have just one network block which they host all of their content out of, they have a bunch of them - and they change over time.
There are several ways you could set up your restricted network to allow access to *.googleapis.com without hard-coding IP addresses. I don't know anything about your setup, but I've found that using an internal proxy is often the best bet when you want to allow/restrict access to a domain.
I'm currently revising for an exam and I'm stuck on a question which is:
"Explain the static and dynamic host configuration approaches."
I'm unsure if the answer is correct, but what I've written is this:
Static host configurations are hard-coded addresses that will only work on one specific network segment, which is intended for stationary computers.
Dynamic host configurations work best with portable computers like laptops that move between network segments.
That's my answer. Could anyone help me to understand if this is correct or not?
You are correct about the difference. But there's a lot more than what you have stated.
DHC: Used to configure IP addresses automatically for the systems without any intervention from the network administrator.
For example, when you register for a new internet connection, your ISP (the network administrator, in this case) will provide you access to the DHCP server, which'll allot you the IP address at runtime.
To prevent the same IP address being assigned to two different computers.
Also, the main use is that ISPs will have a range of IP addresses with them. You'll be assigned any of their IPs dynamically by the DHCP server when your lease time expires for a particular IP that has been assigned earlier.
SHC: Used to manually configure the IP addresses of systems.
When you know exactly how many systems are going to be present inside the network.
And when you want to uniquely identify a system in the network using its IP address.
For example, when you configure a LAN in your house between, say, around 4 computers, you will know exactly the number of systems in the group. So you don't have to allot a DHCP server to allot the IP addresses for these 4 systems. You manually configure them.
Hope that helps :)