May 6, 2018

Why I discontinued the Exploited Servers Blocklists

On May 2, 2018, after receiving two requests for removal of legitimate IP addresses, I began removing all IP addresses and CIDRs from my exploited servers iptables blocklist. This was soon followed by removal of the same addresses from the .htaccess formatted blocklists. Apparently, some folks are upset by this decision.

Some people who were using this blocklist have asked me to explain why I chose to delete the blocklist rather than continue to edit it. This blog article will explain my reasons for discontinuing the Exploited Servers Blocklist in all three formats in which it had been published. However, it was trouble arising from the iptables version that convinced me that its time had finally come.

A "blocklist" in this discussion means a text based list of IP addresses and CIDRs that are to be blocked, or denied access to, a web, FTP or email server. An IPv4 address is four numbers separated by periods (for example 192.0.2.45) that is assigned to any host on the Internet or on a local or wide area network. A CIDR is an address followed by a slash and a prefix length (for example 192.0.2.0/24) and names a whole block of consecutive addresses, which is how a single entry can cover everything a hosting provider owns.

It all started a long time ago when I became a moderator in a forum that had buy and sell sections for pedal steel guitars and amplifiers, etc. Shortly after taking over the role of Moderator of the Computers section of that forum, I became aware of the fact that members selling items were being scammed by Nigerian fraudsters. Being a Webmaster myself, I felt that I might be able to do something about that. This led to the creation of the Nigerian Blocklist!

If you want to skip the TL;DR background details you can jump to the meat of the matter now.

I began compiling my various blocklists in the mid 2000s when Nigerian 419 (advance fee fraud, kited check fraud) scammers began harassing members of the Steel Guitar Network forum, of which I was a member. Through personal research and forwarded emails, I began discovering the originating IP addresses of the fraudsters, located in and around Nigeria. I then ran WHOIS look-ups on each IP address to find the CIDR that encompassed it. Then I compiled the CIDRs in numeric order, each preceded by the words "deny from", for inclusion in the forum's master .htaccess file. Any visitor/scammer whose IP address fell within one of the CIDRs in that blocklist was unable to see any posts, join, or send messages to anybody on that forum. Mission accomplished!

After seeing the success that the Steel Guitar Forum had from using my Nigerian Blocklist, I made it available publicly on my server.

After creating the Nigerian Blocklist (in .htaccess format only) I decided to start working on blocking other unwanted sources of traffic that were probing and attacking my own websites. The first of these was called the Russian and Exploited Servers Blocklist. I had to read my raw access logs multiple times every day to find vulnerability probes and exploit attempts, as well as spamming attempts on my contact forms and blog. Each time I found an unfriendly IP address I ran a WHOIS look-up to gather its CIDR and added it to the blocklist. Eventually, the Russian and former Soviet Union portion grew so large that I separated it from the Exploited Servers list and formed two separate blocklists: The Russian Blocklist and the Exploited Servers Blocklist (deprecated).

Later on I developed the Chinese Blocklist, then the LACNIC Blocklist (Latin America). I don't put much effort into the LACNIC Blocklist any more, but the Chinese list keeps on growing. You can find links to all of my active .htaccess blocklists here, along with detailed instructions for their use.

It was around 2009, or so, when somebody sent me a message asking if I could create a version of the blocklists that could be incorporated into a Linux firewall, to protect an entire web and email server from unwanted traffic. I had never done this before as I was and still am hosted on a shared server with no access to the operating system. So, I studied up on how the APF firewall was configured and came up with equivalent iptables blocklists.

Each time I discovered hostile IP addresses and their CIDR ranges, I added them to the appropriate blocklist. At first there were just two versions of the blocklists: .htaccess and iptables. A few years ago I was asked to create a new version of the .htaccess blocklists that worked with the then new Apache version 2.4. Apache 2.4 replaced the Order/Allow/Deny directives of version 2.2 and earlier with the Require directives of mod_authz_core, so the old "deny from" lines only work there if the host still loads the mod_access_compat module, which not every host does. So, I now had to manually update 3 blocklist files every time a CIDR was added to any particular blocklist.
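As an added illustration of the three formats the post describes (this is not the author's own generator, and the Wizcrafts files were maintained by hand), here is one Python script that takes the raw addresses and CIDRs gathered from log reading and WHOIS look-ups, de-duplicates and merges them, and renders the Apache 2.2 .htaccess, Apache 2.4 .htaccess and iptables versions from the same list. The sample entries are constructed from RFC 5737 documentation ranges; the BLOCKLIST chain name and the exact line layout of the published iptables files are assumptions.

```python
"""Render one set of blocked IPs/CIDRs as the three blocklist formats.

Added example, not the Wizcrafts generator. The sample entries are
constructed from RFC 5737 documentation ranges. The BLOCKLIST chain
name and the exact layout of the published iptables files are
assumptions.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample of what a day's log review and WHOIS look-ups yield:
# a duplicate host, a host already inside a listed /24, and two adjacent
# /25s that merge into one /24.
SAMPLE_ENTRIES = [
    "192.0.2.45",
    "192.0.2.45",
    "198.51.100.0/24",
    "198.51.100.77",
    "203.0.113.0/25",
    "203.0.113.128/25",
]


def normalize(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse hosts and CIDRs, drop duplicates and covered entries, merge
    adjacent ranges, and return them in numeric order (IPv4 only, as the
    post's lists were)."""
    nets = []
    for raw in entries:
        text = raw.split("#", 1)[0].strip()          # allow trailing comments
        if not text:
            continue
        net = ipaddress.ip_network(text, strict=False)  # '198.51.100.77/24' -> the /24
        if net.version == 4:
            nets.append(net)
    return sorted(ipaddress.collapse_addresses(nets))


def cidr(net: ipaddress.IPv4Network) -> str:
    """Single hosts are written without the /32 so the files stay readable."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def htaccess_apache22(nets: Iterable[ipaddress.IPv4Network]) -> str:
    """mod_authz_host syntax for Apache 2.2 and earlier. With
    'Order allow,deny' any request matching a Deny line is refused;
    everything else falls through to 'Allow from all'."""
    lines = ["order allow,deny"]
    lines += [f"deny from {cidr(n)}" for n in nets]
    lines.append("allow from all")
    return "\n".join(lines) + "\n"


def htaccess_apache24(nets: Iterable[ipaddress.IPv4Network]) -> str:
    """mod_authz_core syntax for Apache 2.4: inside RequireAll every
    'Require not ip' must hold, so one matching range denies the request."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {cidr(n)}" for n in nets]
    lines.append("</RequireAll>")
    return "\n".join(lines) + "\n"


def iptables_rules(nets: Iterable[ipaddress.IPv4Network], chain: str = "BLOCKLIST") -> str:
    """Shell commands that (re)load the list into its own chain. Flushing
    the chain makes a reload idempotent; the last line hooks the chain in
    front of INPUT only if that jump is not already there, so the DROPs
    run before any ACCEPT rules the host already has. That placement is
    exactly why entries must be vetted first: a loopback or LAN range in
    this chain would cut the host off from itself."""
    lines = [f"iptables -N {chain} 2>/dev/null || iptables -F {chain}"]
    lines += [f"iptables -A {chain} -s {cidr(n)} -j DROP" for n in nets]
    lines.append(f"iptables -C INPUT -j {chain} 2>/dev/null || iptables -I INPUT 1 -j {chain}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    blocked = normalize(SAMPLE_ENTRIES)
    print(htaccess_apache22(blocked))
    print(htaccess_apache24(blocked))
    print(iptables_rules(blocked))
```

The merge step matters more than it looks: a WHOIS look-up returns the provider's whole allocation, so adjacent or overlapping entries accumulate quickly, and a shorter file is scanned faster on every request by Apache and costs fewer rules in iptables.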

In most cases, the folks using my .htaccess blocklists are doing so on their own websites only. Maybe they also apply them to their clients' websites too. But, basically, the change in blocked addresses is localized to a very few domains. Rarely are .htaccess blocklists placed in the main server configuration (httpd.conf), because Apache would have to be restarted or reloaded to apply the changes. And because .htaccess files are re-read on every request, a large IP blocklist in a directory high in the tree would slow down every hosting account below it.

On the other hand, when changes are made to the iptables versions of my blocklists, they are loaded into the host's iptables firewall (or a hardware firewall in front of it), which is reloaded independently of the web server. Once a CIDR or individual IP address is blocked in the firewall, it affects every service behind the firewall. In many instances this includes email servers. An erroneous entry in the firewall's iptables blocklist could block web, FTP and email services to innocent customers.

The meat of the matter.

Over the years, the IP addresses assigned to the former Soviet Union countries and China/Asia have remained stable. But those listed in the Exploited Servers Blocklist were not stable. Addresses that had once been used in attacks on other servers were reassigned to friendly folks. Entire CIDRs got sold or traded to other hosting providers. Bad actors sometimes grew wary of enforcement orders, take-down notices or blacklisting, and sold their assets to legitimate concerns. Entire server farms sometimes went from hostile to friendly in a short time.

As these changes of behavior and ownership became more commonplace, requests for removal of IP addresses from the Exploited Servers Blocklist came more frequently. Legitimate customers were having their services and access blocked through no fault of their own. Thus, I came to the conclusion that since I'm not up to the task of policing the Exploited Servers Blocklists any more, they had to go!

I have placed but one IP address in the current iptables version of the Exploited Servers Blocklist: 127.0.0.1, which is the loopback IP of anybody's local machine. All of the other actual IPs and CIDRs have been removed. All three versions of that blocklist have firm notices that the blocklist has been discontinued. As the persons responsible for using the blocklists notice this change, they will begin removing it from their firewall rules.

I don't have any personal involvement in placing the iptables blocklists into any firewalls. All I have done and continue to do is publish them freely for anybody to use or not use as they see fit. Most of the time there are scripts being run that scan my iptables blocklists for changes. I am guessing that they are applying the fresh copy every time they detect a change in the file size.
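The consumer side deserves the same care as the publisher side. As an added example (not the author's script, and not any subscriber's known fetch script), here is a vetting step a fetch-and-apply job should run on a downloaded iptables-format list before a single rule reaches the firewall. It detects change by content hash rather than file size, refuses a file that carries a discontinuation notice, and refuses any entry that would block loopback, RFC 1918 or other non-routable space or that is broader than a /16. The two file bodies are constructed stand-ins, one for a live list and one for the final state the post describes (a notice plus a lone 127.0.0.1 entry); the notice wording, the rule line format and the /16 limit are assumptions.

```python
"""Vet a downloaded iptables-format blocklist before loading it.

Added example, not the author's script nor any subscriber's. The two
file bodies are constructed stand-ins: one live-looking list, and one in
the state the post describes for the discontinued list (a notice plus a
lone 127.0.0.1 entry). The notice wording, the rule line format and the
/16 width limit are assumptions.
"""
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

RULE_RE = re.compile(r"^iptables\s+-A\s+\S+\s+-s\s+(\S+)\s+-j\s+DROP$")
NOTICE_RE = re.compile(r"discontinued|deprecated|no longer", re.I)
WIDEST_PREFIX = 16   # refuse anything broader than a /16 (assumed policy)

# Ranges a server must never DROP from: its own loopback, RFC 1918 LANs,
# link-local, multicast, reserved. (ipaddress.is_private would also flag
# the RFC 5737 documentation ranges used in the samples, so the check is
# spelled out explicitly instead.)
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

LIVE_LIST = """# exploited servers, iptables format (constructed sample)
iptables -A INPUT -s 192.0.2.0/24 -j DROP
iptables -A INPUT -s 198.51.100.17 -j DROP
"""

DISCONTINUED_LIST = """# NOTICE: this blocklist has been DISCONTINUED. Remove it from your firewall.
iptables -A INPUT -s 127.0.0.1 -j DROP
"""


@dataclass
class Verdict:
    ok: bool
    digest: str
    networks: List[ipaddress.IPv4Network] = field(default_factory=list)
    problems: List[str] = field(default_factory=list)


def vet_blocklist(body: str, last_digest: str = "") -> Verdict:
    """Return the networks that may be loaded, or every reason the file
    must not be. A single bad line poisons the whole file: a list that is
    half wrong should not be half applied to a production firewall."""
    digest = hashlib.sha256(body.encode()).hexdigest()
    v = Verdict(ok=False, digest=digest)
    if digest == last_digest:            # compare content, not file size
        v.problems.append("unchanged since last run")
        return v
    for lineno, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if NOTICE_RE.search(line):
                v.problems.append(f"line {lineno}: list marked discontinued")
            continue
        m = RULE_RE.match(line)
        if not m:
            v.problems.append(f"line {lineno}: not a blocklist rule: {line!r}")
            continue
        try:   # strict: host bits set under the mask is a typo, not a range to widen
            net = ipaddress.ip_network(m.group(1), strict=True)
        except ValueError:
            v.problems.append(f"line {lineno}: bad address {m.group(1)!r}")
            continue
        if net.version != 4:
            v.problems.append(f"line {lineno}: {net} is not IPv4")
        elif net.prefixlen < WIDEST_PREFIX:
            v.problems.append(f"line {lineno}: {net} is wider than /{WIDEST_PREFIX}")
        elif any(net.overlaps(bad) for bad in NEVER_BLOCK):
            v.problems.append(f"line {lineno}: {net} overlaps loopback/private/reserved space")
        else:
            v.networks.append(net)
    v.ok = not v.problems and bool(v.networks)
    return v


if __name__ == "__main__":
    for name, body in (("live", LIVE_LIST), ("discontinued", DISCONTINUED_LIST)):
        verdict = vet_blocklist(body)
        print(name, "OK" if verdict.ok else "REFUSED", verdict.problems)
```

The 127.0.0.1 placeholder is the case that makes the loopback check worth having: a DROP for 127.0.0.1 is harmless if it lands after the usual accept-loopback rule, but a script that loads the list into a chain hooked at the top of INPUT would be dropping the machine's own loopback traffic. Refusing the whole file on a notice line is deliberate as well; a list its publisher has withdrawn should trigger a removal, not a reload.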

Aside from a handful of donations over the years (THANK YOU to all who have donated!), I've basically made nothing for my efforts in maintaining these blocklists. I have a regular day job in a business that is not related to computer work at all and have less and less free time to put into reading my access logs and email headers, parsing originating IP addresses and running WHOIS look-ups on them.

Bottom line:
If you are one of the people or organizations who has been importing my Exploited Servers Iptables Blocklist into your firewalls, delete it as soon as possible from your iptables rules. It cannot be trusted any longer. Tell your Wget/csf/curl scripts to stop getting and parsing that file.

I am now protected by Cloudflare, a content delivery and DDoS protection service, and have the use of their very robust firewall. Anybody can place their websites behind Cloudflare for free, or on a paid basis. The paid plans offer much better protection. The free service offers up to 200 IP/CIDR entries in the firewall and can block entire countries by challenging every attempt to connect from them. Almost no actual person answers those JavaScript challenges unless they have a legitimate reason to do so, and simple scripts and scanners cannot complete them at all, so exploit attacks and probes are way down in my access logs.

Because Cloudflare terminates every connection itself, the source address in my raw access logs is one of Cloudflare's own, so reading those logs is no longer useful for harvesting IP addresses to add to blocklists. (Cloudflare does pass the visitor's real address in the CF-Connecting-IP and X-Forwarded-For request headers, and Apache's mod_remoteip can write it back into the access log, but that is a server-side change a shared-hosting customer cannot always make.) To check for new hostile IP addresses I have to disable Cloudflare on my main website for an extended period, so that requests reach my server directly and their true source addresses are logged, then read my access logs. This is time-consuming, unnecessary work for which I receive no compensation. That is why you are seeing fewer updates to all of my remaining blocklists. About the only regular way I now obtain new IP addresses to block is from the occasional spam email that makes it through the extensive anti-spam filters on my mail servers and my MailWasher Pro desktop spam filter.

If you are reading this TL;DR article because you are having problems with being blocked from certain websites or email services, contact their admins and ask if they are using the Wizcrafts Exploited Servers Iptables Blocklist. If they are, tell them that this blocklist has been done away with entirely and to remove all of the IP addresses that they got from that blocklist from their firewalls. You can refer them to this article for confirmation.

PS: If you run your own website in a shared hosting server and still want the last version of the Exploited Servers Blocklist, in .htaccess format only, contact me and I will arrange to email a copy to you (no more online link).

I am certain that the Internet can get along with or without me and my blocklists. Live long and prosper!

Wiz is 10-7 for now


About the author
Wiz FeinbergWiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.

Follow @Wizcrafts on Twitter, where I post short updates on security issues, spam trends and things that just eat at my craw.




Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by Movable Type
