Imunify360 feature request - block requests by ASN (IP to ASN lookup?)
I was recently thinking about a security feature, like the current one where we can block IP addresses and ranges, and even countries from accessing our server IP and domains.
But I was wondering, can we block providers by their AS number (ASN), maybe?
This could be good, for example, if we have "good traffic" from USA, but want to block all the IP addresses, or better to say, all the requests coming from the IP address(es) that belong to a specific AS number like DigitalOcean?
Meaning, we allow all USA traffic, but block all from DigitalOcean by entering their ASN number?
That feature would be great, if possible in any future.
If you are currently doing some hostname to IP resolving or, I do not know, using the MaxMind Geo database - which I saw in a tutorial how to set it up - which obviously helps to block Countries, right?
I am not a technical expert, but maybe some way to integrate so we can enter the ASN and all the requests from its IP addresses are being blocked.
- something in the backend like IP to ASN lookup
Regarding that, it would be great if possible, to either block Web traffic, but even better to protect ports like SSH or FTP.
Or, even to protect POP/IMAP ports from spammers or tools like port scans trying to connect just like there is a stretchoid which we currently see in our logs trying to scan/brute force our e-mail server.
And yes, I did not consider the performance regarding the IP to ASN lookup, but ... if a client has got a dedicated server, I believe it can handle that.
That way, the Imunify360 Firewall would be much more improved, if so, I believe.
Thank you!
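The policy requested above (allow a country, but block specific ASNs found by an IP to ASN lookup), sketched as an added example that is not part of the original post and is not Imunify360 code. The prefix table, the ASNs and the `decide` function are constructed for illustration, and the country code is assumed to come from a separate GeoIP lookup.

```python
import ipaddress

# Constructed prefix-to-ASN table using documentation prefixes and
# documentation ASNs; a real deployment would load an IP-to-ASN database.
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64501,
    "198.51.100.128/25": 64502,  # more specific prefix inside the /24 above
    "2001:db8::/32": 64500,
}
BLOCKED_ASNS = {64500, 64502}    # hypothetical provider ASNs entered by the admin
ALLOWED_COUNTRIES = {"US"}       # hypothetical country allow list

_TABLE = [(ipaddress.ip_network(p), asn) for p, asn in PREFIX_TO_ASN.items()]


def lookup_asn(ip):
    """Return the ASN of the longest matching prefix, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in _TABLE:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, asn)
    return best[1] if best else None


def decide(ip, country):
    """ASN block list is checked first, so it overrides an allowed country."""
    asn = lookup_asn(ip)
    if asn in BLOCKED_ASNS:
        return ("block", f"AS{asn} is on the ASN block list")
    if country not in ALLOWED_COUNTRIES:
        return ("block", f"country {country} is not allowed")
    return ("allow", f"country {country} allowed, ASN {asn} not blocked")


if __name__ == "__main__":
    # Constructed sample requests: (source IP, country from GeoIP lookup)
    for ip, cc in [("198.51.100.10", "US"), ("198.51.100.200", "US"),
                   ("2001:db8::1", "US"), ("203.0.113.5", "DE")]:
        print(ip, cc, lookup_asn(ip), decide(ip, cc))
```

The longest-prefix rule matters because a more specific prefix can belong to a different ASN than the range around it, so matching only the covering range would attribute the address to the wrong network.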
-
John O'Grady commented
@Dmitry Tkachuk, excellent point. However, I think the best approach is to empower user/admin with feedback and control so they can do what's best for their specific business case. The security rules seem too relaxed right now because of too many broad assumptions.
-
Tomislav commented
Just to add here, from the Cloudlinux helpdesk this request is (IFR-223).
-
Tomislav commented
Thank you for your comment.
I agree, but have to admit that, for example, the Cloudflare service has got an option to block the whole ASN and it's working great.
Well, we can spend and subscribe for only a month (and cancel either for refund or after a month) on any VPN service like ExpressVPN, NordVPN, etc.
Use their servers and gather IP address.
By its IP, find out the ASN.
Add that ASN to the block list at Imunify360.
Having a good coverage to block VPNs by default that way.
Having approx. 250 ASNs from hosting providers blocked at Cloudflare works great.
It would be great if we could have it, that way we could block requests by ASN to protect our server ports or our server IP, and not only the web HTTP(S) traffic.
-
Dmitry Tkachuk commented
In most cases, ASNs are not threats by themselves. Attackers can use almost any ASN by using VPNs, proxies, hacked network devices, etc. In any case, malicious traffic would be only part of all traffic, and blocking all ASN can cause mass false positive issues. That might cause more problems than it can fix.