Creating rule to block full IP range

Comments

1 comment

  • Tom Cross

    Running on Win Server 2016 Essentials, I've had better success at blocking IPs in the Windows firewall. I use the IW Authentication log to view IPs trying to log into my IW server, then use an IP location finder to locate the selected IP. (You can also find IPs in the Anti-Spam logs.) Then I start backtracking the address range back to x.0.0.0 and if they're all located in China or Iran (lots of attempted hacks lately), then I block the whole /8 range or some smaller CIDR range. Then I configure the firewall log to record only DROP. It's very gratifying to see all those IPs get dropped.

    As my server is running 25 users and an old dual-core Intel with 8 GB RAM, I have to preserve every bit of performance I can. Biggest problem was the hammering of port 389 (used for reflective DDoS) and port 3389 (RDP). For the RDP block, I modified the existing rule to allow connection only from my WAN IP. They've since given up and now I'm blocking IPs that attempt to log in to IW via port 25, 110 or 587 (FW drop logs show attempt port login).

    I've also added Anti-virus extension filters and populated them with the Google and MS blocked extensions:

    (https://support.google.com/chrome/a/answer/6177431?hl=en)

    (https://support.office.com/en-us/article/blocked-attachments-in-outlook-434752e1-02d3-4e90-9124-8b81e49a8519)

    Best of luck....Tom
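
The firewall steps described in the comment above, as an added PowerShell example that is not part of the original post. It assumes an elevated session on Windows Server 2016 with the built-in NetSecurity cmdlets and an English-language "Remote Desktop" rule group; the CIDR ranges, the admin address and the rule name are constructed placeholders.

```powershell
# Added example. All addresses are RFC 5737 documentation ranges, not real offenders.
$BlockRanges = @('192.0.2.0/24', '198.51.100.0/24')   # ranges picked from the auth log review
$AdminIp     = '203.0.113.10'                          # the only source allowed to reach RDP
$RuleName    = 'Block abusive ranges (inbound)'        # hypothetical rule name
$LogFile     = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$MailPorts   = '25', '110', '587', '389', '3389'       # ports named in the comment

# 1. Keep every blocked CIDR range in one inbound rule; update it if it already exists.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $BlockRanges
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
        -RemoteAddress $BlockRanges -Profile Any | Out-Null
}

# 2. Scope the existing inbound Remote Desktop rules to a single source address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object Direction -eq 'Inbound' |
    Set-NetFirewallRule -RemoteAddress $AdminIp

# 3. Log dropped packets only, on all profiles, with a bounded log size.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogBlocked True -LogAllowed False `
    -LogFileName $LogFile -LogMaxSizeKilobytes 16384

# 4. Summarise the drop log: which sources were dropped on which watched port.
#    Log fields: date time action protocol src-ip dst-ip src-port dst-port ...
Get-Content $LogFile |
    Where-Object { $_ -and $_ -notmatch '^#' } |
    ForEach-Object {
        $f = $_ -split '\s+'
        if ($f[2] -eq 'DROP' -and $f[7] -in $MailPorts) {
            [pscustomobject]@{ SrcIp = $f[4]; DstPort = $f[7] }
        }
    } |
    Group-Object SrcIp, DstPort |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name
```

Block rules take precedence over allow rules in Windows Firewall, so confirm that none of the blocked ranges contains an address you administer the server from before applying step 1.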
