Block host/domain, flooding from clients.your-server.de
I'm getting a bunch of new accounts on my web site all coming from various IPs, but they all seem to be from the host: static.[backwards ip].clients.your-server.de:
```
IP: 5.161.116.121, Host: static.121.116.161.5.clients.your-server.de
IP: 5.161.134.81, Host: static.81.134.161.5.clients.your-server.de
IP: 5.161.115.177, Host: static.177.115.161.5.clients.your-server.de
IP: 5.161.101.189, Host: static.189.101.161.5.clients.your-server.de
IP: 5.161.111.82, Host: static.82.111.161.5.clients.your-server.de
IP: 162.55.8.158, Host: static.158.8.55.162.clients.your-server.de
IP: 157.90.216.113, Host: static.113.216.90.157.clients.your-server.de
```
It seems they own a bunch of different IP addresses, but they all are using the host ending with "your-server.de".
Is there a way for me to easily block all access to my server through CPanel for anyone with this host?
Hey there! That's just the reverse DNS address for the IP, and likely not something it would be helpful to block. You might be better served using a tool like CSF (ConfigServer Services) and setting up country code blocking to block Germany, assuming you don't have any clients coming from that area.
Thanks for your reply. I *do* have customers and clients all over the world, so I was hoping for a better solution. Perhaps there's a way to find all the IPs that your-server.de leases and block them for the time-being? It may be a temporary solution if they change IPs, but hoping for something that's effective in the short-term.
I'm not sure if there's going to be a great way to get an accurate list. Maybe the "host" command like this:
```
# host cpanel.net
cpanel.net has address 208.74.123.84
cpanel.net has address 208.74.121.151
```
or just blocking the ones that you already see in full in the logs.
```
~ % host your-server.de
your-server.de has address 85.10.215.232
```
Think you're probably right. I'm only seeing one show in the host command.
I passed on info, in another thread, on how to leverage CSF to block by ASN, amongst other lists. ^ The reverse ASN lookup for the IP that I tried doesn't appear to correlate.. trying a few more to see what ASN comes back. You may be more successful in getting a list for that hacker service provider. Looks like they may be a user/reseller of Hetzner, which doesn't surprise me in the slightest!
Wow, that's definitely going to be helpful. I guess, when I have a moment, I should try doing the reverse ASN lookups on all the IPs to see which correlate. This may take a while. Or, perhaps, I can block them all and if I get support tickets, go back through and whitelist the ones they mention. Either way, thank you for your time and guidance.
Note that further down that referenced thread (post #8), you may spot that I've blocked at least some of Hetzner, in the past. ;) Like a few other hosting providers, it's about time they cleaned up their act, especially as some explicitly disapprove of port scanning, if not blatant login spamming, in their ToS.
Oh, I definitely saw that and you can be sure I grabbed that list of IPs. Thanks for that!
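
Added example, not from any poster in this thread: a sketch of the "block the ones you already see in the logs" approach. It picks out sign-up log lines whose reverse DNS name ends in `.clients.your-server.de`, checks that the name really encodes the logged IP, and emits deny lines. Assumptions: the `IP: ..., Host: ...` log format from the first post, a deny list that takes `IP-or-CIDR # comment` lines, and the hypothetical names `build_deny_entries`, `prefix` and `min_hits`.

```python
import ipaddress
import re
from collections import defaultdict

SUFFIX = ".clients.your-server.de"  # rDNS suffix reported in the thread
LINE_RE = re.compile(r"IP:\s*(\S+),\s*Host:\s*(\S+)")

# Log lines quoted in the first post, plus two constructed lines (the last
# two) that exercise the mismatch and unrelated-host paths.
SAMPLE_LOG = """\
IP: 5.161.116.121, Host: static.121.116.161.5.clients.your-server.de
IP: 5.161.134.81, Host: static.81.134.161.5.clients.your-server.de
IP: 5.161.115.177, Host: static.177.115.161.5.clients.your-server.de
IP: 5.161.101.189, Host: static.189.101.161.5.clients.your-server.de
IP: 5.161.111.82, Host: static.82.111.161.5.clients.your-server.de
IP: 162.55.8.158, Host: static.158.8.55.162.clients.your-server.de
IP: 157.90.216.113, Host: static.113.216.90.157.clients.your-server.de
IP: 203.0.113.7, Host: static.9.9.9.9.clients.your-server.de
IP: 198.51.100.4, Host: host4.example.net
"""

def ptr_matches_ip(ip, host):
    """True if host is static.<reversed octets of ip><SUFFIX>."""
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return host.lower().rstrip(".") == f"static.{reversed_octets}{SUFFIX}"

def build_deny_entries(log_text, prefix=24, min_hits=3):
    """Return (deny_lines, mismatched_log_lines) for hosts under SUFFIX."""
    by_net, mismatched = defaultdict(set), []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or not m.group(2).lower().rstrip(".").endswith(SUFFIX):
            continue  # unparsable, or rDNS is not under this suffix
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            mismatched.append(line)
            continue
        if not ptr_matches_ip(ip, m.group(2)):
            mismatched.append(line)  # name does not encode the logged IP
            continue
        by_net[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
    deny = []
    for net in sorted(by_net):
        ips = sorted(by_net[net])
        # Widen to the whole network only when several distinct IPs hit it.
        targets = [net] if len(ips) >= min_hits else ips
        deny += [f"{t} # signup flood, rDNS *{SUFFIX} ({len(ips)} seen)" for t in targets]
    return deny, mismatched
```

With the default `/24` grouping every address in the sample lands in a different network, so the output is seven single-IP lines; that spread is why a per-IP list only works short-term and the thread moves on to provider-wide lists.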