Is it worth blocking hackers' IP addresses?

Depends, again.

If you block the IP, it's not hard to just change the IP.

If you block the range, you get a lot of collateral damage from people who can't get in but were innocent. Doesn't stop a lot of people from still blocking country ranges of IPs.

If you have a select number of clients that are getting access to the site in question...it's a semi-private database, for subscribers only, etc...you can just block access to all but accepted whitelists to that portion of the site only.

Otherwise you would need to keep updated, updated, updated, and periodically have your code audited by outside contractors for injection attacks and other hazards, and probably have something like Tripwire installed on the server to watch for suspicious changes and alterations on the server (and keep good offline backups. More than a few sites have had "live" backups that suddenly get hacked or erased once entry has been gained to the network).

In my experience blocking specific sites and hack attempts is messy and doesn't necessarily stop the problem. If it's a repeated hit over and over you could look at a solution that sees problematic slamming of your site and has it automatically blocked for a period of time (kind of like denyhosts for SSH), so they're kind of transient, "enough already" blocks that don't clutter your system forever. It's just too easy for scripted attacks to hit from the left one day then appear on the right the next, and you'll end up running in circles chasing your tail trying to stop these idiots.

Make sure your server is secured off your LAN, segmented to prevent a hack on that system from contaminating the rest of your network. Audit it. Watch the logs for suspicious activity. Block only really problematic IPs (like denial of service attacks) at the router. Otherwise...my vote is that it's a hassle to stop them unless you have some automated way to track it and a way to automatically remove it after a period of time.


If it appears not to be a bot, you could take advantage of this. You could set up another server with dummy data, redirect to that based on the source IP, and watch them hack it. Companies pay for penetration testing, as Bart said with "Code Audits". So if the hacker manages to get through, you can submit that to the developers, and you just got free work from the hacker :-)

Never done this myself, but if you have the time / resources, might be fun...


I wouldn't block the IPs manually. I might, however, set up a fail2ban script to programmatically block users' IPs for a short amount of time, based on the Apache logs (I'm assuming you're using Linux. Substitute your OS, and script of choice). It's not perfect security. It just makes life a tiny bit harder for the bad guys, at little cost to yourself.
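The automatic, time-limited blocking that the denyhosts and fail2ban answers above describe, as an added example written for this page (it is not code from any of the posters or from fail2ban itself): it parses Apache combined-format log lines, counts 4xx responses per client IP in a sliding window, bans an IP once it crosses a threshold, and lifts the ban after a fixed time so the block list does not grow forever. The log lines, IP addresses and the threshold/window/ban-time numbers are all constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log line: client IP, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 10/Oct/2023:13:55:01 +0000

class TempBanner:
    # Ban an IP after `maxretry` 4xx hits inside `findtime`; lift it after `bantime`.
    # The default numbers are assumptions for the demo, not tuning advice.
    def __init__(self, maxretry=5, findtime=timedelta(minutes=10), bantime=timedelta(hours=1)):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.hits = defaultdict(deque)  # ip -> timestamps of recent 4xx responses
        self.bans = {}                  # ip -> when the temporary ban expires

    def expire(self, now):
        """Drop bans whose time is up, so the block list never grows forever."""
        for ip in [ip for ip, until in self.bans.items() if until <= now]:
            del self.bans[ip]

    def observe(self, line):
        """Feed one log line; return the IP if this line triggers a new ban, else None."""
        m = LOG_RE.match(line)
        if not m:
            return None
        ip, ts = m["ip"], datetime.strptime(m["ts"], TS_FMT)
        self.expire(ts)
        if ip in self.bans or not m["status"].startswith("4"):
            return None
        q = self.hits[ip]
        q.append(ts)
        while ts - q[0] > self.findtime:  # slide the window: forget hits that are too old
            q.popleft()
        if len(q) >= self.maxretry:
            self.bans[ip] = ts + self.bantime
            q.clear()
            return ip
        return None
# Constructed sample log (RFC 5737 test addresses): one client probing, one browsing normally.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:01 +0000] "GET /nope1 HTTP/1.1" 404 209 "-" "curl/7.8"',
    '192.0.2.10 - - [10/Oct/2023:13:55:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:03 +0000] "GET /nope2 HTTP/1.1" 404 209 "-" "curl/7.8"',
    '198.51.100.7 - - [10/Oct/2023:13:55:04 +0000] "GET /private HTTP/1.1" 403 199 "-" "curl/7.8"',
    '198.51.100.7 - - [10/Oct/2023:14:56:00 +0000] "GET /nope3 HTTP/1.1" 404 209 "-" "curl/7.8"',
]
def run_sample(maxretry=3):
    """Replay the sample; returns (ban event per line, IPs still banned at the end)."""
    banner = TempBanner(maxretry=maxretry)
    events = [banner.observe(line) for line in SAMPLE_LOG]
    return events, sorted(banner.bans)
```

The last sample line arrives after the one-hour ban has lapsed, so it is counted afresh rather than silently dropped, which is exactly the "transient block" behaviour the answers ask for.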
