truthCoder:


You are very right.

If the blacklist should grow to a huge size, then i don get serious timeout problem be that.

I created a blacklist so that i can harvest any potential rouge IP for later analysis and inspection. The blacklist would serve as a log of all rouge IPs, if any that exists.

This would allow me know if any attempt is being made against the server and by which IP.

However, i am not expecting the blacklist to grow. A length of 0 is hoped for. If i have 200,000 blacklisted IPs, then blacklist size is no longer my main problem.

Instant checks of the blacklist (i get an email any time an entry is made into the blacklist) would hopefully assist to catch this at the budding state.

maybe you equally consider IP blocks / ranges so you don't just block a single IP but their range

bassdow:

maybe you equally consider IP blocks / ranges so you don't just block a single IP but their range

That's is not a good thing to do as I have had hackers using ip addresses from big ISP's to try and hack my application, so if you block by range you'l be blocking genuine visitors. Best he can do is report the ip address to their ISP from this address: https://www.whatismyip.com/ip-whois-lookup from this link you can find the hacker's ISP contact information and you can report the IP address of the hacker to their ISP.

CodingSoft:


That's is not a good thing to do as I have had hackers using ip addresses from big ISP's to try and hack my application, so if you block by range you'l be blocking genuine visitors. Best he can do is report the ip address to their ISP from this address: https://www.whatismyip.com/ip-whois-lookup from this link you can find the hacker's ISP contact information and you can report the IP address of the hacker to their ISP.

of course he shouldn't just blindly do that.
Blocking by IP is never reliable enough, which is why I don't blackList, just temporary block, and when I see 90% are from a range, I (temporary) block that range, Moreover, If you got to that stage, then you really have the resources because there would have been other limits you got past. Reason I don't blackList is anyone could acquire said IP later on. Not to talk blacklists gets heavy sooner or later.

About contacting ISP , some condone such or have high tolerance (especially if you're your own Monkey ISP). Also there are those who use rolling IPs, proxies, open relays, compromised hosts, etc. Moreover how many IPs you wan report sef, and who got such time.

But then, rarely do we need to block IPs because you get stopped before you make it far enough.

bassdow:


of course he shouldn't just blindly do that.
Blocking by IP is never reliable enough, which is why I don't blackList, just temporary block, and when I see 90% are from a range, I (temporary) block that range, Moreover, If you got to that stage, then you really have the resources because there would have been other limits you got past. Reason I don't blackList is anyone could acquire said IP later on. Not to talk blacklists gets heavy sooner or later.

About contacting ISP , some condone such or have high tolerance (especially if you're your own Monkey ISP). Also there are those who use rolling IPs, proxies, open relays, compromised hosts, etc. Moreover how many IPs you wan report sef, and who got such time.

But then, rarely do we need to block IPs because you get stopped before you make it far enough.

If it's a one off hacking attempt then reporting to the ISP is fine, but if there are many hacking attempts from different IP addresses then reporting to their ISP will be too much trouble. That's true as compromised hosts will not be the hacker's IP address.

What I ended up doing was to only allow IP addresses from the countries I want my users and visitors from, which included checking for IP addresses from a proxy server and if the IP address is not from the countries I want I just redirect it to a fake url that does not work, this completely stopped the hackers from trying to hack my web application. But if the OP wants his server open to the whole world then he will need to improve his server security as well as using services like Cloudflare.