
Mass Exodus of Sites to Bulgaria or Incorrect Country Blocking?

https://www.tahoebiltmore.com/

https://www.bercoredwood.com/

http://www.wiresharktraining.com/

 

Anyone else experiencing this? What service does Sophos use to map IP addr to country?



  • All 3 sites are using the content delivery system siteground.com (traceroute the name).

    Possibly this provider/hoster now uses Bulgaria too.

     

    "Geolocation can locate only IP addresses that have location information in the MaxMind databases. For more information on these databases, visit www.maxmind.com. "

    community.sophos.com/.../132541


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • I cannot say this is the case for you, but I had sites getting blocked by country blocking because they had a quick redirect in them.  The site was US, but got redirected to an analytics site in South America for a second, so the country blocking kicked in and stopped it.  I have actually changed some of my stance on country blocking in the last six months as well.  I have "From" blocked everywhere, but for "To" I allow many countries because of this, or because Microsoft or AWS data centers are all around the world.  I still block many 3rd world ones and China and Russia, etc. etc. etc.  Nothing personal, I just turned them on and watched the logs on and off for a day or two and did not see any, so why not.

    Respectfully, 

     

    Badrobot

     

  • In general, I don't recommend blocking "To" or "All."  "From" is the place to start.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    In general, I don't recommend blocking "To" or "All."  "From" is the place to start.

     

    As a 20+ year security guy, I one billion percent disagree with this statement. It violates the best-practice principle of least privilege and is a great way to permit remote command and control after a successful phishing attack. Practically speaking, unless you are doing business with another country, there is seldom a reason to permit inbound or outbound traffic from/to that country. I myself was surprised that the majority of usual web use never leaves the US.

     

    'All' is the place to start, change to 'From' if necessary.

  • I do agree with the principle of least privilege and myself did start with blocking ALL for To and From, making exceptions along the way if I deemed it business necessary.

    However, as I said above, my stance has changed somewhat; before 6 months ago I just believed there was no reason for us to even have traffic outside the US unless we specifically had a customer need.  But things, they are a-changing.

     

    My issue is Microsoft or AWS or other hosted analytics sites, etc. etc. keep using servers outside the US, causing applications not to update.  I have tried to keep up on IP CIDRs for some, like Microsoft, but I feel like it is never ending; sure, things like Windows Updates work, but Office 365 seems to have issues.  What really gets me is a business partner or customer who has their website hosted in the US, but the hosting company is using an analytics company located physically in the US that has its servers around the world; then the redirects fail to load the full page, or even the page.

    A good example of this was last week.  I was out for the day and someone had their Office 365 just break.  There are a couple of people on site that have enough privileges to run an Office 365 repair; this got hung up, ran for around 3 hours and nothing.  Finally they gave up, restarted and uninstalled all of it.  They went to download Office 365 again and it just hangs there.  Eventually I just drove in and looked; here the installer was being country blocked by the firewall.  There was no choice on where to get the installer from; we are a US-based company but Microsoft shot us across the globe.  I should also note that I have made exceptions for this occurrence on 3 occasions now as well, and the IP range keeps changing.

    Anyhoo, got a few years' security experience myself, figured I would throw in my two cents lol.

    Respectfully, 

     

    Badrobot

     

  • Good discussion, guys!  You should definitely get to the tightest possible security, but the question is where you start...

    In a tiny company, you probably can start with "All."  In a larger company where they already have a spreadsheet that describes which countries should not be blocked "From," you can use that to configure Country blocking.

    In a company of any size, if you start with "All" everywhere outside of your country, you will have so many emergencies that the customer will turn off the UTM and go back to their old solution.  This will probably be in the trial period, so you'll probably have to take the UTM back to your office and have accounting issue a refund.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
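Added example (not from this thread, and not Sophos code) tying together two points raised above: Badrobot's case of a US site whose quick redirect to an analytics host in another country trips the block, and the "From" / "To" / "All" question Bob and the others debate. All hostnames, IP addresses and country mappings below are constructed placeholders (the addresses are the RFC 5737 documentation ranges); a real firewall resolves the name with DNS and looks each address up in a GeoIP database such as MaxMind's, which is the one the UTM documentation quoted earlier names. The `CountryPolicy` class and `first_blocked_hop` function are my own simplified model of the feature, not the UTM's implementation.

```python
"""Simulate country-blocking decisions, including the redirect-chain case.

Everything here is constructed example data, not real geolocation results.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for a GeoIP lookup table: (network, ISO country code).
GEOIP_TABLE: List[Tuple[IPv4Network, str]] = [
    (ip_network("192.0.2.0/24"), "US"),     # TEST-NET-1, mapped to the US for this example
    (ip_network("198.51.100.0/24"), "BG"),  # TEST-NET-2, mapped to Bulgaria for this example
    (ip_network("203.0.113.0/24"), "BR"),   # TEST-NET-3, mapped to Brazil for this example
]


def lookup_country(ip: str) -> Optional[str]:
    """Return the constructed country code for an address, or None when the
    address is not in the table (the same gap a MaxMind lookup has for
    addresses without location data)."""
    addr = ip_address(ip)
    for network, country in GEOIP_TABLE:
        if addr in network:
            return country
    return None


@dataclass
class CountryPolicy:
    """Country blocking as discussed in the thread: each blocked country is
    set to 'from' (block traffic coming from it), 'to' (block traffic going
    to it) or 'all' (both). `exceptions` are hostnames allowed regardless."""
    blocked: Dict[str, str]
    exceptions: Set[str] = field(default_factory=set)

    def decision(self, ip: str, direction: str, host: str = "") -> str:
        """Return 'block' or 'allow' for one connection. `direction` is the
        side the remote address is on: 'from' for inbound, 'to' for outbound."""
        if direction not in ("from", "to"):
            raise ValueError("direction must be 'from' or 'to'")
        country = lookup_country(ip)
        if country is None:
            return "allow"          # unmapped addresses cannot be country-blocked
        if host and host in self.exceptions:
            return "allow"          # explicit per-host exception
        mode = self.blocked.get(country)
        if mode == "all" or mode == direction:
            return "block"
        return "allow"


# Constructed redirect chain: a US-hosted page that bounces through an
# analytics host geolocated in Brazil before landing back on the US host.
SAMPLE_CHAIN: List[Tuple[str, str]] = [
    ("www.example-shop.test", "192.0.2.10"),
    ("collect.example-analytics.test", "203.0.113.5"),
    ("www.example-shop.test", "192.0.2.10"),
]


def first_blocked_hop(policy: CountryPolicy,
                      chain: List[Tuple[str, str]]) -> Optional[Tuple[int, str, str, str]]:
    """Walk an outbound redirect chain hop by hop and return
    (index, host, ip, country) of the first hop the policy blocks, or None.
    This reproduces the case where the landing page is fine but an
    intermediate redirect trips the block."""
    for index, (host, ip) in enumerate(chain):
        if policy.decision(ip, "to", host) == "block":
            return (index, host, ip, lookup_country(ip))
    return None


if __name__ == "__main__":
    strict = CountryPolicy(blocked={"BG": "all", "BR": "to"})
    inbound_only = CountryPolicy(blocked={"BG": "from", "BR": "from"})
    with_exception = CountryPolicy(blocked={"BG": "all", "BR": "to"},
                                   exceptions={"collect.example-analytics.test"})
    for name, policy in [("To/All", strict), ("From only", inbound_only),
                         ("To/All + exception", with_exception)]:
        print(name, "->", first_blocked_hop(policy, SAMPLE_CHAIN))
```

Running it shows the three outcomes the thread describes: with "To"/"All" set on Brazil the second hop is blocked even though both ends of the chain are in the US, with "From" only the outbound chain passes, and a per-host exception for the analytics host also lets it through. Extending `GEOIP_TABLE` with the real answers from a GeoIP lookup of the three sites in the opening post would show whether the block in that case comes from the site's own address or from a hop it redirects through.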