
How do you all blacklist IPs? I have 50K+

Currently have blacklisted 50,000+ IP addresses in my Sophos XG210. I am running 16.05.XX. I started this in March and was blacklisting approx. 15K a month until August when I got busy. I am about to add 30+ more IP addresses and I want to get the opinion of other Sophos users first.

The IP addresses I am blacklisting are IP addresses that are trying to hit the login page of my WordPress site. I pull the IP address from the Sophos reports that try and request "/wp-login.php".

I have 50+ IP Lists in the Sophos with exactly 1,000 IP addresses in them. So far I have not seen a performance degradation. In order to blacklist these, I have a "DNAT/Full NAT/Load Balancing" rule that is set to Source Zone=WAN, Allowed Network Clients=All of the IP address list objects, forwarded to a fake IP range I made up and a Fake zone. The rule is at the top. So they are just dropped before they go anywhere else.

 

I just created a ticket with Sophos, asking them what is the limit on IP addresses in a single list and what is the limit to number of objects the Sophos can handle, however I don't see them answer quickly nor do I see them answering with due diligence and actually giving me the answers I want.

 

Any thoughts?
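
The workflow described in the post above (pull the source IPs of "/wp-login.php" requests from reports, then split them into lists of 1,000), as an added example that is not part of the original post or of Sophos tooling. The access-log format, the sample lines, the allowlist parameter and the merging of adjacent addresses into CIDR blocks are assumptions that go beyond what the post describes; whether a given firewall object accepts CIDR entries needs checking.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in combined access-log format (an assumption: the
# Sophos report export format is not shown in the thread). Documentation IPs only.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Sep/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1523
203.0.113.11 - - [01/Sep/2017:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1523
203.0.113.10 - - [01/Sep/2017:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1523
198.51.100.7 - - [01/Sep/2017:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 8841
198.51.100.200 - - [01/Sep/2017:10:02:00 +0000] "GET /wp-login.php?action=register HTTP/1.1" 302 0
192.0.2.50 - - [01/Sep/2017:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1523
not-an-ip - - [01/Sep/2017:10:04:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1523
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (\S+) ')

def login_hits(log_text, target="/wp-login.php"):
    """Count requests per source IP whose path (query string ignored) is target."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2).split("?", 1)[0] != target:
            continue
        try:
            hits[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:
            continue  # source field is not a valid IP address; skip the line
    return hits

def build_lists(hits, allow=(), list_size=1000):
    """Drop allowlisted sources, merge adjacent addresses into CIDRs, then chunk."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    keep = [ip for ip in hits if not any(ip in net for net in allowed)]
    merged = []
    for version in (4, 6):  # collapse_addresses rejects mixed IPv4/IPv6 input
        nets = [ipaddress.ip_network(str(ip)) for ip in keep if ip.version == version]
        merged += ipaddress.collapse_addresses(nets)
    entries = [str(n) for n in merged]
    return [entries[i:i + list_size] for i in range(0, len(entries), list_size)]

if __name__ == "__main__":
    for n, chunk in enumerate(build_lists(login_hits(SAMPLE_LOG)), 1):
        print(f"list {n}: {','.join(chunk)}")
```

Passing known-good networks in `allow` keeps an office or monitoring address out of the block lists even if it shows up in the report.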

 



This thread was automatically locked due to age.
  • Hi,

    we need more details.

    Is your WordPress site advertised on the www? If so, where do you expect your clients to originate from?

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Without giving too many details:

    -It is advertised, but not heavily, but our customers mainly know about it.

    -I expect my clients to originate from USA 99.9% of the time, arguably 100%.

    However customers/clients may need to sign in from foreign countries so I can't exactly geo-block.

    Also there are a lot of USA IPs trying to hit my WP login page so geo-blocking wouldn't get rid of all malicious activity

    -Anyone trying to get to the WP login is not acting in good nature so I don't mind blocking them entirely from our network