rejetto forum
Software => HFS ~ HTTP File Server => Topic started by: ALEX on October 03, 2023, 03:17:08 AM
-
Can I block an entire country so that this country does not have access to HFS?
Or allow one country and ban the rest?
-
there's no such feature in HFS 2, but i don't exclude that one could script it.
for HFS 3, i don't plan to add it, but one day we may have a plugin for it.
-
It’s just that every day they send me a DDoS attack. I set it to block agents, but all the same the requests cause the server to freeze,
because they do it from abroad,
so I wanted to know how to block by country.
-
I use HFS 3
-
i took note, but i won't make it soon.
if you know programming you can make it yourself
-
No, I can't.
-
As Rejetto said, this is not implemented internally in HFS (for those who are expert at coding, something basic could be done using HFS's macros, but it could make HFS slow, since we would need to filter a lot of IP ranges to block an entire country).
In your particular case, you have to use external software. The most effective and easy-to-use solution is PeerBlock (https://www.peerblock.com/). Once you have installed PeerBlock, you have to use one of the lists listed here (https://www.iblocklist.com/lists?category=country) (selecting the country you want to block). But keep in mind that PeerBlock (https://en.wikipedia.org/wiki/PeerBlock) blocks connections system-wide (you can't select only one program to block). So, it will block ALL the connections you configure, for ALL the programs running on your Windows system (not only HFS). If you need to connect to some of the IPs you have blocked, you would need to temporarily disable PeerBlock, or use another solution. As far as I know, this is the easiest solution.
» IMPORTANT: if you are targeted with DDoS attacks by someone expert, you could end up blocking almost the whole world (it could be like a witch-hunt (https://en.wikipedia.org/wiki/Witch-hunt#Figurative_use_of_the_term)), since the attacker could try to access your server from ANY other country using a VPN (or a proxy). Most of the time blocking an entire country works, but sometimes it doesn't (and you will end up blocking legitimate -good- users), so this is only an extreme measure. It's best NOT to block an entire country, but to start by blocking ONLY the IP ranges of your attacker.
I hope it helps (please report back if that helped). :)
Cheers,
Leo.-
-
Thanks Leo
PeerBlock is only supported up to Windows 7
I have Windows Server 2019
I have another question: can I block an IP range in HFS?
And yes, if I block ranges, will requests still reach HFS?
-
PeerBlock is only supported up to Windows 7
I have Windows Server 2019
Have you tried PeerBlock on Windows Server 2019? (I've read reports that it works fine on Windows 10, so it should work). There is no better solution than PeerBlock for Windows.
I have another question: can I block an IP range in HFS?
And yes, if I block ranges, will requests still reach HFS?
Yes, as far as I know, requests will still reach HFS (it doesn't prevent people from trying, and it could affect performance, the same as filtering by 'UserAgent', but you have to try it and see what happens). My previous comment could lead to confusion, so to make it clear: HFS v3 doesn't have an 'IP filtering' feature (like Rejetto said), and HFS v2 doesn't have an option to block IP addresses by country, but it has 'IP Banning' and you can configure some 'IP ranges' to block (of course, expert users can also use a macro script to filter by IP range, but it's not needed, since it works the same as using HFS's GUI).
You can configure this by going to HFS's Menu > Limits > Bans... (it will open a window where you have to enter the IP ranges). Remember to check 'Disconnect with no reply'. Before doing this, please take a look HERE (https://www.rejetto.com/wiki/index.php/HFS:_IP_masks#IP_ranges) to learn how to configure an IP range to be excluded (remember to put a backslash \ before the IP range). Please report back if that affects performance (compared to filtering by 'UserAgent').
-
Thanks Leo
I configured both options, monitored them for several days, and the attacks became much smaller, but unfortunately PeerBlock greatly affects performance.
-
I guess you are running HFS on a VPS, where resources are shared and limited (I do understand). Have you tried using HFS's banning option ONLY, without PeerBlock (instead of running both)? Perhaps you don't need PeerBlock if you add (in HFS) the IP ranges that attack your website.
You can configure this by going to HFS's Menu > Limits > Bans... (it will open a window where you have to enter the IP ranges). Remember to check 'Disconnect with no reply'. Before doing this, please take a look HERE (https://www.rejetto.com/wiki/index.php/HFS:_IP_masks#IP_ranges) to learn how to configure an IP range to be excluded (remember to put a backslash \ before the IP range).
Try using this ONLY (without PeerBlock).
-
Yes, I use it on a VPS. I'm afraid this option does not help, because the IP address is updated every time.
But I'll try.
Thanks Leo
-
And I wanted to find out if I am blocking the IP address ranges correctly, for example 192.168.1.10-192.168.1.50?
-
And I wanted to find out if I am blocking the IP address ranges correctly, for example 192.168.1.10-192.168.1.50?
Yes, you are doing it right. Use a semicolon ; to specify several IP ranges. To avoid any confusion (from my previous comments): if you put a backslash \ before an IP range, that IP range will be excluded from the 'IP Banning'. This is explained in the Wiki (https://www.rejetto.com/wiki/index.php/HFS:_IP_masks#IP_ranges).
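To make the ban syntax discussed above concrete, here is an added example (my own code, not HFS's and not Leo's or Rejetto's) that evaluates a mask the way the posts describe it: entries separated by a semicolon, each a single IPv4 address or an inclusive range written as first-last, and a leading backslash marking an entry that is excluded from the ban. It covers only that subset; wildcards, CIDR notation and IPv6, which HFS's IP masks also accept, are left out on purpose. The sample mask and addresses are constructed for the demonstration.

```javascript
// Added example (not HFS code): evaluates an HFS-style ban mask using only the
// subset of the syntax discussed in this thread: entries separated by ';', each a
// single IPv4 address or an inclusive range 'first-last', with a leading '\'
// marking an exclusion. Wildcards, CIDR and IPv6 are deliberately out of scope.

// Converts dotted-quad IPv4 text to an integer so ranges can be compared numerically.
function ipv4ToInt(ip) {
  const parts = ip.trim().split('.');
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`not an IPv4 address: ${ip}`);
    n = n * 256 + Number(p);
  }
  return n;
}

// One mask entry -> { excluded, lo, hi }; a single address is a range of one.
function parseEntry(entry) {
  let text = entry.trim();
  const excluded = text.startsWith('\\');
  if (excluded) text = text.slice(1).trim();
  const [first, last = first, ...rest] = text.split('-');
  if (rest.length) throw new Error(`malformed entry: ${entry}`);
  const lo = ipv4ToInt(first);
  const hi = ipv4ToInt(last);
  if (lo > hi) throw new Error(`inverted range: ${entry}`);
  return { excluded, lo, hi };
}

// Compiles a whole mask into a predicate. An address is banned when it falls in
// at least one banned entry and in no excluded entry (exclusions win).
function compileMask(mask) {
  const entries = mask.split(';').map(s => s.trim()).filter(Boolean).map(parseEntry);
  const banned = entries.filter(e => !e.excluded);
  const excluded = entries.filter(e => e.excluded);
  const inAny = (list, n) => list.some(e => n >= e.lo && n <= e.hi);
  return function isBanned(ip) {
    const n = ipv4ToInt(ip);
    return !inAny(excluded, n) && inAny(banned, n);
  };
}

// Constructed sample mask: ban a range plus one extra host, but carve one address
// out of the range. In a JS string literal the backslash has to be doubled.
const SAMPLE_MASK = '192.168.1.10-192.168.1.50;\\192.168.1.20;10.0.0.5';
const sampleIsBanned = compileMask(SAMPLE_MASK);

for (const ip of ['192.168.1.9', '192.168.1.10', '192.168.1.20', '192.168.1.50', '10.0.0.5']) {
  console.log(ip, sampleIsBanned(ip) ? 'banned (dropped with no reply)' : 'allowed');
}
```

A mask with an inverted range or a malformed address is rejected when it is compiled, before any request is evaluated, which is the behaviour you want from a ban list that is edited by hand.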
-
Thank you Leo.
I'll keep monitoring....
-
Still, attacks will slow down the performance of the system....
I would like to ask if you know a program or a method that blocks external IP addresses?
-
Still, attacks will slow down the performance of the system....
I would like to ask if you know a program or a method that blocks external IP addresses?
There is nothing I know of, besides PeerBlock, to block incoming connections at country level (at least, nothing as 'easy to use' as that program). Another option is installing a firewall, like TinyWall (https://tinywall.pados.hu/) (a free and lightweight firewall for Windows), but you can NOT install it when you are using a VPS, since you will end up blocking your own access to your VPS (I repeat: do not install it over a remote connection, as they state in their FAQ (https://tinywall.pados.hu/faq.php)), so forget that option. Most of the time, a firewall cannot stop a DDoS attack but only mitigate its effects, since usually a DDoS attack will flood your network connection or exhaust hardware resources (as you can read here (https://www.quora.com/Can-a-firewall-stop-a-DDoS-attack) (archived: https://web.archive.org/web/20231029075618/https://www.quora.com/Can-a-firewall-stop-a-DDoS-attack)). But keep in mind that ANY software you install on your VPS, no matter how lightweight it is, will have some kind of impact on the performance of the system.
If you were not using a VPS (if this were your local computer), I would recommend filtering those connections with a firewall at router level. Since most home routers don't offer that feature, in that case you would need to buy a router compatible with OpenWRT (https://openwrt.org/toh/recommended_routers) (https://en.wikipedia.org/wiki/OpenWrt). Then you would need to configure OpenWRT's firewall (https://openwrt.org/docs/guide-user/firewall/overview). But since you use a VPS, your last resort would be raising your problem with your VPS's support team (perhaps they could block those IPs for you).
I don't know how they do that 'DDoS attack' on your HFS website, whether by accessing your IP directly or your hostname, but if it's by your hostname, then you could configure Cloudflare (https://resources.infosecinstitute.com/topics/application-security/top-10-solutions-protect-ddos-attacks-increase-security/) as a 'protection layer' between your server and the end user (and you should block direct access to your IP).
Another, simpler option: change your VPS to a "DDoS Protected VPS" (so you don't have to worry about this), like: BuyVM (https://buyvm.net/ddos-protection/), Cloudzy (https://cloudzy.com/ddos-protected-vps/), Alexhost (https://alexhost.com/vps/ddos-protected-vps/), BlueVPS (https://bluevps.com/vps-ddos), JavaPipe (https://javapipe.com/ddos-protected-vps/), UltaHost (https://ultahost.com/ddos-protected-vps), DDoS-Guard (https://ddos-guard.net/en/store/vds), etc. (I found them with a simple Google search (https://www.google.com/search?q=%22DDoS%22+protection+for+Windows+%22VPS%22&hl=en-US)).
I've run out of ideas... :-[
I truly don't know any other way to help you, sorry... :(
-
And I wanted to find out if I am blocking the IP address ranges correctly, for example 192.168.1.10-192.168.1.50?
yes, this syntax for ranges is supported since version 0.48
i'm going to update the documentation about this
-
Still, attacks will slow down the performance of the system....
it is possible that most of these attacks get to you by scanning IPs, and don't know your domain.
You can block all requests that come without knowing your domain.
The easiest way is by using the vhosting plugin. Enter your domain with root "/", and enable "Block requests that are not using any of the domains above".
Let me know how it goes
-
I use HFS 3
Sorry, my bad, now I realize that you use HFS v3 (I thought you were using HFS v2). All my comments apply only to HFS v2.x, not HFS v3. Ignore my comments then, and follow what Rejetto says. :)
-
The only way I know to do geo-IP blocking is to run a separate firewall instance.
TinyWall, to lock down your Windows for only 1 application if need be.
PeerBlock with a geo-IP list.
Otherwise, run Docker containers like Pi-hole.
My current home network now consists of Firewalla. Firewalla uses Firebase and other software to accomplish geo-IP blocking.
What I'm getting at is that networking outside HFS as a web server will require hardware and other software, not something built into HFS.
HFS has an IP range and single IP block feature. Manually add these.
The current free-ish system atm is RdpGuard...
https://rdpguard.com/geoip-blocking.aspx#:~:text=The%20Geo%2DIP%20Blocking%20feature,update%20the%20blocking%20rules%20accordingly.
Networking and cyber security of your systems is on you.
-
guys, initially i had planned to work on this after the official release of HFS 3, but i opted to have something special to celebrate the next release, 0.50, nearing the 2-year anniversary (December 8).
hopefully... work in progress
(https://github.com/rejetto/hfs/assets/1367199/5cdb51b9-cdfd-4945-a157-57e075a35c10)
-
we are waiting for this release
-
consider helping with testing. You can enable Admin > Options > Update to beta
https://github.com/rejetto/hfs/releases/tag/v0.50.0-alpha2
-
This release will be very powerful.
How can I add a script in this version?
using plugins...
-
yes, plugins, but if you don't intend to distribute your scripts/changes, you can just use "custom html" and "server code".
It depends on what you want to do....
-
I would like to configure the program so that one specific agent can download
-
this is the server code:
exports.middleware = ctx => ctx.get('user-agent') === 'YOUR_AGENT' || ctx.socket.destroy()
this code checks for the exact text. Otherwise you can use, for example, ctx.get('user-agent').startsWith('YOUR_AGENT')
be careful, because this code can stop you from using your browser, and to recover you will have to edit the file "config.yaml" with an editor
https://github.com/rejetto/hfs/wiki/Middlewares
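Two ideas from this thread fit naturally into one piece of server code: answering only requests that name one of your domains (the effect of the vhosting plugin's "block requests that are not using any of the domains above", described a few posts back) and letting only a known user-agent through, as in the one-liner above. The block below is an added example, my own code rather than HFS's or Rejetto's. It assumes ctx is the Koa context HFS 3 passes to middlewares (so ctx.ip, ctx.hostname and ctx.get(headerName) exist), the domain and agent prefix are placeholders to replace with your own, and it never drops loopback connections, so the lock-out the post warns about cannot happen from the server itself. The requests it runs over are constructed stand-ins.

```javascript
// Added example (not HFS's own code): a request gate for HFS 3 "server code"
// that combines two ideas from this thread: answer only requests that name one
// of your domains (the effect of the vhosting plugin's "block requests that are
// not using any of the domains above"), and let only a known user-agent through.
// Assumption: ctx is the Koa context HFS 3 passes to middlewares, so ctx.ip,
// ctx.hostname and ctx.get(headerName) exist. Domain and agent are placeholders.

const LOOPBACK = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

function makeGate({ allowedHosts, agentPrefix }) {
  const hosts = new Set(allowedHosts.map(h => h.toLowerCase()));
  // Returns true when the request may proceed, false when it should be dropped.
  return function allowRequest(ctx) {
    // Never lock yourself out: connections from the server itself always pass,
    // so the admin panel stays reachable even if the rules below are wrong.
    if (LOOPBACK.has(ctx.ip)) return true;
    // A request that arrived by bare IP, or with an unknown Host header, did
    // not come through your domain; scanners usually look like this.
    const host = (ctx.hostname || '').toLowerCase();
    if (!hosts.has(host)) return false;
    // Prefix match rather than exact equality, as suggested above, so version
    // bumps in the agent string do not break the download.
    const agent = ctx.get('user-agent') || '';
    return agent.startsWith(agentPrefix);
  };
}

// Same shape as the one-liner above: a denied request gets its socket destroyed,
// so the client receives no reply at all.
function makeMiddleware(options) {
  const allow = makeGate(options);
  return ctx => allow(ctx) || ctx.socket.destroy();
}

// Constructed stand-in for a Koa context, used for the demo run below.
function fakeCtx({ ip, host, agent }) {
  const headers = { 'user-agent': agent };
  return {
    ip,
    hostname: host,
    get: name => headers[name.toLowerCase()],
    socket: { destroyed: false, destroy() { this.destroyed = true; } },
  };
}

// Placeholder values: replace with your real domain and the agent you allow.
const GATE_OPTIONS = { allowedHosts: ['files.example.test'], agentPrefix: 'MyDownloader/' };

// Runs the middleware over a few constructed requests; reports which were dropped.
function demo() {
  const middleware = makeMiddleware(GATE_OPTIONS);
  const requests = {
    byDomainKnownAgent: fakeCtx({ ip: '203.0.113.7', host: 'files.example.test', agent: 'MyDownloader/1.2' }),
    byBareIp:           fakeCtx({ ip: '203.0.113.8', host: '198.51.100.5', agent: 'MyDownloader/1.2' }),
    byDomainBrowser:    fakeCtx({ ip: '203.0.113.9', host: 'files.example.test', agent: 'Mozilla/5.0' }),
    fromLocalhost:      fakeCtx({ ip: '127.0.0.1', host: '127.0.0.1', agent: 'Mozilla/5.0' }),
  };
  const dropped = {};
  for (const [name, ctx] of Object.entries(requests)) {
    middleware(ctx);
    dropped[name] = ctx.socket.destroyed;
  }
  return dropped;
}

// What HFS 3 loads from server code; guarded so the file also runs stand-alone as a script.
if (typeof exports !== 'undefined') exports.middleware = makeMiddleware(GATE_OPTIONS);

console.log(demo());
```

Test the gate with fakeCtx before pasting it into the server code: the loopback rule keeps the admin panel reachable from the box itself, but a browser on your workstation will still be refused unless its user-agent starts with the prefix, exactly as the warning above describes.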