
This is a discussion on What IP block lists is Jag using if any? in the VPS & Dedicated forum

  1. #1
    Nearly 100% Pure Carbon thecoalman's Avatar
    Join Date
    Nov 2007
    Location
    Northeast Pennsylvania
    Posts
    529

    What IP block lists is Jag using if any?

    The reason I ask this is because I want to make sure I'm not allocating resources needlessly if Jag is already doing this. For example, using APF you have an option to load this list:

    The Spamhaus Project - DROP

    DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting of stolen 'hijacked' netblocks and netblocks controlled entirely by professional spammers. DROP is a tiny subset of the SBL designed for use by firewalls and routing equipment.

    The DROP list will not include any IP address space under the control of any legitimate network - even if being used by "the spammers from hell". DROP will only include netblocks allocated directly by an established Regional Internet Registry (RIR) or National Internet Registry (NIR) such as ARIN, RIPE, AFRINIC, APNIC, LACNIC or KRNIC or direct RIR allocations illicitly taken from the original allocatee, that is, the troubling run of "hijacked" IP address blocks that have been snatched away from their original owners (which in most cases are long dead corporations) and are now controlled by spammers or netblock thieves who resell the space to spammers.

    When implemented at a network or ISP's 'core routers', DROP will help protect the network's users from spamming, scanning, harvesting, DNS-hijacking and DDoS attacks originating on rogue netblocks.
    Last edited by thecoalman; 02-19-2012 at 02:33 PM.

  2. #2
    JPC Dream Team JPC-Katrina's Avatar
    Join Date
    Dec 2011
    Posts
    109
    The lists would be whatever is used by the CSF firewall. I believe it blocks traffic on the DShield Block List and the Spamhaus DROP List. Be sure to keep CSF updated.
    Katrina | Tech Support Manager
    JaguarPC.com
    Helpful Link: http://www.jaguarpc.com/support/kbase/

  3. #3
    Loyal Client the_ancient's Avatar
    Join Date
    Feb 2004
    Posts
    3,386
    Quote Originally Posted by JPC-Katrina View Post
    The lists would be whatever is used by the CSF firewall. I believe it blocks traffic on the DShield Block List and the Spamhaus DROP List. Be sure to keep CSF updated.
    I think he is asking about network level, not server level blocks.

    CSF is the firewall JPC uses on the cPanel shared servers, correct? Sounds like thecoalman is using APF instead of CSF.

    I could be wrong though, and you're talking about something else.
    -------------------------
    the_ancient
    MP Technology Group

  4. #4
    JPC Dream Team JPC-Katrina's Avatar
    Join Date
    Dec 2011
    Posts
    109
    CSF is server level and we recommend using csf + lfd rather than apf. Nothing at network level.
    Katrina | Tech Support Manager
    JaguarPC.com
    Helpful Link: http://www.jaguarpc.com/support/kbase/

  5. #5
    Loyal Client the_ancient's Avatar
    Join Date
    Feb 2004
    Posts
    3,386
    Quote Originally Posted by JPC-Katrina View Post
    CSF is server level and we recommend using csf + lfd rather than apf. Nothing at network level.
    The problem is that not all control panel software supports CSF. Interworx uses APF and APF only; only cPanel, DirectAdmin and Webmin support CSF.
    -------------------------
    the_ancient
    MP Technology Group

  6. #6
    JPC Dream Team JPC-Katrina's Avatar
    Join Date
    Dec 2011
    Posts
    109
    APF also appears to use Dshield and Spamhaus. CSF is still recommended if it is available to use.
    Katrina | Tech Support Manager
    JaguarPC.com
    Helpful Link: http://www.jaguarpc.com/support/kbase/

  7. #7
    Nearly 100% Pure Carbon thecoalman's Avatar
    Join Date
    Nov 2007
    Location
    Northeast Pennsylvania
    Posts
    529
    Quote Originally Posted by the_ancient View Post
    I think he is asking about network level not Server level Blocks
    This is exactly what I'm asking. It's understandable they wouldn't be using many, if any, but if you take the list described above, as far as I can tell no legitimate traffic would be coming from any of those IPs. The point of course is that if Jag is using lists like this, I have no reason to block them at the server level.

  8. #8
    Nearly 100% Pure Carbon thecoalman's Avatar
    Join Date
    Nov 2007
    Location
    Northeast Pennsylvania
    Posts
    529
    Quote Originally Posted by JPC-Katrina View Post
    APF also appears to use Dshield and Spamhaus. CSF is still recommended if it is available to use.
    There are three lists you can enable in the configuration. The one from Spamhaus is easily the largest and, as already mentioned, it blocks IPs that have been hijacked. The other two lists are most active IPs, one from DShield and another from the Honey Pot Project.

    # [Remote Rule Imports]
    ##
    # Project Honey Pot is the first and only distributed system for identifying
    # spammers and the spambots they use to scrape addresses from your website.
    # This aggregate list combines Harvesters, Spammers and SMTP Dictionary attacks
    # from the PHP IP Data at: Malicious IPs | By Last Bad Event | Project Honey Pot
    DLIST_PHP="0"

    DLIST_PHP_URL="rfxn.com/downloads/php_list"
    DLIST_PHP_URL_PROT="http"

    # The Spamhaus Don't Route Or Peer List (DROP) is an advisory "drop all
    # traffic" list, consisting of stolen 'zombie' netblocks and netblocks
    # controlled entirely by professional spammers. For more information please
    # see The Spamhaus Project - DROP.
    DLIST_SPAMHAUS="0"

    DLIST_SPAMHAUS_URL="www.spamhaus.org/drop/drop.lasso"
    DLIST_SPAMHAUS_URL_PROT="http"

    # DShield collects data about malicious activity from across the Internet.
    # This data is cataloged, summarized and can be used to discover trends in
    # activity, confirm widespread attacks, or assist in preparing better firewall
    # rules. This is a list of top networks that have exhibited suspicious activity.
    DLIST_DSHIELD="0"

    DLIST_DSHIELD_URL="feeds.dshield.org/top10-2.txt"
    DLIST_DSHIELD_URL_PROT="http"
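
The three `DLIST_*` feeds in the configuration above are fetched over plain `http`, which gives no integrity protection for what is downloaded. As an added example (not part of the original post and not APF's own code), this Python check vets a downloaded list in the DROP text layout before it is handed to a firewall; the sample feed, the /8 limit and the protected admin address are assumptions.

```python
import ipaddress

# Constructed sample in the DROP text layout: "CIDR ; SBL reference", with ';'
# starting a comment. Documentation prefixes only, not real list entries.
SAMPLE_FEED = """\
; constructed sample, not real DROP data
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
0.0.0.0/0 ; SBL000003
10.0.0.0/8 ; SBL000004
203.0.113.0/24 ; SBL000005
not-a-network ; SBL000006
"""

MIN_PREFIX = 8                     # assumption: reject anything broader than a /8
NEVER_BLOCK = ["203.0.113.10/32"]  # hypothetical admin address that must stay reachable
RESERVED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def vet_blocklist(text, min_prefix=MIN_PREFIX, never_block=NEVER_BLOCK):
    """Split a downloaded list into (accepted networks, [(line, reason)] rejects)."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    accepted, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].strip()  # drop the "; SBLnnn" comment part
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            rejected.append((raw, "not a valid CIDR"))
            continue
        if net.prefixlen < min_prefix:
            rejected.append((raw, "prefix too broad"))
        elif any(net.overlaps(r) for r in RESERVED):
            rejected.append((raw, "private or reserved space"))
        elif any(net.overlaps(p) for p in protected):
            rejected.append((raw, "covers a protected address"))
        else:
            accepted.append(net)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = vet_blocklist(SAMPLE_FEED)
    print("load:", [str(n) for n in ok])
    for line, reason in bad:
        print("skip:", line, "->", reason)
```
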

  9. #9
    Nearly 100% Pure Carbon thecoalman's Avatar
    Join Date
    Nov 2007
    Location
    Northeast Pennsylvania
    Posts
    529
    Quote Originally Posted by JPC-Katrina View Post
    Nothing at network level.
    Would it make sense to use the Spamhaus drop list at network level instead of having it be done at server level?

    It's a list of IPs that no legitimate traffic could come from.
