Is This Like Fail2Ban?
We're asked by many sysadmins, "Wait, isn't this just Fail2Ban with extra steps?"
No. Hacker Blocker is entirely different from Fail2Ban; it is an organically-curated list of known attacker IPs. These aren't grandma's laptop being hijacked - these are servers that have been compromised for years, and continue to attack millions of business and government servers every day. We recommend you run Hacker Blocker as well as Fail2Ban, not instead of it. That way, Hacker Blocker protects you against known hackers and Fail2Ban protects against newly compromised IPs.
Wait, but IPs change hands all the time! How do you keep up?
Most IPs in the blocklist are fixed IPs and CIDRs that are compromised servers. This includes commercial hosting companies that attack nearly everything else on the Internet for months or years at a time. Residential IPs are almost never blocked because they rarely meet the history criteria, and IPs within the USA have even stricter block criteria. Google, Amazon, Facebook and other user-facing systems are a hotbed for hacker activity, and are also blocked for attacks. We never block college IPs.
To keep up, every few weeks, IPs are consolidated by an Internet Security Expert by attack type and IP address. Similar IPs verified as attackers are grouped by CIDR and blocked. Most blocked CIDRs are small, between 256 and 1024 IPs, but some large CIDRs are blocked when a substantial percentage of their addresses are deemed attackers. This allows us to keep ahead of attackers who burn through consecutive IPs in Amazon or DigitalOcean ranges.
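As an added illustration of the consolidation step described above (example code written for this page, not Hacker Blocker's own tooling): the script takes a set of already-vetted attacker addresses and promotes a /24 through /16 block to the deny list only when at least a chosen fraction of its addresses have been verified as attackers, leaving isolated hits as single addresses. The 10% density threshold, the /24 to /16 prefix range and the sample addresses (RFC 5737 documentation ranges, constructed for the example) are assumptions.

```python
"""Consolidate verified attacker IPs into CIDR blocks (added example, not Hacker Blocker code)."""
import ipaddress
import math
from collections import defaultdict

# Constructed sample of already-vetted attacker addresses (documentation ranges, not real IoCs).
VERIFIED_ATTACKERS = [
    # Two adjacent /24s in a hosting range that keep burning through addresses: 32 hits each.
    *(f"203.0.112.{i}" for i in range(0, 256, 8)),
    *(f"203.0.113.{i}" for i in range(0, 256, 8)),
    # A sparse /24 with only 8 hits: not enough to justify blocking the whole range.
    *(f"203.0.115.{i}" for i in range(0, 256, 32)),
    # Isolated hits that should stay as single addresses.
    "198.51.100.7",
    "192.0.2.200",
]

# Assumed policy: a block is denied whole when this fraction of its addresses are verified attackers.
DENSITY = 0.10
SMALLEST_BLOCK_PREFIX = 24   # 256 addresses: the smallest CIDR we will ever block as a unit
LARGEST_BLOCK_PREFIX = 16    # 65536 addresses: never aggregate wider than this


def consolidate(addresses, density=DENSITY,
                smallest_prefix=SMALLEST_BLOCK_PREFIX, largest_prefix=LARGEST_BLOCK_PREFIX):
    """Return a sorted list of IPv4Network objects covering every verified address.

    Starting at /24 and widening toward /16, a network is marked for blocking when the
    number of distinct verified attackers inside it reaches ceil(density * size).
    Wider blocks absorb the narrower ones they contain; addresses not covered by any
    block are emitted as /32 entries.
    """
    hosts = {ipaddress.ip_address(a) for a in addresses}
    candidates = []
    for prefix in range(smallest_prefix, largest_prefix - 1, -1):
        groups = defaultdict(set)
        for host in hosts:
            groups[ipaddress.ip_network(f"{host}/{prefix}", strict=False)].add(host)
        for net, members in groups.items():
            needed = math.ceil(density * net.num_addresses)
            if len(members) >= needed:
                candidates.append(net)

    # Keep only the widest block for each covered range (widest prefix first).
    blocks = []
    for net in sorted(candidates, key=lambda n: n.prefixlen):
        if not any(net.subnet_of(kept) for kept in blocks):
            blocks.append(net)

    # Anything not swallowed by a block stays as a single address.
    for host in hosts:
        single = ipaddress.ip_network(f"{host}/32")
        if not any(single.subnet_of(kept) for kept in blocks):
            blocks.append(single)
    return sorted(blocks)


def hits_per_block(blocks, addresses):
    """Map each block (as a string) to how many verified attackers it contains."""
    hosts = [ipaddress.ip_address(a) for a in addresses]
    return {str(block): sum(host in block for host in hosts) for block in blocks}


def to_deny_lines(blocks):
    """Render blocks as deny-list lines: bare address for /32, CIDR notation otherwise."""
    return [str(b.network_address) if b.prefixlen == 32 else str(b) for b in blocks]


if __name__ == "__main__":
    result = consolidate(VERIFIED_ATTACKERS)
    hits = hits_per_block(result, VERIFIED_ATTACKERS)
    for line, block in zip(to_deny_lines(result), result):
        print(f"{line:20} covers {hits[str(block)]:3} verified attacker(s) of {block.num_addresses}")
```

With the sample input, the two dense /24s are merged into 203.0.112.0/23 (64 hits out of 512 addresses, above the 10% threshold), the surrounding /22 is not blocked (72 of 1024 falls short), and the sparse 203.0.115.0/24 plus the two stray addresses remain as ten individual entries.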
I installed Hacker Blocker and now can't see my website, services, & cat pictures! What do I do?!
If you think Hacker Blocker is affecting a service you are trying to connect to, contact us to get the offending IP/CIDR whitelisted. That being said, we've been running Hacker Blocker on our personal PCs and company servers for years and haven't had a single issue. Given the sheer number of IP addresses on the Internet, it's laughably unlikely it'll affect anything you connect to.
We'll be happy to figure out if any of your IPs are in our list. If they are, we'll gladly help you figure out how to stop your server from attacking things. If they're not, we'll be happy to explain that to our client in common. It's probably DNS.
Does Hacker Blocker work for my network appliance?
Not natively (yet). However, the blocklist can be either exported from Windows Firewall through PowerShell or downloaded every 15 minutes from our .deny file.
How do you create an organically-curated hacker blocklist?
With human eyeballs and intelligence. Every IP and CIDR entered into the blocklist is vetted by an Internet Security Expert who verifies that the attacker IP meets certain criteria: a history of attacks, the same detected attack type recurring in the IP's history, the country of origin, etc. Once the IP is verified to be an attacker, it is added.