Geolocation - Country: All TOR Exit Nodes as Country to block

Hi there,

last week we had about 90.000 blocked f2b SQLi events from 1000 unique IP addresses, mostly from TOR Exit nodes. I collected a list of IPs/Hostnames and tried to import these to the FB Geolocation-Blocker. Is there a way to handle that as a "virtual country" block?

Examples:

-removed-

.. more

or from -removed-

Thanks
MA7C

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @MA7C

    I removed your IPs and links, as I don't want to encourage the search engines to index those and associate them with this site. My apologies.

    Since they share a host name, your best bet is likely to add these as blocked sites using FQDN
    "*.example.com" for example.

    Geolocation just adds addresses to blocked sites en-masse behind the scenes, so you'd be doing the same thing, effectively.

    We won't add those types of addresses to geolocation because TOR by definition isn't a country. You may wish to look into application control, which has definitions to block some TOR activity.

    -James Carson
    WatchGuard Customer Support

  • edited June 2021

    You can also set up an Alias which can include IP addr, subnets & FQDNs and add a policy, such as an Any policy, to block these

  • Thanks James and Bruce,

    The TOR Nodes don't belong to a country, and bitcoin is not a currency. But both exist and have their functionality 😉

    @James_Carson: is the list definition only verifiable via category check? If I block the complete "Proxy Avoidance" Group, or only the subcategory "TOR", the category check [https://securityportal.watchguard.com/UrlCategory] only shows: "URL is categorized as Proxy Avoidance".

    @Bruce_Briggs: The file format "alias,123.123.123.123" as txt works fine, the alias import was working great. But actually I don't see a possibility to block the TOR-Exit-Node Alias (IP-list) other than in the tab "Blocked Sites Configuration" - is that correct? The blocked sites config does not work with aliases. I have two policies redirecting to an internal webserver.

    Thanks for both approaches.

    Marc

  • edited June 2021

    As I said above:
    "and add a policy, such as an Any policy, to block these"

    From: TOR-Exit-Node To: Any-external

  • edited June 2021

    Move this policy to the top of your policy list.
    Set it to Denied.
    You may wish to set Logging to not log the denies.

  • @Bruce_Briggs you might laugh, I tried that!

    I tried to activate an Alias consisting of 513 lines in a policy from TOR-Exit-Nodes to any with action denied. Our M370 did not save the settings! No joke. Firebox System Manager 12.6.4 cannot handle that.

  • edited June 2021

    I am not aware of a specific limit to the size of an Alias list.
    You could try adding one of 200 lines and see if that works.
    If so, then you could break up your list into 3 alias lists and use them on your policy.
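The two pieces of the workaround described in this thread (Marc's "alias,address" txt import format and Bruce's suggestion to split a large list into alias files of at most 200 lines) can be combined into a small script. The following is an added example, not code from the thread or from WatchGuard: it validates and de-duplicates a list of IPs/CIDRs, drops entries that are not valid addresses, and writes one alias per chunk. The sample input, the alias naming scheme (`TOR-Exit-Nodes-1`, `-2`, ...) and the exact 200-line limit are assumptions for illustration; the thread reports no documented alias size limit.

```python
# Added example (not from the thread or from WatchGuard): generate chunked
# alias import files in the "alias,address" txt format reported in the thread.
import ipaddress
from typing import Dict, List

# Constructed sample input (not real exit-node data): a duplicate, a CIDR,
# an invalid line and an IPv6 address, to exercise the edge cases.
SAMPLE_INPUT = """\
# constructed list, not a real exit-node feed
198.51.100.10
198.51.100.10
203.0.113.0/24
192.0.2.77
not-an-ip
2001:db8::1
"""


def parse_addresses(text: str) -> List[str]:
    """Return validated, de-duplicated addresses/networks in input order.

    Blank lines, comments and entries that are not valid IPs or CIDRs are
    skipped so a single bad line does not break the whole import file.
    Single hosts are emitted without a /32 or /128 suffix to match the
    "alias,123.123.123.123" format Marc reports as working.
    """
    seen = set()
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue
        key = str(net.network_address) if net.num_addresses == 1 else str(net)
        if key in seen:
            continue
        seen.add(key)
        out.append(key)
    return out


def alias_lines(alias_name: str, entries: List[str]) -> List[str]:
    """Format entries as 'alias,address' lines (the txt import format from the thread)."""
    return [f"{alias_name},{entry}" for entry in entries]


def chunk(entries: List[str], size: int) -> List[List[str]]:
    """Split entries into consecutive lists of at most `size` items."""
    return [entries[i:i + size] for i in range(0, len(entries), size)]


def build_alias_files(alias_base: str, text: str, max_lines: int = 200) -> Dict[str, str]:
    """Return {filename: content}, one alias per chunk, named <alias_base>-<n>.

    max_lines=200 follows Bruce's suggestion in the thread; the per-chunk
    alias naming is an assumption of this example.
    """
    entries = parse_addresses(text)
    files: Dict[str, str] = {}
    for idx, part in enumerate(chunk(entries, max_lines), start=1):
        name = f"{alias_base}-{idx}"
        files[f"{name}.txt"] = "\n".join(alias_lines(name, part)) + "\n"
    return files


if __name__ == "__main__":
    # Write the generated alias files to the current directory.
    for filename, content in build_alias_files("TOR-Exit-Nodes", SAMPLE_INPUT).items():
        with open(filename, "w", encoding="utf-8") as fh:
            fh.write(content)
        print(f"wrote {filename} ({content.count(chr(10))} lines)")
```

Each generated alias can then be used as the From member of the deny policy Bruce describes (From: the alias, To: Any-external, action Denied, moved to the top of the policy list); a feed with more than one chunk simply adds several aliases to the same policy.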

  • Odd.. I need to look at some of my aliases, I seem to remember a couple of monsters approaching 400 lines..

    Adrian from Australia
