Would it be wise to block the IP addresses on the firewall

Hi Experts, I noticed this on my firewall logs. I have done virus scan, but would it be wise to also block those IP addresses (Top Attack Source) on my firewall?

Snowbella Kilangit Asked:

If you don't require anything from those IPs (emails, etc.) I don't see any reason why not. That's why firewalls allow blacklisting as well as whitelisting. It's safe to block them all.

John, Business Consultant (Owner), Commented:
It depends on the firewall. I have a Cisco RV325 firewall. I have Firewall enabled and then SPI, DOS and Block WAN request all enabled. I do not set individual IP addresses and the main settings seem to work. I have similar settings in Juniper Netscreen boxes at clients.

This is how I approach blocking.
Snowbella Kilangit, Author, Commented:
Thank you Wayne88. I note your advice.

John, I have Fortigate. Can you make it a little simpler for me? I am new to this.
John, Business Consultant (Owner), Commented:
Look in the Fortigate firewall settings. The settings page should have settings similar to what I described - most do.
Hi Snowbella, those settings are standard settings and yes it's assumed that you would already block WAN request, DOS, etc.

As a good practice, you should block all ports and services that you don't need or use on the firewall. You want to keep the minimum number of ports open.

Let's be sure and be more specific. Does your firewall log state what those 3 IPs are trying to do and what protocol they are using, and I assume your firewall is effectively blocking them?

The problem with blocking the 3 IPs manually is that a week or month from now your firewall will report 3 different IPs as the top 3 attack sources. In other words, it will never end. My advice is that if the firewall is properly configured then you probably have nothing to worry about and yes .. block all the ports and services you don't need.
John, Business Consultant (Owner), Commented:
One port to block (assuming Exchange) is port 25 to prevent compromised computers from spamming.

The problem with blocking the 3 IPs manually is that ... it will never end. <-- Exactly - which is why I do not do this.
Well no, that's almost like saying to never ever use blacklisting or whitelisting. You should use it with discretion but not for every IP address that showed up as the top 3 attack sources.

If the firewall is properly configured and all the basic things are covered as you mentioned then there is something else taking place coming from these IPs.  If so, then it's probably worth investigating and after all else if time after time again these 3 IPs are still in the top attacker list then by all means blacklist them. You can't be "too safe".

If, for example, it's found that the top attackers are just doing WAN requests then it's safe to ignore them and not even worth blacklisting. This is why the log must be checked to see what those assumed attackers are trying to do before jumping to conclusions. But in short, to the original question of whether it's safe to blacklist the 3 IPs: yes, it is, if they are not needed.
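
Added example, not part of the thread and not any poster's code: one way to check what each top source is actually doing before deciding to blacklist it. The log lines are constructed in a FortiGate-style key=value layout; the field names (`srcip`, `dstport`, `proto`, `action`) and the three-day recurrence threshold are assumptions.

```python
import shlex
from collections import defaultdict

# Constructed sample lines in a FortiGate-style key=value layout.
# Field names are assumptions; addresses come from documentation ranges.
SAMPLE_LOG = """\
date=2024-03-01 time=02:11:09 srcip=203.0.113.7 dstport=23 proto=6 action=deny
date=2024-03-02 time=02:15:40 srcip=203.0.113.7 dstport=23 proto=6 action=deny
date=2024-03-03 time=01:58:12 srcip=203.0.113.7 dstport=2323 proto=6 action=deny
date=2024-03-01 time=09:30:00 srcip=198.51.100.20 dstport=3389 proto=6 action=accept
date=2024-03-01 time=09:30:05 srcip=198.51.100.20 dstport=3389 proto=6 action=accept
date=2024-03-02 time=14:02:33 srcip=192.0.2.55 dstport=53 proto=17 action=deny
"""

PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}

def parse_line(line):
    """Split one key=value log line into a dict (quoted values are honoured)."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def summarize(log_text):
    """Per source IP: event count, days seen, targeted services, actions."""
    stats = defaultdict(lambda: {"events": 0, "days": set(),
                                 "targets": set(), "actions": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if "srcip" not in rec:
            continue  # skip lines without a source address
        s = stats[rec["srcip"]]
        s["events"] += 1
        s["days"].add(rec.get("date", "?"))
        proto = PROTO_NAMES.get(rec.get("proto"), rec.get("proto", "?"))
        s["targets"].add(f"{proto}/{rec.get('dstport', '?')}")
        s["actions"].add(rec.get("action", "?"))
    return dict(stats)

def triage(stat, min_days=3):
    """Verdict following the thread's advice; min_days is an assumed threshold."""
    if stat["actions"] - {"deny"}:
        return "investigate"          # some traffic was not blocked
    if len(stat["days"]) >= min_days:
        return "blacklist-candidate"  # keeps coming back, always denied
    return "already-blocked"          # denied noise, no action needed

if __name__ == "__main__":
    for ip, st in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, st["events"], sorted(st["targets"]), triage(st))
```

A source whose traffic was accepted is the one worth investigating first; a source that is always denied only becomes a blacklist candidate when it keeps reappearing.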