It is a well known joke around the IT sphere that if you have a public web server, you're going to have one Chinese IP in your logs on a daily basis. And that exists for a reason.
Now my history of dealing with such cases is huge.
It all starts in 2010 when I was working for a local IT company and we were employing a centralized server IT architecture in a local business and we were training the staff on how to use the resources. I noticed when I was going through some access logs, that a lot of failed attempts are flooding in, so I decided to look into that. What'd you know, it's all Chinese IP's. Me, being relatively new to this, thought it was a coincidence, blacklisted them and thought that would solve the issue, since it was seemingly only 4-5 IP's recurring daily.
Little did I know, it was much worse.
Since then, I have not checked in whether Chinese IP's are still attempting to gain unauthorized access to that business, but I would expect that it would be the case. In the 8 years that have passed since, their methods have not changed all that much and companies and governments are taking no action against this, leaving most people to fend the Chinese on their own.
All of this got me thinking: "How can I repel Chinese attackers?"
The answer came shortly. I just needed to block China's IP ranges. I developed a PowerShell script that blocks inbound requests (but not outbound, so you sould still contact them, but they would not be able to contact you) of all known Chinese ranges using Windows Firewall on Windows clients. Shortly after, I noticed a huge decrease of attempted attacks, but I could still see a pattern coming from African and Middle Eastern nations, albeit with a far smaller frequency. Seeing as, on general, none of the places I have implemented this script were interacting with these countries, it made sense to add them to the list. Since most of the systems I was responsible for were Windows ones, I've only written a Windows compatible blocker, although I am working on a GNU/Linux one.
You can download the script here: list-blocker
The archive has to be extracted with 7-Zip. The .ps file needs to be run as Administrator. It takes less than a minute to apply the rules. You are encouraged to review the simple code yourself, especially if you do not trust me.
In general, I cannot begin to express how annoyed I am at their carelessness when it comes to security exploits. I mean, I understand that their goal is to break into as much systems as possible, but if I were doing this, I would have some sort of attack control where if some target failed, I wouldn't try it immediately again on the next day. It just feels like a massive waste of resources.
