Rich Kulawiec on 17 Aug 2018 17:34:10 -0700
Re: [PLUG] Linux tip: Log IP addresses, not hostnames, for use by fail2ban...
On Fri, Aug 17, 2018 at 07:38:36PM -0400, Rachel plays Linux wrote:
> Maintaining a home firewall and a commercial server are way different. At
> work I can't simply ban by country, though I can block some entire ISPs.

Then firewall by country by port. Is anyone from China going to ssh into
your servers? If not, then block it. Do you need email from China? If not,
then block it. And so on. This sort of thing is easy to manage if you
script the build of your firewall rules with a tool like make(1).

And yes, firewalling some entire ISPs is a very good idea. For example,
block access to ssh from all of Digital Ocean's blocks. Same for AWS --
and firewall smtp as well. There are a lot of operations that are run by
ignorant, negligent, incompetent people and there is no reason to extend
access privileges to these -- and every reason not to.

> At home I lock out damn near everything

A better approach *is* to lock out everything and only permit what you
absolutely need. (This often works in production environments as well;
I'm fond of saying that the first rule in any firewall config should be:

	block all from any to any

which bidirectionally blocks all traffic.) For example, I have a server
that will only permit ssh from a /24, a /27, and a /32. Good luck finding
a way to attack that service.

---rsk
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
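The default-deny, allowlist-only ssh policy described in the post, written out as a scripted ruleset build. This is an added example and not code from the original message or from the list; it assumes nftables as the packet filter (the post itself names no tool), and the three prefixes are constructed RFC 5737 documentation ranges standing in for the author's /24, /27 and /32.

```sh
#!/bin/sh
# Added example, not code from the original post: build a default-deny
# nftables ruleset that admits ssh only from an explicit allowlist (the
# post's /24, /27 and /32). Prefixes below are constructed RFC 5737
# documentation ranges, not real networks.
SSH_ALLOW="192.0.2.0/24 198.51.100.32/27 203.0.113.7/32"

# Accept only dotted-quad/len with each octet 0..255 and len 0..32, so a
# typo in the allowlist fails the build instead of silently widening it.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the ruleset: input policy drop first, then allow loopback, replies
# to our own connections, and tcp/22 only from the ssh_allow set. IPv6 is
# dropped by the chain policy; add an ip6 set if you need it.
gen_ruleset() {
    elems=""
    for net in $SSH_ALLOW; do
        valid_cidr "$net" || { echo "bad prefix: $net" >&2; return 1; }
        elems="${elems:+$elems, }$net"
    done
    cat <<EOF
flush ruleset
table inet filter {
  set ssh_allow { type ipv4_addr; flags interval; elements = { $elems } }
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    tcp dport 22 ip saddr @ssh_allow accept
  }
  chain output { type filter hook output priority 0; policy accept; }
}
EOF
}

gen_ruleset
```

Redirect the output to a file and check it with `nft -c -f` before loading it, and make sure the address you administer from is inside one of the listed prefixes before the drop policy takes effect.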