Fred Stluka on 24 Aug 2018 15:38:11 -0700
Re: [PLUG] Linux tip: Log IP addresses, not hostnames, for use by fail2ban...
Rich,
> For example, block access to ssh from all of Digital Ocean's blocks. Same for AWS

Please don't encourage people to block all access from AWS servers. My servers and those of almost all of my clients are hosted on AWS. So is the CIA, and other major parts of the US Govt. Also, major companies like Netflix, Adobe, GE, Kelloggs, BMW, etc.

If you're going to ding AWS for having some ignorant, negligent, incompetent users, you may as well ding all Windows users, and many Linux users also. What large segment of the world is trustworthy enough to allow in?

That's why I prefer fail2ban. 3 strikes and you're out, but until then, you're presumed innocent.

--Fred
------------------------------------------------------------------------
Fred Stluka -- Bristle Software, Inc. -- http://bristle.com
#DontBeATrump -- Make America Honorable Again!
------------------------------------------------------------------------

On 8/17/18 8:34 PM, Rich Kulawiec wrote:
On Fri, Aug 17, 2018 at 07:38:36PM -0400, Rachel plays Linux wrote:
> Maintaining a home firewall and a commercial server are way different. At work I can't simply ban by country, though I can block some entire ISPs.

Then firewall by country by port. Is anyone from China going to ssh into your servers? If not, then block it. Do you need email from China? If not, then block it. And so on. This sort of thing is easy to manage if you script the build of your firewall rules with a tool like make(1).

And yes, firewalling some entire ISPs is a very good idea. For example, block access to ssh from all of Digital Ocean's blocks. Same for AWS -- and firewall smtp as well. There are a lot of operations that are run by ignorant, negligent, incompetent people and there is no reason to extend access privileges to these -- and every reason not to.

> At home I lock out damn near everything

A better approach *is* to lock out everything and only permit what you absolutely need. (This often works in production environments as well; I'm fond of saying that the first rule in any firewall config should be:

    block all from any to any

which bidirectionally blocks all traffic.) For example, I have a server that will only permit ssh from a /24, a /27, and a /32. Good luck finding a way to attack that service.

---rsk
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
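Rich's server that permits ssh only from a /24, a /27 and a /32, with everything else dropped, is the kind of thing he suggests scripting rather than typing by hand. The script below is an added example, not something posted in this thread by Rich, Fred or anyone else: a POSIX sh generator that validates an allowlist of CIDRs and emits an nftables ruleset with a default-drop input chain. nftables as the firewall, ssh on tcp/22, IPv4 only, and the set name `ssh_allow` are assumptions; the addresses are RFC 5737 documentation prefixes, constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build an nftables ruleset that drops all
# inbound traffic by default and permits ssh only from an allowlist of CIDRs.
# Assumptions: nftables is the firewall, ssh listens on tcp/22, IPv4 only.
# The addresses used in the usage line are RFC 5737 documentation prefixes.

SSH_PORT=22

# valid_cidr A.B.C.D/LEN -> returns 0 for a well-formed IPv4 CIDR, 1 otherwise.
# Every entry is checked before it reaches the ruleset, so a typo cannot
# silently widen the allowlist or produce a ruleset nft refuses to load.
valid_cidr() {
    case $1 in
        */*) ;;                                  # prefix length is mandatory
        *) return 1 ;;
    esac
    addr=${1%/*}
    len=${1#*/}
    case $len in ''|*[!0-9]*) return 1 ;; esac  # length must be numeric
    [ "$len" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*) return 1 ;; esac # digits and dots only (no globs)
    oldifs=$IFS; IFS=.
    set -- $addr                                 # split the address into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_ruleset CIDR... -> prints a complete nftables ruleset on stdout.
# Default policy is drop; only loopback, reply traffic and ssh from the
# allowlist get through. Nothing is applied here; see the usage note.
build_ruleset() {
    [ $# -gt 0 ] || { echo "build_ruleset: need at least one CIDR" >&2; return 1; }
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "build_ruleset: bad CIDR '$cidr'" >&2; return 1; }
    done
    allow=$(printf '%s, ' "$@"); allow=${allow%, }
    cat <<EOF
flush ruleset
table inet filter {
    set ssh_allow {
        type ipv4_addr
        flags interval
        elements = { $allow }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip saddr @ssh_allow tcp dport $SSH_PORT accept
    }
}
EOF
}

# Stand-alone usage:
#   ./build-ssh-allow.sh 192.0.2.0/24 198.51.100.0/27 203.0.113.7/32 > ssh-allow.nft
[ $# -eq 0 ] || build_ruleset "$@"
```

The generated file is meant to be checked before it is loaded: `nft -c -f ssh-allow.nft` parses it without touching the running firewall, and since the ruleset begins with `flush ruleset` and ends in a drop policy, the address you are administering from has to be in the allowlist before `nft -f ssh-allow.nft` is run. Keeping the allowlist in a script (or a make(1) target that calls it) gives the same reproducible build Rich describes, and the validation step is where a fat-fingered prefix length gets caught instead of quietly opening ssh to a wider range.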