Fred Stluka on 24 Aug 2018 15:38:11 -0700

Re: [PLUG] Linux tip: Log IP addresses, not hostnames, for use by fail2ban...


Rich,

> For example,
> block access to ssh from all of Digital Ocean's blocks.  Same for AWS

Please don't encourage people to block all access from AWS servers.

My servers and those of almost all of my clients are hosted on AWS.
So is the CIA, and other major parts of the US Govt.  Also, major
companies like Netflix, Adobe, GE, Kelloggs, BMW, etc.  If you're
going to ding AWS for having some ignorant, negligent, incompetent
users, you may as well ding all Windows users, and many Linux
users also.  What large segment of the world is trustworthy enough
to allow in?  That's why I prefer fail2ban.  3 strikes and you're out,
but until then, you're presumed innocent.

--Fred
------------------------------------------------------------------------
Fred Stluka -- Bristle Software, Inc. -- http://bristle.com
#DontBeATrump -- Make America Honorable Again!
------------------------------------------------------------------------

On 8/17/18 8:34 PM, Rich Kulawiec wrote:
> On Fri, Aug 17, 2018 at 07:38:36PM -0400, Rachel plays Linux wrote:
>> Maintaining a home firewall and a commercial server are way different. At
>> work I can't simply ban by country, though I can block some entire ISPs.
> Then firewall by country by port.  Is anyone from China going to ssh into
> your servers?  If not, then block it.  Do you need email from China?
> If not, then block it.  And so on.  This sort of thing is easy to
> manage if you script the build of your firewall rules with a tool
> like make(1).
>
> And yes, firewalling some entire ISPs is a very good idea.  For example,
> block access to ssh from all of Digital Ocean's blocks.  Same for AWS --
> and firewall smtp as well.  There are a lot of operations that are
> run by ignorant, negligent, incompetent people and there is no reason
> to extend access privileges to these -- and every reason not to.
>
>> At home I lock out damn near everything
> A better approach *is* to lock out everything and only permit what you
> absolutely need.  (This often works in production environments as well;
> I'm fond of saying that the first rule in any firewall config should be:
>
> 	block all from any to any
>
> which bidirectionally blocks all traffic.)  For example, I have a server
> that will only permit ssh from a /24, a /27, and a /32.  Good luck
> finding a way to attack that service.
>
> ---rsk
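The two positions in the thread, Fred's "three strikes" fail2ban rule and Rich's "permit ssh only from a /24, a /27 and a /32", can be combined in one small check. The following is an added example, not code from either poster or from fail2ban itself: it counts sshd password failures per literal source address over constructed log lines, bans an address once it reaches the threshold unless it falls inside an allowlisted prefix, and separately reports entries that were logged as hostnames rather than addresses (the problem the subject line is about). The log lines, the prefixes and the threshold are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd log lines; the "badhost" entry was logged as a hostname, not an address.
SAMPLE_LOG = """\
Aug 24 15:01:02 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Aug 24 15:01:05 host sshd[1002]: Failed password for root from 203.0.113.7 port 51240 ssh2
Aug 24 15:01:09 host sshd[1003]: Failed password for root from 203.0.113.7 port 51251 ssh2
Aug 24 15:02:00 host sshd[1004]: Failed password for fred from 198.51.100.20 port 40000 ssh2
Aug 24 15:02:30 host sshd[1005]: Failed password for fred from 198.51.100.20 port 40001 ssh2
Aug 24 15:02:45 host sshd[1006]: Failed password for fred from 198.51.100.20 port 40002 ssh2
Aug 24 15:03:05 host sshd[1007]: Failed password for root from badhost.example.com port 2222 ssh2
Aug 24 15:03:10 host sshd[1008]: Accepted publickey for fred from 198.51.100.20 port 40003 ssh2
"""

# Hypothetical allowlist: the few prefixes (a /27, a /24 and a /32 here) you would
# permit ssh from anyway; an automated ban must never cover them.
ALLOWED = [ipaddress.ip_network(n) for n in ("198.51.100.0/27", "192.0.2.0/24", "203.0.113.250/32")]
FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

def failures_per_source(log_text):
    """Count failed-password lines per literal source address. Sources logged as
    hostnames go into `skipped`: they cannot become a firewall rule without a DNS lookup."""
    counts, skipped = Counter(), []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        src = m.group(1)
        try:
            ipaddress.ip_address(src)
        except ValueError:
            skipped.append(src)
            continue
        counts[src] += 1
    return counts, skipped

def is_allowed(ip_text):
    """True if the address falls inside one of the permitted prefixes."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in ALLOWED)

def ban_list(log_text, max_retry=3):
    """fail2ban's 'three strikes': presumed innocent below max_retry failures,
    and never banned while inside an allowlisted prefix."""
    counts, _ = failures_per_source(log_text)
    return sorted(ip for ip, n in counts.items()
                  if n >= max_retry and not is_allowed(ip))
```

Run against a real auth log the `skipped` list is the quick check that sshd is writing addresses and not reverse-DNS names.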
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug