Fred Stluka on 25 Aug 2018 11:31:43 -0700



Re: [PLUG] Linux tip: Log IP addresses, not hostnames, for use by fail2ban...


Rich,

Wow!  Seems a little harsh to say I'm irresponsible, incompetent,
and using a dangerous, expensive, complicated, and foolish
approach.  Let's try to keep this a friendly welcoming group, eh?

I'm just trying to block hackers without losing the ability to know
who they are, where they come from, and what tricks they are
trying.  If I block all of China, I lose the ability to learn how best
to allow some of China in safely, which I may need to know for a
client some day.

Also, I'd guess that these days most hackers have access to
botnets that span multiple countries, including millions of home
and business desktops and laptops in the US.  So, I really HAVE
to use a more selective approach than just blocking China.

Given that I am and it's working fine, why should I also block
China?  And if so, what other countries should I block entirely?
Seems like a slippery slope to me.

BTW, what's your beef with AWS anyhow?  I've used it quite
happily for nearly 10 years, and hosted all of my clients there.
Do you see them as somehow worse than Linode and other
Cloud IaaS (Infrastructure as a Service) providers?

--Fred
------------------------------------------------------------------------
Fred Stluka -- Bristle Software, Inc. -- http://bristle.com
#DontBeATrump -- Make America Honorable Again!
------------------------------------------------------------------------

On 8/25/18 5:26 AM, Rich Kulawiec wrote:
> On Fri, Aug 24, 2018 at 06:20:33PM -0400, Fred Stluka wrote:
>> I don't want to simply block all of China (and North Korea, and
>> Russia, and Ukraine, and Venezuela, and India, and Brazil, and
>> Argentina, and Germany, and France, and the US, and all the
>> other countries that make daily attacks on my servers).
>
> What you want is irrelevant.  What you should be doing as a responsible
> professional is what matters, and that's pro-actively blocking as much
> of the crud as you possibly can from reaching as many ports/services as
> you possibly can while still maintaining required functionality.
>
> If you don't *need* to allow ssh from Portugal or Panama or Pakistan
> then you should block it.  If you don't *need* to allow http from China,
> then you should block it.  If you don't *need* to allow email from the
> hundreds of new garbage gTLDs that are completely overrun with spammers
> and phishers, then you should block it.  If you don't *need* to allow
> attacks on your DNS infrastructure from AWS, then you should block it.
> And so on. [1]
>
> The days of passively waiting for attacks and responding to them after
> the fact ended 15 years ago.  That approach is dangerous, expensive,
> complicated, and foolish. [2]  Competent professionals now anticipate
> attacks and deal with the majority of them before they can get anywhere
> near their intended targets.
>
> ---rsk
>
> [1] A curated list of zones by country may be found here:
>
> 	http://ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
>
> The Okean zones for China and Korea are here:
>
> 	http://www.okean.com/chinacidr.txt
> 	http://www.okean.com/koreacidr.txt
>
> The Spamhaus DROP and EDROP lists are here:
>
> 	http://www.spamhaus.org/drop/drop.txt
> 	http://www.spamhaus.org/drop/edrop.txt
>
> Note that there are small differences between the CN and KR zones
> listed by ipdeny and Okean, due to how/when they're updated.
>
> [2] There's a lot of snake oil being peddled in the form of expensive
> and complex SIEM systems which purport to detect and analyze attacks
> and react to them.  Systems like this are of *some* use if you're
> a security researcher and curious about what's trying to get into
> your operation.  But if you're just trying to run a system/network,
> then going down this rabbit hole is pointless: drop all the traffic
> that you can on the floor and get on with what you need to be doing.

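An added example (not from either poster) showing how the two approaches in this thread fit together: a zone file in the one-CIDR-per-line format of the ipdeny/Okean lists becomes an nftables set that drops whole ranges up front, and the sshd failures that still reach the host (the ones fail2ban would act on) are split by whether the zone would have dropped them. Zone prefixes and log lines are constructed sample data, not real hosts; the set name is a placeholder.

```python
import ipaddress
import re

# Constructed sample zone file in ipdeny/Okean format (one CIDR per line); not real data.
ZONE_TXT = """\
203.0.113.0/24
198.51.100.0/25
"""

# Constructed sshd lines of the kind fail2ban's sshd filter matches; hosts are not real.
# The last line logs a hostname instead of an address, the situation the subject line warns about.
AUTH_LOG = """\
Aug 25 05:26:01 host sshd[1234]: Failed password for root from 203.0.113.45 port 51234 ssh2
Aug 25 05:26:03 host sshd[1235]: Failed password for invalid user admin from 192.0.2.9 port 40000 ssh2
Aug 25 05:26:07 host sshd[1236]: Failed password for root from 198.51.100.200 port 41000 ssh2
Aug 25 05:26:09 host sshd[1237]: Accepted publickey for fred from 192.0.2.10 port 42000 ssh2
Aug 25 05:26:11 host sshd[1238]: Failed password for root from badhost.example port 43000 ssh2
"""

FAILED_RE = re.compile(r"Failed password for .* from (\S+) port \d+")

def load_zone(text):
    """Parse a zone file into ip_network objects, skipping blank and comment lines."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def nft_set(name, nets):
    """Render the zone as an nftables set; 'flags interval' lets elements be prefixes."""
    elems = ", ".join(str(n) for n in nets)
    return f"set {name} {{ type ipv4_addr; flags interval; elements = {{ {elems} }} }}"

def classify_failures(log_text, nets):
    """Split failed-login sources into zone-dropped, still-reaching-sshd, and unparseable."""
    dropped, remaining, unparsed = [], [], []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:            # a hostname was logged, so it cannot be matched or banned
            unparsed.append(m.group(1))
            continue
        (dropped if any(ip in n for n in nets) else remaining).append(str(ip))
    return dropped, remaining, unparsed

if __name__ == "__main__":
    zone = load_zone(ZONE_TXT)
    print(nft_set("blocked_zone", zone))
    print(classify_failures(AUTH_LOG, zone))
```

Note that 198.51.100.200 lies outside 198.51.100.0/25, so it reaches sshd even with the zone block in place; that is the case fail2ban still has to cover.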
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
