| Fred Stluka on 25 Aug 2018 11:31:43 -0700 |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
| Re: [PLUG] Linux tip: Log IP addresses, not hostnames, for use by fail2ban... |
Rich, Wow! Seems a little harsh to say I'm irresponsible, incompetent, and using a dangerous, expensive, complicated, and foolish approach. Let's try to keep this a friendly welcoming group, eh? I'm just trying to block hackers without losing the ability to know who they are, where they come from, and what tricks they are trying. If I block all of China, I lose the ability to learn how best to allow some of China in safely, which I may need to know for a client some day. Also, I'd guess that these days most hackers have access to botnets that span multiple countries, including millions of home and business desktops and laptops in the US. So, I really HAVE to use a more selective approach than just blocking China. Given that I am and it's working fine, why should I also block China? And if so, what other countries should I block entirely? Seems like a slippery slope to me. BTW, what's your beef with AWS anyhow? I've used it quite happily for nearly 10 years, and hosted all of my clients there. Do you see them as somehow worse than Linode and other Cloud IaaS (Infrastructure as a Service) providers? --Fred ------------------------------------------------------------------------ Fred Stluka -- Bristle Software, Inc. -- http://bristle.com #DontBeATrump -- Make America Honorable Again! ------------------------------------------------------------------------ On 8/25/18 5:26 AM, Rich Kulawiec wrote:
On Fri, Aug 24, 2018 at 06:20:33PM -0400, Fred Stluka wrote:I don't want to simply block all of China (and North Korea, and Russia, and Ukraine, and Venezuela, and India, and Brazil, and Argentina, and Germany, and France, and the US, and all the other countries that make daily attacks on my servers).What you want is irrelevant. What you should be doing as a responsible professional is what matters, and that's pro-actively blocking as much of the crud as you possibly can from reaching as many ports/services as you possibly can while still maintaining required functionality. If you don't *need* to allow ssh from Portugal or Panama or Pakistan then you should block it. If you don't *need* to allow http from China, then you should block it. If you don't *need* to allow email from the hundreds of new garbage gTLDs that are completely overrun with spammers and phishers, then you should block it. If you don't *need* to allow attacks on your DNS infrastructure from AWS, then you should block it. And so on. [1] The days of passively waiting for attacks and responding to them after the fact ended 15 years ago. That approach is dangerous, expensive, complicated, and foolish. [2] Competent professionals now anticipate attacks and deal with the majority of them before they can get anywhere near their intended targets. ---rsk [1] A curated list of zones by country may be found here: http://ipdeny.com/ipblocks/data/countries/all-zones.tar.gz The Okean zones for China and Korea are here: http://www.okean.com/chinacidr.txt http://www.okean.com/koreacidr.txt The Spamhaus DROP and EDROP lists are here: http://www.spamhaus.org/drop/drop.txt http://www.spamhaus.org/drop/edrop.txt Note that there are small differences between the CN and KR zones listed by ipdeny and Okean, due to how/when they're updated. [2] There's a lot of snake oil being peddled in the form of expensive and complex SIEM systems which purport to detect and analyze attacks and react to them. Systems like this are of *some* use if you're a security researcher and curious about what's trying to get into your operation. But if you're just trying to run a system/network, then going down this rabbit hole is pointless: drop all the traffic that you can on the floor and get on with what you need to be doing. ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug