Rich Kulawiec on 29 Aug 2018 11:03:21 -0700



Re: [PLUG] Linux tip: Log IP addresses, not hostnames, for use by fail2ban...


On Wed, Aug 29, 2018 at 08:24:12AM -0400, Rich Freeman wrote:
> The problem is that the outcome of not allowing it is bad for the internet.

Allowing it is worse.  MUCH worse.

> If we're giving up on securing things at the protocol level and
> allowing any host to connect to any other host, what is the whole
> point of doing this Internet thing anyway, other than VPNs being
> cheaper than dedicated lines?

Those days went away a couple of decades ago, thanks to a combination of
incompetence, negligence, bad actors, and their enablers.  Since security
is asymmetric, you can either spend continuously-increasing amounts
of money and effort attempting to defend your operation from people
who have *already put proof on the table* that they're your enemy...
or you can solve your problem in a much more permanent way by removing
them from your view of the Internet.  And while a security breach of
your operation is obviously bad for you, it's also bad for all of us,
since compromise of your operation will (variously) expose our data, or
provide attackers with another platform from which to attack us, or worse.

We haven't given up.  We've just gotten smarter and realized that
blacklists and firewalls are not only far more cost-effective, they're
far more resistant to the attacks that we don't know about yet.
And we've figured out that default-deny is the way to go in nearly
all circumstances -- there are really precious few operations which
need to provide services under any other approach.

As I said before, I don't like this.  But it's reality.  Don't blame me:
I worked for a very long time to stop this from happening (and I wasn't
alone in that) but it didn't work out.  Too many people explicitly
or implicitly supported the incompetent, the negligent, the bad actors,
and their enablers, thus making them financially successful...and
ensuring that they would keep doing exactly what they were doing.
Now we're faced with the consequences of that.

Here's a quick quiz for you:

Q1: What is the annual revenue in the DoS/DDoS-prevention service/equipment
market?

Q2: Would that market even need to exist if everyone who ran a network
actually did their jobs in a competent and responsible fashion?

Hint: as I've noted many times, abuse/attacks do not magically fall
out of the sky.  They come from systems...on networks...run by people.

---rsk
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug