Keith via plug on 17 Mar 2021 14:03:24 -0700 |
Re: [PLUG] Web Ass Pfirewall |
On 3/17/21 4:46 PM, Chris Thistlethwaite via plug wrote:
+1 for fail2ban. You can set up various bits to keep things banned across multiple servers, but even by itself it's pretty much the go-to solution for banning things.
Too many ssh requests? banned. Too many http log in failures? banned. Look at me the wrong way on the street? banned.
-CT
Iptables is still pretty good for blocking / choking traffic.
You can automatically block bad actors / abusive IPs by using the
various limit modules. One of my favorite rules simply blocks SSH
ingress based on packets per hour. You exceed the limit, you get
blocked for a certain amount of time. It works beautifully and is
just one rule. You can always look at current entries on the list
and decide if you want to permanently block them. I highly
recommend doing that- it'll make you feel good :D
On Wed, Mar 17, 2021 at 4:34 PM Ron Nascimento via plug <plug@lists.phillylinux.org>
wrote:
Have you looked at fail2ban?
https://www.fail2ban.org
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs
that show the malicious signs -- too many password failures, seeking
for exploits, etc. Generally Fail2Ban is then used to update firewall
rules to reject the IP addresses for a specified amount of time,
although any arbitrary other action (e.g. sending an email) could also
be configured. Out of the box Fail2Ban comes with filters for various
services (apache, courier, ssh, etc).
On Wed, 2021-03-17 at 16:29 -0400, Ron Mansolino via plug wrote:
> I have a vps that I don't do too much with, essentially a dev server.
>
> Because it sits out on the net it logs an unwieldy number of
> intrusion attempts and nosey infogathering requests.
>
> I've been manually filtering these with iptables, but that isn't
> scaling well (and it's impossible to block cloud services that
> continually allocate new netblocks). I'd like to block all of AWS,
> GCP, etc, but it's like playing whack-a-mole. I could use some
> suggestions for a WAF that I won't eventually have to pay for.
>
> Also, did the posting rules change here? I don't check here often,
> and things aren't working as I expect them to.
> _____________________________________________________________________
> ______
> Philadelphia Linux Users Group --
> http://www.phillylinux.org
> Announcements -
> http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion --
> http://lists.phillylinux.org/mailman/listinfo/plug
--
-Chris
--
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Managing Member, DAO Technologies LLC
(O) +1.215.525.4165 x2033
(M) +1.215.432.5167
www.daotechnologies.com