Rich Kulawiec on 25 Aug 2018 02:26:41 -0700



Re: [PLUG] Linux tip: Log IP addresses, not hostnames, for use by fail2ban...


On Fri, Aug 24, 2018 at 06:20:33PM -0400, Fred Stluka wrote:
> I don't want to simply block all of China (and North Korea, and
> Russia, and Ukraine, and Venezuela, and India, and Brazil, and
> Argentina, and Germany, and France, and the US, and all the
> other countries that make daily attacks on my servers).

What you want is irrelevant.  What you should be doing as a responsible
professional is what matters, and that's pro-actively blocking as much
of the crud as you possibly can from reaching as many ports/services as
you possibly can while still maintaining required functionality.

If you don't *need* to allow ssh from Portugal or Panama or Pakistan
then you should block it.  If you don't *need* to allow http from China,
then you should block it.  If you don't *need* to allow email from the
hundreds of new garbage gTLDs that are completely overrun with spammers
and phishers, then you should block it.  If you don't *need* to allow
attacks on your DNS infrastructure from AWS, then you should block it.
And so on. [1]

The days of passively waiting for attacks and responding to them after
the fact ended 15 years ago.  That approach is dangerous, expensive,
complicated, and foolish. [2]  Competent professionals now anticipate
attacks and deal with the majority of them before they can get anywhere
near their intended targets.

---rsk

[1] A curated list of zones by country may be found here:

	http://ipdeny.com/ipblocks/data/countries/all-zones.tar.gz

The Okean zones for China and Korea are here:

	http://www.okean.com/chinacidr.txt
	http://www.okean.com/koreacidr.txt

The Spamhaus DROP and EDROP lists are here:

	http://www.spamhaus.org/drop/drop.txt
	http://www.spamhaus.org/drop/edrop.txt

Note that there are small differences between the CN and KR zones
listed by ipdeny and Okean, due to how/when they're updated.

[2] There's a lot of snake oil being peddled in the form of expensive
and complex SIEM systems which purport to detect and analyze attacks
and react to them.  Systems like this are of *some* use if you're
a security researcher and curious about what's trying to get into
your operation.  But if you're just trying to run a system/network,
then going down this rabbit hole is pointless: drop all the traffic
that you can on the floor and get on with what you need to be doing.
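As an added example (not part of the post above), this shell script shows the defensive plumbing the footnotes describe: merging country zone files of the ipdeny/Okean kind with the Spamhaus DROP format into one deduplicated list and turning it into an `ipset restore` script. The set name `geo_block`, the file names, and the CIDR values are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Merges CIDR zone files
# (ipdeny / Okean one-CIDR-per-line files, Spamhaus DROP "cidr ; SBLnnn"
# lines) into one clean list and emits an `ipset restore` script.
set -eu

# Constructed sample feeds in the formats the real lists use (values made up,
# taken from documentation address ranges). Note the duplicate between the
# ipdeny and Okean files and the CRLF line endings in one of them.
write_sample_zones() {
    dir=$1
    printf '203.0.113.0/24\n198.51.100.0/25\n203.0.113.0/24\n' > "$dir/cn-ipdeny.zone"
    printf '198.51.100.0/25\r\n203.0.113.0/24\r\n192.0.2.0/24\r\n' > "$dir/cn-okean.txt"
    printf '; Spamhaus DROP List (constructed sample)\n192.0.2.0/24 ; SBL000000\n' > "$dir/drop.txt"
}

# Strip ';' and '#' comments and CRs, keep only lines that look like an IPv4
# CIDR, drop surrounding blanks, and deduplicate across all input files.
clean_zones() {
    sed -e 's/;.*$//' -e 's/#.*$//' "$@" \
      | tr -d '\r' \
      | grep -E '^[[:space:]]*([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}[[:space:]]*$' \
      | tr -d '[:blank:]' \
      | sort -u
}

# Read clean CIDRs on stdin and write an `ipset restore` script that creates
# a hash:net set named $1 and adds every prefix to it.
to_ipset_restore() {
    set_name=$1
    printf 'create %s hash:net family inet\n' "$set_name"
    awk -v s="$set_name" '{ printf "add %s %s\n", s, $0 }'
}

# Usage: build the restore script from the sample feeds and print it.
# Loading it and dropping matching sources would then be, as root:
#   ipset restore -exist < geo_block.restore
#   iptables -I INPUT -m set --match-set geo_block src -j DROP
d=$(mktemp -d)
write_sample_zones "$d"
clean_zones "$d/cn-ipdeny.zone" "$d/cn-okean.txt" "$d/drop.txt" \
  | to_ipset_restore geo_block
rm -rf "$d"
```

Replace the sample files with the downloaded zone files and re-run on a schedule, since the post notes the feeds differ and change over time.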

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug