


Re: yet another IP blocklist (mine!)

From Supratim Sanyal <supratim@riseup.invalid>
Newsgroups comp.os.linux.security
Subject Re: yet another IP blocklist (mine!)
Date 2016-10-27 20:27 -0400
Organization A noiseless patient Spider
Message-ID <MPG.327c65692bdf48dc989683@news.eternal-september.org> (permalink)
References <MPG.325c46579c9d147e989681@reader80.eternal-september.org> <slrnnv84fd.9g.ibuprofin@planck.phx.az.us>



In article <slrnnv84fd.9g.ibuprofin@planck.phx.az.us>, 
ibuprofin@painkiller.example.tld.invalid says...
> 
> On Mon, 3 Oct 2016, in the Usenet newsgroup comp.os.linux.security, in
> article <MPG.325c46579c9d147e989681@reader80.eternal-september.org>,
> Supratim Sanyal wrote:
> 
> >Hi - I am maintaining a brute-force attack source IP blocklist
> 
> Idle curiosity -  Why?

Ummm - got myself a cheapo VPS, have to use it for something - and 
revived a fortune-cowsay daemon I wrote in school ... put it on the 
telnet port - doubles as a honey pot for telnet spam ... no good reason 
really ... :)


> 
> >Entries have a 48 hour expiry.
> 
> Good - but that might be on the long side.   I have to laugh at people
> using a Self-Denial-of-Service tool like 'blocksshd', 'sshguard',
> 'fail2ban', "DenyHost[s]" and similar, who wonder why their firewall is
> so slow when they have over a thousand /32 DROP rules that never expire.
> That's only the tip of the iceberg, as there are about 3.7e9 non-RFC5735
> IPv4 addresses out there (3.64e9 of which are allocated/assigned/in-use)
> never mind 1.59e34 similar IPv6 addresses (out of 3.37e38 non-RFC6890)
> in 30100 blocks.  When I was using this style of setup (about 10 years
> ago), I expired the address after 720 seconds (12 minutes) as that was
> long enough to discourage the id10ts out there.  I also had some
> "permanent" ranges - ISPs or similar groups that tolerated abusers.
> Those blocks (about 20 as I recall) ranged from /17 up to /12 in size.
> 
> >Contains actual ssh, telnet and smtp failed login attempts.
> 
> Do you really NEED to be offering those services to the _entire_ world?
> My firewall allows _inbound_ access from a /22 and two /24s "outside"
> or a total of 1530 addresses, because I can't see any reason to allow
> connections from you or anyone else that I haven't approved in advance,
> and I really don't expect authorized users to be connecting from
> Kazakhstan, Kenya, Kiribati, Korea, Kuwait or Kyrgyzstan and a lot of
> other places either. Lest someone from those countries object, I also
> don't allow access from nearly all ISPs in the rest of the world.  Not
> expected == not allowed.
> 
> The perimeter firewall has few rules.
>    ALLOW established
>    ALLOW from 3 blocks outside to 4 ports on 2 servers on the LAN
>    ALLOW ICMP types 3 (some), 0 and 11 inbound
>    ALLOW ICMP types 3 (some) and 8 outbound
>    ALLOW new outbound from the LAN
>    sh!tcan the rest
> 
> It also only accepts connections to itself from three hosts on the
> LAN side.   I don't even bother logging - the firewall prevented the
> connection, so what MORE do you need?   It's not as if the Internet
> Police are going to do anything if you complain.   This also reduces
> the resources needed on the firewall box - for years, mine was the
> remains of a 1990s 386SX laptop with a whopping 4 Megs of RAM and a

Again doing "something" with a cheapo VPS is the goal ... at this point, 
this VPS also does the following (for no particular reason):

- ad-blocking dns server on udp/53 and tcp/53
- TOR web proxy on TCP/8080 - (password protected)
- varnish httpd reverse proxy (love varnish!)
- ntp server on port udp/123 (listed in ntp.org!)
- stunnel remote logging server for all of my other hobbyist servers and 
VMs ...
- runs seti@home/boinc ... :)
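The thread's central point is that blocklist entries must expire (48 hours in the original list, 720 seconds in Moe Trin's old setup) or the rule set grows until it becomes a self-inflicted denial of service. Below is an added example, not code from either poster, of such an expiring blocklist: it parses constructed sshd-style failed-login lines, blocks a source after a threshold of failures (threshold value and sample addresses are assumptions), and prunes lapsed entries whenever the live list is requested.

```python
# Expiring brute-force blocklist (added example; sample data is constructed).
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed syslog-style lines; the year is not in syslog timestamps, so it is assumed.
SAMPLE_LOG = """\
Oct 27 20:01:02 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 27 20:01:05 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51236 ssh2
Oct 27 20:01:09 vps sshd[1201]: Failed password for admin from 203.0.113.5 port 51240 ssh2
Oct 27 20:02:00 vps sshd[1210]: Failed password for invalid user test from 198.51.100.9 port 4000 ssh2
Oct 27 20:03:00 vps sshd[1211]: Accepted publickey for deploy from 192.0.2.10 port 5000 ssh2
"""

FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*sshd\[\d+\]: Failed password for .* from (\S+) port")


class Blocklist:
    def __init__(self, threshold=3, ttl=timedelta(hours=48)):
        self.threshold = threshold   # failures before a source is blocked (assumed value)
        self.ttl = ttl               # how long a block lives; 48h as in the original list
        self.failures = Counter()    # ip -> failed-login count
        self.expiry = {}             # ip -> datetime at which the block lapses

    def feed(self, line, year=2016):
        """Record one log line; return the IP if this line triggered a block."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        self.failures[ip] += 1
        if self.failures[ip] >= self.threshold:
            self.expiry[ip] = ts + self.ttl   # refresh expiry on every new failure
            return ip
        return None

    def active(self, now):
        """Prune lapsed entries, then return the currently blocked IPs."""
        for ip, until in list(self.expiry.items()):
            if until <= now:
                del self.expiry[ip]
                del self.failures[ip]   # let a reformed source start clean
        return sorted(self.expiry)


def build(log=SAMPLE_LOG, threshold=3, ttl=timedelta(hours=48)):
    bl = Blocklist(threshold, ttl)
    for line in log.splitlines():
        bl.feed(line)
    return bl
```

With the 48-hour ttl the single offender above stays listed until Oct 29 20:01:09; switching `ttl` to `timedelta(seconds=720)` drops it twelve minutes after its last failure, the behaviour Moe Trin describes.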



Thread

yet another IP blocklist (mine!) Supratim Sanyal <supratim@riseup.invalid> - 2016-10-03 11:42 -0400
  Re: yet another IP blocklist (mine!) Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2016-10-04 20:32 +0000
    Re: yet another IP blocklist (mine!) Supratim Sanyal <supratim@riseup.invalid> - 2016-10-27 20:27 -0400
      Re: yet another IP blocklist (mine!) Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2016-10-28 21:10 +0000
        Re: yet another IP blocklist (mine!) Supratim Sanyal <supratim@riseup.invalid> - 2016-10-28 18:02 -0400
          Re: yet another IP blocklist (mine!) Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2016-10-29 22:24 +0000
            Re: yet another IP blocklist (mine!) Supratim Sanyal <supratim@riseupnet.invalid.com> - 2016-11-22 18:49 -0500
              Re: yet another IP blocklist (mine!) Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2016-11-24 01:13 +0000
                Re: yet another IP blocklist (mine!) Supratim Sanyal <supratim@riseupnet.invalid.com> - 2016-11-26 17:59 -0500
                Re: yet another IP blocklist (mine!) Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2016-11-28 02:10 +0000
