
Re: yet another IP blocklist (mine!)

From Moe Trin <ibuprofin@painkiller.example.tld.invalid>
Newsgroups comp.os.linux.security
Subject Re: yet another IP blocklist (mine!)
Date 2016-10-04 20:32 +0000
Organization #include <Standard_Disclaimer.h>
Message-ID <slrnnv84fd.9g.ibuprofin@planck.phx.az.us> (permalink)
References <MPG.325c46579c9d147e989681@reader80.eternal-september.org>



On Mon, 3 Oct 2016, in the Usenet newsgroup comp.os.linux.security, in
article <MPG.325c46579c9d147e989681@reader80.eternal-september.org>,
Supratim Sanyal wrote:

>Hi - I am maintaining a brute-force attack source IP blocklist

Idle curiosity -  Why?

>Entries have a 48 hour expiry.

Good - but that might be on the long side.   I have to laugh at people
using a Self-Denial-of-Service tool like 'blocksshd', 'sshguard',
'fail2ban', "DenyHost[s]" and similar, who wonder why their firewall is
so slow when they have over a thousand /32 DROP rules that never expire.
That's only the tip of the iceberg, as there are about 3.7e9 non-RFC5735
IPv4 addresses out there (3.64e9 of which are allocated/assigned/in-use)
never mind 1.59e34 similar IPv6 addresses (out of 3.37e38 non-RFC6890)
in 30100 blocks.  When I was using this style of setup (about 10 years
ago), I expired the address after 720 seconds (12 minutes) as that was
long enough to discourage the id10ts out there.  I also had some
"permanent" ranges - ISPs or similar groups that tolerated abusers.
Those blocks (about 20 as I recall) ranged from /17 up to /12 in size.

>Contains actual ssh, telnet and smtp failed login attempts.

Do you really NEED to be offering those services to the _entire_ world?
My firewall allows _inbound_ access from a /22 and two /24s "outside"
or a total of 1530 addresses, because I can't see any reason to allow
connections from you or anyone else that I haven't approved in advance,
and I really don't expect authorized users to be connecting from
Kazakhstan, Kenya, Kiribati, Korea, Kuwait or Kyrgyzstan and a lot of
other places either. Lest someone from those countries object, I also
don't allow access from nearly all ISPs in the rest of the world.  Not
expected == not allowed.

The perimeter firewall has few rules.
   ALLOW established
   ALLOW from 3 blocks outside to 4 ports on 2 servers on the LAN
   ALLOW ICMP types 3 (some), 0 and 11 inbound
   ALLOW ICMP types 3 (some) and 8 outbound
   ALLOW new outbound from the LAN
   sh!tcan the rest

It also only accepts connections to itself from three hosts on the
LAN side.   I don't even bother logging - the firewall prevented the
connection, so what MORE do you need?   It's not as if the Internet
Police are going to do anything if you complain.   This also reduces
the resources needed on the firewall box - for years, mine was the
remains of a 1990s 386SX laptop with a whopping 4 Megs of RAM and a
105 Meg disk.  When it finally died 6-7 years ago, I replaced it with
a similarly retired (~2002) Pentium laptop.

        Old guy
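The expiry-based blocking the reply argues for (short-lived /32 entries that age out, plus a handful of permanent ranges, so the rule count stays small), written up here as an added example in Python; it is not code from either poster. It assumes the firewall is an nftables host with two sets named blocked_nets and blocked_hosts in table "filter" (names chosen for the example), and it only formats the nft commands rather than running them.

```python
import ipaddress
import time

# 12 minutes: the expiry the post says was long enough to discourage scanners
EXPIRY_SECONDS = 720

class Blocklist:
    """Short-lived /32 blocks with expiry plus a few permanent ranges (IPv4).
    permanent: CIDR strings for the ranges that never expire."""

    def __init__(self, permanent, expiry=EXPIRY_SECONDS, clock=time.time):
        self.permanent = [ipaddress.ip_network(p) for p in permanent]
        self.expiry = expiry
        self.clock = clock      # injectable so tests can fake time
        self._temp = {}         # ip_address -> expiry timestamp

    def add(self, ip):
        """Block ip; returns False if a permanent range already covers it."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.permanent):
            return False        # no extra /32 rule needed
        self._temp[addr] = self.clock() + self.expiry
        return True

    def purge(self):
        """Drop expired entries so the rule count cannot grow without bound."""
        now = self.clock()
        expired = [a for a, t in self._temp.items() if t <= now]
        for a in expired:
            del self._temp[a]
        return len(expired)

    def is_blocked(self, ip):
        addr = ipaddress.ip_address(ip)
        self.purge()
        return addr in self._temp or any(addr in n for n in self.permanent)

    def rule_count(self):
        self.purge()            # firewall entries the live list currently needs
        return len(self.permanent) + len(self._temp)

    def nft_commands(self, table="filter"):
        """nft commands (formatted, not run): an interval set for permanent
        ranges and a per-host set whose elements carry their own timeout."""
        self.purge()
        now = self.clock()
        cmds = ["add set inet %s blocked_nets { type ipv4_addr; flags interval; }" % table]
        cmds += ["add element inet %s blocked_nets { %s }" % (table, n) for n in self.permanent]
        cmds.append("add set inet %s blocked_hosts { type ipv4_addr; flags timeout; }" % table)
        cmds += ["add element inet %s blocked_hosts { %s timeout %ds }" % (table, a, max(1, int(t - now)))
                 for a, t in sorted(self._temp.items())]
        return cmds
```

The sample addresses in the accompanying checks (192.0.2.x, 198.51.100.0/24) are constructed documentation ranges, not observed abusers.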
