Re: off topic - how to secure httpd


 



If you are storing blocks per single IP, that won't scale (storage-wise, searching the list/table; just a bitmap of the whole IPv6 space is 10^19 Exabytes! [2^128 bits in EiB]). If you aggressively block whole ranges, you will most likely end up blocking a lot of legitimate potential users.

I also, to be honest, don't think permabans are useful: the IPs are constantly being recycled, so by permabanning you end up with addresses that may be recycled to a legit use being blocked, and go troubleshoot why your system doesn't work for them.
I like the fail2ban approach of blocking for a certain limited time period after bad behavior was detected. With IPv6 you may want to add some range detection on top of that to block a whole /64 after more than X abuses were detected from more than X different addresses in the range, but even that I would time-limit.

Just my 2c,
Eli

PS - even just blocking based on /64 networks is unrealistic: 2^64 bits in EiB = 2 EiB.

On Wed, 4 Dec 2024 at 16:21, Marc <Marc@xxxxxxxxxxxxxxxxx> wrote:
I hope nobody minds me addressing this off topic question.

I was thinking about adding IPv6, and when I got a range to try with, I was actually surprised how many I got. This made me wonder how many IPv6 are being used and how many IPv4.

Having these IPv6 so abundantly available made me also think about how I have currently arranged my abuse mitigation. Currently I am having ipsets for different subments and use a sort of honeypot approach: anything automated that scans for vulnerabilities in WordPress or weird files and ignores the robots.txt is getting blocked.

Such an approach will, over the years, lead to you blocking most of Azure, Google, Amazon, DigitalOcean, .cn etc.

I don't think this will go well for IPv6, to be honest. If there are so many out there, my ipsets will grow even bigger.

I was wondering how others are solving this?
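
The time-limited ban with /64 escalation described in the reply above, as an added example that is not part of the original thread and is not fail2ban's own code. The class name, the ban duration and the two thresholds (the "X" values) are assumptions, and the addresses come from documentation ranges.

```python
import ipaddress

BAN_SECONDS = 600   # assumed ban lifetime; every ban expires on its own
RANGE_HITS = 5      # assumed "X": abuse events seen inside one /64
RANGE_ADDRS = 3     # assumed "X": distinct source addresses inside one /64


class TimedBlocker:
    """Keeps state only for recent offenders, never for the address space."""

    def __init__(self):
        self.bans = {}   # banned network -> expiry timestamp
        self.seen = {}   # IPv6 /64 -> list of (timestamp, address) events

    def report(self, addr, now):
        """Record one abuse event and return the network that was banned."""
        ip = ipaddress.ip_address(addr)
        net = ipaddress.ip_network(f"{ip}/{ip.max_prefixlen}")  # single host
        if ip.version == 6:
            prefix = ipaddress.ip_network(f"{ip}/64", strict=False)
            # Forget events older than one ban period, then add this one.
            events = [e for e in self.seen.get(prefix, [])
                      if now - e[0] < BAN_SECONDS]
            events.append((now, ip))
            self.seen[prefix] = events
            distinct = {a for _, a in events}
            # Escalate to the whole /64 only when both thresholds are exceeded.
            if len(events) > RANGE_HITS and len(distinct) > RANGE_ADDRS:
                net = prefix
        self.bans[net] = now + BAN_SECONDS
        return net

    def is_blocked(self, addr, now):
        """True if addr falls inside any ban that has not yet expired."""
        ip = ipaddress.ip_address(addr)
        self.bans = {n: t for n, t in self.bans.items() if t > now}
        return any(n.version == ip.version and ip in n for n in self.bans)


if __name__ == "__main__":
    b = TimedBlocker()
    for i in range(1, 7):  # constructed events: six hosts in one /64
        print(b.report(f"2001:db8:0:1::{i}", now=i))
    print(b.is_blocked("2001:db8:0:1::ffff", now=10))   # covered by the /64
    print(b.is_blocked("2001:db8:0:1::ffff", now=700))  # ban has expired
```

The same expiry idea maps onto ipset's per-entry `timeout` option, so the kernel drops old entries without a cleanup job.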





