On Tue, Jan 09, 2018 at 09:28:26AM +0000, Dave Osbourne wrote:
> > 1. The list might be incorrect and legit requests will be blocked, the
> > list will have to be regularly derived (there might be a source who knows)
> > 2. "bad" IPs might be on that list and allowed
>
> My response is to implement a dynamic block list (say)
> http://iplists.firehol.org/?ipset=blocklist_net_ua - using iptables on (say)
> Debian. I've looked at an hour of probe data and it seems that that
> *specific* list would have blocked 97+% of known bad probe attempts (and
> the list is updated regularly).
>
> I hope someone might be able to provide argument for / against... or share
> an alternative...

I have been doing this for a while, but now have found that ipset fits in
very well here.

- Adding and removing IPs from a set is easier than fiddling with iptables
  syntax.
- The timeout feature comes in very handy.
- Basically the iptables rules can be static.

Bye, Joerg
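A concrete form of the set-plus-static-rule approach Joerg describes, written here as an added example rather than code from the thread. It assumes a set named `blocklist`, a per-entry timeout of 86400 seconds, a list in the firehol text format (one IP or CIDR per line, `#` comments), and `curl` for the download; the iptables rule references the set by name and is installed once, while a cron job only refreshes the set contents.

```shell
#!/bin/sh
# Added example (not from the thread): refresh an ipset blocklist from a
# downloaded list while the iptables rule stays static.
# Assumed values: set name "blocklist", entry timeout 86400 s, firehol-style
# list file (one IP or CIDR per line, '#' starts a comment).

SET_NAME="${SET_NAME:-blocklist}"
ENTRY_TIMEOUT="${ENTRY_TIMEOUT:-86400}"

# Turn a list file into "ipset restore" input.  Comments, whitespace and
# anything that is not an IPv4 address or prefix are dropped, so a corrupted
# download cannot inject stray commands into the restore stream.  Every entry
# carries a timeout, so prefixes that disappear from the upstream list expire
# on their own instead of staying blocked forever.
render_ipset_restore() {
    # $1 = path to the list file
    printf 'create %s hash:net family inet timeout %s\n' "$SET_NAME" "$ENTRY_TIMEOUT"
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" \
    | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
    | while IFS= read -r prefix; do
        printf 'add %s %s timeout %s\n' "$SET_NAME" "$prefix" "$ENTRY_TIMEOUT"
      done
}

# The only iptables rule needed.  It matches on the set name, so it is added
# once at boot and never edited again; all churn happens inside the set.
static_iptables_rule() {
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$SET_NAME"
}

# Refresh cycle for cron: download, validate, load in one "ipset restore".
# "-exist" makes re-creating the set and re-adding known entries a no-op,
# which also renews their timeout.
refresh_blocklist() {
    # $1 = URL of the list (e.g. the firehol blocklist_net_ua ipset URL)
    tmp=$(mktemp) || return 1
    if curl -fsS "$1" -o "$tmp"; then
        render_ipset_restore "$tmp" | ipset restore -exist
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: sh blocklist.sh refresh <list-url>   (after running static_iptables_rule once)
if [ "${1:-}" = "refresh" ] && [ -n "${2:-}" ]; then
    refresh_blocklist "$2"
fi
```

Because the entries time out, a prefix that the upstream list stops publishing falls out of the set within a day without any delete logic; if the download fails, the previous entries simply keep counting down, which is the safe failure mode for a blocklist. `ipset list blocklist` shows the current entries and their remaining timeouts.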