On 2018-01-09 09:58, Joerg Dorchain wrote:
> On Tue, Jan 09, 2018 at 09:28:26AM +0000, Dave Osbourne wrote:
>> 1. The list might be incorrect and legit requests will be blocked; the
>> list will have to be regularly derived (there might be a source who knows).
>> 2. "Bad" IPs might be on that list and allowed.
>> My response is to implement a dynamic block list (say)
>> http://iplists.firehol.org/?ipset=blocklist_net_ua - using iptables on (say)
>> Debian. I've looked at an hour of probe data and it seems that that
>> *specific* list would have blocked 97+% of known bad probe attempts (and
>> the list is updated regularly).
>> I hope someone might be able to provide arguments for / against... or share
>> an alternative...
> I have been doing this for a while, but now have found that ipset
> fits in very well here.
> - Adding and removing IPs from a set is easier than fiddling with
> iptables syntax.
> - The timeout feature comes in very handy.
> - Basically the iptables rules can be static.
> Bye,
> Joerg
Ah - I looked at that (ipset) - didn't even know it existed...!!
I'm getting a lot of resistance from our outsourced IT supplier on
this... the excuses are variously:
* block based on SRCIP being in <insert unfriendly state here> or
* why don't you migrate to Office365 or
* don't worry if you patch regularly and have a good passwd policy then
just let the traffic come
all completely pointless given the constraints and facts of the case.
Does *anyone* have some kind of a reference or best practice for this,
or their own motivation even?
I feel the resistance I'm getting (not from the list) is through a lack
of awareness by IT professionals... this seems like such an obvious
thing to do, yet 3 IT support companies I've spoken to don't seem keen....
Dave
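The ipset workflow Joerg describes (static iptables rules, set contents that change, entries that expire on a timeout), written out as an added example. This is not code from the thread, from firehol or from the netfilter project; the set and chain names are illustrative, the download URL is assumed to be the raw file behind the page Dave linked and should be checked, and the allow-list set and the minimum-entry check are this example's answer to Dave's worry that a bad or truncated list blocks legitimate traffic.

```shell
#!/bin/sh
# Added example, not code from the thread, firehol or netfilter.
# Loads a firehol-style list (one IPv4 address or CIDR per line, '#' comments)
# into an ipset and swaps it in atomically, so the iptables rules stay static
# while the set contents change. Assumed: the set/chain names below, and that
# LIST_URL is the raw file behind the page linked in the thread (verify it).
set -eu

BLOCK_SET="${BLOCK_SET:-blocklist_net_ua}"
ALLOW_SET="${ALLOW_SET:-allow_static}"   # never-block addresses, checked first
TEMP_SET="${TEMP_SET:-probers}"          # hand-added entries that expire by themselves
LIST_URL="${LIST_URL:-https://iplists.firehol.org/files/blocklist_net_ua.ipset}"
MIN_ENTRIES="${MIN_ENTRIES:-100}"        # refuse to swap in a suspiciously short list

# Keep only well-formed IPv4 addresses / prefixes. Comments, blank lines,
# octets over 255 and prefix lengths over 32 are dropped, so one bad line in
# the download cannot abort 'ipset restore' or block something unintended.
filter_entries() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' \
    | awk -F'[./]' '$1 < 256 && $2 < 256 && $3 < 256 && $4 < 256'
}

# Turn the list on stdin into an 'ipset restore' script that fills <set>_tmp.
# The live set is only touched by the swap in refresh_blocklist.
build_restore() {
    set_name="$1"
    echo "create ${set_name}_tmp hash:net family inet maxelem 131072"
    filter_entries | sed "s/^/add ${set_name}_tmp /"
}

# Create a set only if it does not exist yet (arguments as for 'ipset create').
ensure_set() {
    ipset list -t "$1" >/dev/null 2>&1 || ipset create "$@"
}

# Download, sanity-check, load into the temporary set, swap, drop the old copy.
# Any failure before the swap leaves the previous set contents live.
refresh_blocklist() {
    ensure_set "$BLOCK_SET" hash:net family inet maxelem 131072
    ipset destroy "${BLOCK_SET}_tmp" 2>/dev/null || true   # leftover of a failed run
    dl=$(mktemp)
    curl -fsS --max-time 60 -o "$dl" "$LIST_URL"
    n=$(filter_entries < "$dl" | wc -l)
    if [ "$n" -lt "$MIN_ENTRIES" ]; then
        echo "only $n usable entries downloaded, keeping the old set" >&2
        rm -f "$dl"
        return 1
    fi
    build_restore "$BLOCK_SET" < "$dl" | ipset restore
    rm -f "$dl"
    ipset swap "${BLOCK_SET}_tmp" "$BLOCK_SET"
    ipset destroy "${BLOCK_SET}_tmp"
    ipset list -t "$BLOCK_SET"
}

# Static rules: allow-list first, then the refreshed list (logged, rate-limited,
# so false positives show up in the logs), then the expiring set. Run once.
install_rules() {
    ensure_set "$ALLOW_SET" hash:net family inet
    ensure_set "$BLOCK_SET" hash:net family inet maxelem 131072
    ensure_set "$TEMP_SET"  hash:ip  family inet timeout 3600
    iptables -N BLOCKLIST 2>/dev/null || true
    iptables -F BLOCKLIST
    iptables -A BLOCKLIST -m set --match-set "$ALLOW_SET" src -j RETURN
    iptables -A BLOCKLIST -m set --match-set "$BLOCK_SET" src \
        -m limit --limit 6/min -j LOG --log-prefix "blocklist: "
    iptables -A BLOCKLIST -m set --match-set "$BLOCK_SET" src -j DROP
    iptables -A BLOCKLIST -m set --match-set "$TEMP_SET" src -j DROP
    iptables -C INPUT -j BLOCKLIST 2>/dev/null || iptables -I INPUT 1 -j BLOCKLIST
}

# Temporary ban that expires on its own (default one hour): no iptables
# change and no cleanup job, which is the timeout feature Joerg mentions.
ban_for() {
    ipset add "$TEMP_SET" "$1" timeout "${2:-3600}" -exist
}

case "${1:-}" in
    install) install_rules ;;
    refresh) refresh_blocklist ;;
    ban)     ban_for "${2:?ip required}" "${3:-}" ;;
    "")      ;;   # sourced for its functions only
    *)       echo "usage: $0 install|refresh|ban <ip> [seconds]" >&2; exit 2 ;;
esac
```

Run `install` once as root, put `refresh` in cron at whatever interval the list publisher suggests, and add your own addresses (monitoring hosts, VPN endpoints) to the allow-list set so a bad entry upstream can never lock you out. The swap is the important part: the live set is replaced in one kernel operation, so there is no window where the old entries are gone and the new ones not yet loaded.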
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html