On 09-01-2018 16:24, Dave Osbourne wrote:
> On 2018-01-09 09:58, Joerg Dorchain wrote:
>> On Tue, Jan 09, 2018 at 09:28:26AM +0000, Dave Osbourne wrote:
>>> 1. The list might be incorrect and legit requests will be blocked; the
>>> list will have to be regularly derived (there might be a source who
>>> knows)
>>> 2. "bad" IPs might be on that list and allowed
>>>
>>> My response is to implement a dynamic block list (say)
>>> http://iplists.firehol.org/?ipset=blocklist_net_ua - using iptables
>>> on (say) Debian. I've looked at an hour of probe data and it seems that
>>> that /*specific*/ list would have blocked 97+% of known bad probe
>>> attempts (and the list is updated regularly).
>>>
>>> I hope someone might be able to provide argument for / against... or
>>> share an alternative...
>>
>> I have been doing this for a while, but now have found that ipset
>> fits in very well here.
>> - Adding and removing IPs from a set is easier than fiddling with
>>   iptables syntax.
>> - The timeout feature comes in very handy.
>> - Basically the iptables rules can be static.
>>
>> Bye,
>>
>> Joerg
>
> Ah - I looked at that (ipset) - didn't even know it existed...!!
>
> I'm getting a lot of resistance from our outsourced IT supplier on
> this... the excuses are variously:
>
> * block based on SRCIP being in <insert unfriendly state here> or
> * why don't you migrate to Office365 or
> * don't worry if you patch regularly and have a good passwd policy, then
>   just let the traffic come
>
> all completely pointless given the constraints and facts of the case.
>
> Does *anyone* have some kind of a reference or best practice for this,
> or their own motivation even?
>
> I feel the resistance I'm getting (not from the list) is through a lack
> of awareness by IT professionals... this seems like such an obvious
> thing to do, yet 3 IT support companies I've spoken to don't seem keen....

My only experience with something simpler (trying to reduce the number of
ssh brute-force attempts) is allowing only IPs from $MYCOUNTRY. Your concern
about the list of IPs not being correct is a valid one, but I've never had
problems or complaints (machines have only a few users, though) when using
the lists from here:

ftp://ftp.ripe.net/pub/stats/ripencc/

The files there are updated daily. You'll have to massage the file first to
get a range of IPs you can use.

That said, your idea sounds good, and if it could help catch the few corner
cases the static lists (firehol + ripe) don't catch, I don't see why not use
it (maybe a false-positives concern?).

> Dave
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

--
Mauro Santos
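The two techniques discussed in this thread, Joerg's "static iptables rules, dynamic ipset contents (with timeouts)" and Mauro's "massage the RIPE delegated file into usable ranges", are shown together below as an added example. This is my own code, not anything posted in the thread or shipped by firehol or RIPE. It assumes the RIPE delegated-file format (`registry|cc|type|start|value|date|status`), set names `allow_country` and `block_dyn`, and a hypothetical 86400 s entry timeout; the delegated-file sample is constructed, not downloaded. The "massage" step is where the non-obvious edge case lives: the ipv4 `value` field is a host count, not a prefix length, and it need not be a power of two, so one line can expand to several CIDRs.

```python
"""Added example (not from the thread): turn RIPE delegated-file lines into
`ipset restore` input and pair the sets with static iptables rules.

Assumptions (mine): set names allow_country / block_dyn, an 86400 s timeout
for the dynamic block set, and a constructed sample of delegated lines.
"""
import ipaddress

# Constructed sample in the delegated-file format (not a real download):
# registry|cc|type|start|value|date|status
SAMPLE_DELEGATED = """\
2|ripencc|20180109|5|19830705|20180108|+0100
ripencc|*|ipv4|*|1|summary
ripencc|PT|ipv4|193.136.0.0|65536|19930101|allocated
ripencc|PT|ipv4|194.65.0.0|3072|19950301|allocated
ripencc|NL|ipv4|145.97.0.0|65536|19910101|assigned
ripencc|PT|ipv6|2001:690::|32|20000801|allocated
ripencc|PT|asn|1930|1|19930601|allocated
"""


def delegated_to_cidrs(text, country, family="ipv4"):
    """Return CIDR strings for `country` and `family` from delegated-file text.

    For ipv4 the 5th field is a host count; 3072 is not a power of two, so the
    range is summarized into the minimal list of CIDRs (here /21 + /22).
    For ipv6 the 5th field is already a prefix length.
    """
    nets = []
    for line in text.splitlines():
        fields = line.split("|")
        # Skips the version header, the summary line, asn rows and other countries.
        if len(fields) < 7 or fields[1] != country or fields[2] != family:
            continue
        start, value = fields[3], int(fields[4])
        if family == "ipv4":
            first = ipaddress.IPv4Address(start)
            last = first + value - 1
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(f"{start}/{value}"))
    return [str(n) for n in nets]


def ipset_restore_script(setname, cidrs, family="inet", timeout=None):
    """Emit text for `ipset -exist restore`.

    The new contents are loaded into a scratch set and then swapped in, so the
    live set referenced by iptables is never half-filled. With `timeout`, every
    entry expires unless the list is re-applied before the timeout runs out,
    which is what makes a stale or withdrawn blocklist entry drop out on its own.
    """
    tmp = setname + "_tmp"
    opts = f"hash:net family {family}"
    if timeout:
        opts += f" timeout {timeout}"
    lines = [f"create {setname} {opts}", f"create {tmp} {opts}", f"flush {tmp}"]
    lines += [f"add {tmp} {cidr}" for cidr in cidrs]
    lines += [f"swap {tmp} {setname}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


def iptables_rules(allow_set, block_set, port=22):
    """Static rules (iptables-restore syntax) that never change when the set
    contents do: drop anything in the dynamic block set, then admit ssh only
    from the country allow set."""
    return [
        f"-A INPUT -m set --match-set {block_set} src -j DROP",
        f"-A INPUT -p tcp --dport {port} -m set --match-set {allow_set} src -j ACCEPT",
        f"-A INPUT -p tcp --dport {port} -j DROP",
    ]


if __name__ == "__main__":
    cidrs = delegated_to_cidrs(SAMPLE_DELEGATED, "PT")
    print(ipset_restore_script("allow_country", cidrs))
    print(ipset_restore_script("block_dyn", [], timeout=86400))
    print("\n".join(iptables_rules("allow_country", "block_dyn")))
```

Feed the first output to `ipset -exist restore` from the daily cron job that fetches the delegated file (the `-exist` flag keeps the `create` lines from failing on the second run); the blocklist feed goes through the same function with a `timeout`, so entries that firehol drops will age out rather than linger. The iptables rules are loaded once and left alone, which is the property Joerg is pointing at.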