On 14/11/2021 18:03, Lefteris Tsintjelis wrote:
> On 14/11/2021 14:50, Kees van Vloten wrote:
>> Apart from a really nice firewall firehol also supplies a good set of
>> ip-blacklists.
>> For public exposure of email ports, I am using the combination of
>> firehol-firewall, firehol-blacklist, fail2ban and a whitelist based on
>> geo-ip. The mail-client ports exposed are 993 and 465, because
>> starttls is considered flawed nowadays: https://nostarttls.secvuln.info/
>> Full access from any IP (except firehol-blacklist and fail2ban) is
>> possible over VPN (openvpn) with MFA (privacyidea).
>> Privacyidea also supplies a mobile-app compatible with a.o. TOTP and
>> HOTP but it provides a more secure way of enrollment (2-step).
>> Thanks for pointing at crowdsec.net, will see if it can tighten
>> security further in cooperation with the above.
>> - Kees
> The problem I faced over the years, with so many IPs, was that the black
> listing way would reach its limits at some point. Using the classic
> fail2ban expiration dates and method, over time, never actually manages
> to get rid of them as they keep on trying and trying. I needed to expand
> the blacklist expiration time limits way high but that reached firewall
> limitations so I personally switched to a permanent white list
> firewalling, as I could do that, and it really got rid of a lot of my
> headaches with just about all my public services.
> Black listing would work in case of central dedicated and large
> firewalls but for smaller solutions I think country white listing
> firewall is a far better method.
> What would also be interesting is something similar to the spamcop
> combined with crowdsec reporting system so that it can be used to
> effectively analyze and reduce all those bots.
> The Spamhaus DROP list would also be a good permanent black list
> addition to any border routers or stand alone public services.
> https://www.spamhaus.org/drop/
Perhaps I was not clear in my last message. Have a look at this
documentation:
https://homebox.readthedocs.io/en/latest/email-access-monitoring/
I am available if you have any questions to implement something similar
yourself. Extending the system to add a second factor authentication is
probably easy enough.
Kind regards,
André
--
𝓐𝓡 - André Rodier
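The thread above combines three layers: a permanent block list (the Spamhaus DROP feed), a permanent allow list derived from geo-ip, and fail2ban-style temporary bans whose expiry lets persistent bots come back. The following Python is an added example, written for this page and not code from any of the participants, homebox, firehol or fail2ban. It parses text in the DROP file layout (one "CIDR ; SBL-reference" per line, ";" starting a comment), checks a source address against the three layers in order, and escalates the ban window for repeat offenders so that expiry alone no longer releases them. All prefixes, SBL references and timings are constructed; the function and class names are this example's own.

```python
"""Added example (not from the mailing-list thread): combine a permanent
block list in Spamhaus DROP format, a permanent allow list, and a
fail2ban-style ban table with escalating expiry."""
import ipaddress
from typing import Dict, List

# Constructed sample in the DROP file layout: ';' starts a comment and
# each entry is "CIDR ; SBL-reference". These prefixes are documentation
# ranges, not real listings.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample, not real data)
; Last-Modified: placeholder
198.51.100.0/24 ; SBL000001
203.0.113.0/25 ; SBL000002
"""

# Constructed allow list standing in for a geo-ip country list.
SAMPLE_ALLOW = ["192.0.2.0/24", "203.0.113.128/25"]


def parse_drop_list(text: str) -> List[ipaddress.IPv4Network]:
    """Parse DROP-format text into network objects. Comment lines and
    malformed entries are skipped so one bad line cannot abort a feed load."""
    nets = []
    for raw in text.splitlines():
        # Everything after the first ';' is the SBL reference or a comment.
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError:
            continue
    return nets


def parse_allow_list(cidrs: List[str]) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def in_any(ip: ipaddress.IPv4Address, nets: List[ipaddress.IPv4Network]) -> bool:
    return any(ip in n for n in nets)


class BanTable:
    """fail2ban-like table. A first offence bans for `bantime` seconds; each
    further offence doubles the window, so a bot that returns after expiry
    (the problem raised in the thread) is locked out for longer each time."""

    def __init__(self, bantime: int):
        self.bantime = bantime
        self.expires: Dict[str, float] = {}
        self.strikes: Dict[str, int] = {}

    def strike(self, ip: str, now: float) -> float:
        """Record an offence at time `now`; return the new expiry timestamp."""
        self.strikes[ip] = self.strikes.get(ip, 0) + 1
        self.expires[ip] = now + self.bantime * (2 ** (self.strikes[ip] - 1))
        return self.expires[ip]

    def is_banned(self, ip: str, now: float) -> bool:
        exp = self.expires.get(ip)
        if exp is None:
            return False
        if now >= exp:
            # Expired: drop the ban but keep the strike count for escalation.
            del self.expires[ip]
            return False
        return True


def decide(ip_str: str, drop_nets, allow_nets, bans: BanTable, now: float) -> str:
    """Evaluate the layers in the order the thread describes: permanent
    block list first, then temporary bans, then the permanent allow list."""
    ip = ipaddress.ip_address(ip_str)
    if in_any(ip, drop_nets):
        return "drop-list"
    if bans.is_banned(ip_str, now):
        return "banned"
    if not in_any(ip, allow_nets):
        return "not-allowlisted"
    return "allow"


if __name__ == "__main__":
    drop = parse_drop_list(SAMPLE_DROP)
    allow = parse_allow_list(SAMPLE_ALLOW)
    bans = BanTable(bantime=600)
    for src in ["198.51.100.7", "203.0.113.5", "203.0.113.200", "10.0.0.1", "192.0.2.10"]:
        print(src, decide(src, drop, allow, bans, now=0))
    bans.strike("192.0.2.10", now=0)
    print("after strike:", decide("192.0.2.10", drop, allow, bans, now=100))
```

The DROP check sits before the allow list so that a listed prefix is rejected even when it falls inside an allowed country range (203.0.113.5 versus 203.0.113.200 in the sample). The escalating expiry is this example's own choice, not fail2ban's default behaviour; fail2ban's recidive jail is the stock way to obtain a similar effect.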