On 27/08/2019 22:25, Mike wrote:
Me personally, I'm less interested in an "all-US" or "all-non-US"
list. What I'm interested in is the most efficient blocklist,
representing the smallest number of large IP blocks that can restrict
the highest percentage of unauthorized activity.
Along those lines, I can see some Class A's and B's being blacklisted
if they're outside the US, but what I don't want is to mess with lots
of blocks that are intermingled with foreign and potentially legit IP
space, therefore creating very large rulesets - I'd rather let F2B
handle those sources individually.
Has anybody created anything like this?
I built a blacklist based in tcpwrappers that blocked a good 90+% of
unauthorized activity. I wonder if anybody else has done this with
iptables?
How are you defining unauthorised activity? Where is your source of
unauthorised IPs going to be? If the source is external and you are
aiming for permanent bans then f2b is possibly not the best tool. There
is a site, blocklist.de, which could help you with a source of IP
addresses to block, and ipset sets with your own iptables rules are good
tools. Ipset sets scale well as there is no direct relationship
between the set size and the time taken to search it. I don't know how
this compares to TCP Wrappers. If necessary, python has a good library
which can consolidate IP addresses and subnets into the smallest
possible subnet list.
F2b is better for transient blocking and determining its own block rules.
One thing I'd like to get hold of is a reliable list of all dynamic IPs
as used by some of the email RBLs.
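The consolidation step Nick mentions, as an added example that is not code from this thread: Python's standard `ipaddress` module collapses a mix of single hosts and CIDR blocks into the smallest non-overlapping subnet list, and the result is rendered as input for `ipset restore` using a `hash:net` set so whole subnets can be members. The sample entries, the set name `blocklist` and the closing iptables rule are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample input: hosts and CIDR blocks mixed together, the way a
# hand-maintained list or a feed such as blocklist.de's might look.
SAMPLE_ENTRIES = [
    "203.0.113.0/25",
    "203.0.113.128/25",   # adjacent half: merges with the line above into a /24
    "203.0.113.77",       # already covered by that /24
    "198.51.100.0/24",
    "198.51.100.200",     # covered
    "192.0.2.10",
    "192.0.2.11",         # two adjacent hosts: merge into 192.0.2.10/31
    "10.0.0.0/8",
]


def collapse_blocklist(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse host/CIDR strings and return the smallest equivalent list of
    non-overlapping IPv4 networks, sorted. Blank lines and '#' comments are
    skipped; IPv6 entries are dropped because collapse_addresses() refuses
    to mix address families."""
    nets = []
    for raw in entries:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        net = ipaddress.ip_network(raw, strict=False)  # a bare host becomes a /32
        if net.version == 4:
            nets.append(net)
    return list(ipaddress.collapse_addresses(nets))


def ipset_restore_script(set_name: str,
                         nets: Iterable[ipaddress.IPv4Network]) -> str:
    """Render the collapsed list as 'ipset restore' input. hash:net sets accept
    subnets of any prefix length, so one entry covers a whole block."""
    lines = [f"create {set_name} hash:net family inet"]
    lines += [f"add {set_name} {n}" for n in nets]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    collapsed = collapse_blocklist(SAMPLE_ENTRIES)
    print(ipset_restore_script("blocklist", collapsed))
    # Hypothetical rule that drops packets whose source is in the set:
    print("iptables -I INPUT -m set --match-set blocklist src -j DROP")
```

Feed the printed text to `ipset -exist restore` so re-running the script against an existing set does not fail; the eight sample entries collapse to four networks (10.0.0.0/8, 192.0.2.10/31, 198.51.100.0/24, 203.0.113.0/24).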
At 04:08 PM 8/27/2019, Kenneth Porter wrote:
--On Tuesday, August 27, 2019 10:37 AM +0100 Nick Howitt
<[email protected]> wrote:
FWIW if you are trying to block all non-US, I would expect it would be a
lot more efficient to generate a US only list then block all on no match
with the following in your iptables rule:
-m set ! --match-set US-list
How would you construct that list? I suspect the values in the IPDeny
US list don't cover the rest of the space and there may be desirable
addresses in the remaining space. It would be interesting to compute
a negative list of all addresses in the full list and see what's in
there.
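Kenneth's "negative list" computed with the same standard module, as an added example that is not part of the thread: subtract an allowlist from 0.0.0.0/0 block by block with `address_exclude`, then collapse what remains, so the result is the smallest set of CIDR blocks that the negated `--match-set` rule above would actually hit. The three RFC 5737 documentation prefixes are a constructed stand-in for a country list; a real IPDeny file (one prefix per line) goes through the same function.

```python
import ipaddress
from typing import Iterable, List

# Constructed stand-in for a country allowlist such as the IPDeny US file.
SAMPLE_ALLOW = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]


def negative_list(allowed: Iterable[str],
                  universe: str = "0.0.0.0/0") -> List[ipaddress.IPv4Network]:
    """Return the smallest list of CIDR blocks covering every address in
    `universe` that is NOT in `allowed`, i.e. the complement of the allowlist.
    Because all inputs are CIDR blocks, any two either nest or are disjoint,
    so carving out each allowed block from the remainder is exact."""
    allow_nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(a, strict=False) for a in allowed))
    remaining = [ipaddress.ip_network(universe)]
    for a in allow_nets:
        carved = []
        for r in remaining:
            if a.subnet_of(r):
                # address_exclude yields the pieces of r left after removing a
                # (nothing at all when a == r)
                carved.extend(r.address_exclude(a))
            elif r.subnet_of(a):
                continue  # r lies entirely inside the allowlist: drop it
            else:
                carved.append(r)  # disjoint: keep unchanged
        remaining = carved
    return list(ipaddress.collapse_addresses(remaining))


def total_addresses(nets: Iterable[ipaddress.IPv4Network]) -> int:
    """Number of individual addresses covered by a list of networks."""
    return sum(n.num_addresses for n in nets)


def covers(nets: Iterable[ipaddress.IPv4Network], ip: str) -> bool:
    """True if the address is inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    neg = negative_list(SAMPLE_ALLOW)
    print(f"{len(neg)} blocks, {total_addresses(neg)} addresses outside the allowlist")
    for n in neg:
        print(n)
```

The address count is the quickest sanity check: it must equal 2^32 minus the size of the allowlist, and every address you care about (your own upstream, monitoring hosts, mail relays) should be tested with `covers()` before the list goes anywhere near a DROP rule. The inner loop is quadratic in the number of blocks, which is fine for a few thousand prefixes but worth replacing with a sorted walk for very large feeds.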
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users