I agree with Antonio, this is all "part of a
balanced diet" for a healthy server.
One of my beefs with traditional blacklisting is
how many rules are often needed, or how many
transactions needed to verify a host's authenticity.
Nowadays with everything cloud-based, and the
ISPs nickel and diming us with cpu power and disk
space, I like to make things as efficient as possible.
I subscribe to the "diminishing returns"
philosophy. I'd rather use a small number of
rules to block approximately 90% of the malicious
traffic, than a more comprehensive, more
resource-intensive set that only adds a few extra
percent benefit. I looked at a lot of other
blacklists out there. My first line of defense
is not using individual IP blocking rules. I
think systems like that, such as F2B, should be second or third level defense.
By the way, I hear the guy behind Login Shield is
working on two more versions. One interesting
one is called, "WebShield" which is a similar
blacklist of different types of cloud providers
(minus important search engine systems) that
basically blocks web level access from other
servers. This seems very interesting to
me. Ideally, people visiting my clients' web
sites should not be originating from rackspace or
hostgator or AWS - so why allow that IP space
access to web ports? If you need to pander to
people running VPNs your mileage may vary, but
this sounds like another interesting vector to
shut off from certain server resources. I'm hoping to beta test that soon.
I need to re-iterate what Mike is saying here
and in fact, I would argue that if one is
running an EM server without some type of SPAM +
bad actor lists, they are remiss in their admin
duties. LoginShield is one of the many
available out there with SpamHaus and Barracuda
probably being the most prevalent or at least
well known. Another awesome repo is Firehol
(<https://github.com/firehol/firehol>),
quite comprehensive, but one needs to be careful as there's
a lot to tune and therefore mess up along the way.
On Jul 8, 2020, at 9:29 AM, Mike <[email protected]> wrote:
On 7/8/20 3:29 PM, Mike wrote:
As an aside, instead of using a recidive
jail, I've been using a more permanent ban of login ports using this system
<https://github.com/dpsystems/login-shield>
This also includes logging of banned connections and some analysis reports.
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users