On 19-Apr-18 02:46, Stephen J. Turnbull wrote:
> So here's my problem. A lot of my constituency resides in CN,
> occasionally including people at frequently problematic domains like
> 163.com. Do you know any resources (or keywords to start googling
> even!) at subnational levels? KR and CN breakdowns would be most
> useful to me; breakdowns for RU and former USSR would be appreciated
> by many of my colleagues.
>

I'm not sure what you are looking for.

Blocking by geography is a very crude tool - it turns out to be useful in that many hosts serve limited geographies, and it's pretty easy to identify countries that generate a lot of "bad" traffic. E.g. RU & CN are widely believed to support intrusions by (pseudo/)government actors, and rarely prosecute.

As you discovered, below that level, you need to use other tools.

There are a number of geolocating services that attempt to turn IP addresses into specific locations; for example MaxMind offers a series of databases of increasing precision for increasing prices (starting with free). You can use these databases with your webserver (e.g. Apache mod_geoip) and name server (BIND for sure). There is also a GeoIP module for iptables. (I use (and maintain) BlockCountries because it is more flexible and easier to use. YMMV).

But the problem is that unless you know exactly where your users (and potential users) are located, this won't help. Do you have a list of cities? Streets? I don't think that the criminal element has easily identifiable geographies.

What you probably want is to identify the specific bad actors; for that the Spamhaus and other "block lists" ("RBL") are helpful. Most of these are distributed via DNS - which means that they aren't practical for firewalls. You can configure your email server (e.g. sendmail/postfix) to use them. But this happens inside your firewall. These lists are fairly well curated, but certainly aren't perfect.

As previously noted, fail2ban is one reactive means of dealing with these - it reads log files and dynamically blocks IP addresses that generate errors. It can be resource intensive, especially if you want a reasonably fast reaction time. And specifying bad behavior is somewhat of an art.

One option is to provide a website for registering your users, then allow them access via some convenient token. A Captcha will help to reduce fraudulent registrations. E.g., if they have a static IP address, register that.
Or provide a VPN (with just your web or email server as an endpoint). Or use X.509 client authentication - note that you can use this with your mailserver. For this purpose, you want your own CA for X.509. You can revoke abused tokens. If your community is small (or willing to pay), you can look at hardware tokens, such as a yubikey.

That will work if you have a reasonably sized community - and people really want to use your service. However, if you're trying to attract people who don't know if they are interested, the cost of connecting with you would probably turn many away.

It's a balancing act, and your business (community, etc) needs will determine what is best for you.

Note that I'm not exclusively endorsing any of the products/services mentioned - there are alternatives, and you need to evaluate what each offers against your needs.

Unfortunately, there's no universal answer.

Good luck.

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
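
Added example, not part of the original message: how a DNS-distributed block list is consulted, one lookup per connecting address, which is why these lists sit in the mail server rather than in firewall rules. The zone name dnsbl.example and the sample answers are constructed placeholders; treating 127.255.255.0/24 as an error range follows Spamhaus's convention and is an assumption for other lists.

```python
import ipaddress
import socket

DNSBL_NET = ipaddress.ip_network("127.0.0.0/8")       # range used for list answers
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus error codes (assumed for other lists)

def dnsbl_query_name(ip, zone):
    """Reverse the address (octets for IPv4, nibbles for IPv6) and append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def system_resolver(name):
    """A-record lookup via the OS resolver; None on NXDOMAIN or lookup failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return None

def check_dnsbl(ip, zone, resolve=system_resolver):
    """Return (status, answers); status is 'listed', 'clean' or 'error'."""
    answers = resolve(dnsbl_query_name(ip, zone)) or []
    if not answers:
        return "clean", []
    codes = [ipaddress.ip_address(a) for a in answers]
    # An answer outside 127.0.0.0/8 is not a list answer (for example a
    # resolver that rewrites NXDOMAIN), and the error range means the list
    # refused the query. Neither may be treated as a listing.
    if any(c not in DNSBL_NET or c in ERROR_NET for c in codes):
        return "error", answers
    return "listed", answers

# Constructed sample zone data: documentation addresses, placeholder zone.
SAMPLE_ZONE = {
    "99.2.0.192.dnsbl.example": ["127.0.0.2"],
    "7.2.0.192.dnsbl.example": ["127.255.255.254"],
    "8.2.0.192.dnsbl.example": ["203.0.113.10"],
}

if __name__ == "__main__":
    for ip in ("192.0.2.99", "192.0.2.1", "192.0.2.7", "192.0.2.8"):
        print(ip, check_dnsbl(ip, "dnsbl.example", SAMPLE_ZONE.get))
```

The default resolver cannot tell NXDOMAIN from a lookup failure, so a DNS outage reads as "clean"; a mail server that should defer instead needs a resolver that reports the difference.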