On 2/26/20, Gene Heskett <ghesk...@shentel.net> wrote:
> On Wednesday 26 February 2020 16:00:35 to...@tuxteam.de wrote:
>
>> On Wed, Feb 26, 2020 at 09:54:09PM +0300, Reco wrote:
>> >    Hi.
>> >
>> > On Wed, Feb 26, 2020 at 01:50:40PM -0500, Lee wrote:
>>
>> [...]
>>
>> > > Have you considered REJECT instead of DROP?
>> >
>> > A neat idea for your LAN. A bad idea in this case.
>>
>> Exactly.
>>
>> > You *want* that other side to retry, wasting their time instead of
>> > spamming their target. In fact, one should consider using TARPIT
>> > instead of a DROP here.
>
> My copy of iptables-extensions makes zero mention of TARPIT.
>
>> Moreover: you don't want the other side to even know that you're
>> there. The less info you give away the better.
>
> My reasoning too.

You're advertising your web server in your sig.  The "other side"
ALREADY KNOWS you have a web server there.

If you're going to advertise your presence on the web it seems
pointless to pretend that you're not there.  And the bots you'd be
REJECTing are the ones that have ignored your robots.txt file, so why
not just tell them to go away instead of putting up with their
retries?

> I'd much druther be a black hole that doesn't even have
> any Hawking Radiation. But I've no info that such a beast exists
> anyplace in the universe. There is info in the fact of there not being
> any response.
>>
>> In a LAN, however, REJECT is far better: you want the other side
>> to know that you're there, but not talking.
>
> I'd call this a WAN since its intended to go out on the internet.
> And I am the only user inside this LAN.
>
> In that event, and given that a /24 rule caught them, how many out of
> that /24 get the reject message?

However many hit the REJECT rule.  The iptables rule is going to send
a RST to anything in that /24 that tries to access your server.  The other
hosts in that /24 that aren't trying to access your server won't get
anything from you.

Regards,
Lee
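As an added illustration of the DROP-versus-REJECT choice discussed in this thread (this is example code, not something posted by any participant): the script below builds the two kinds of INPUT rule for a whole /24 and lists the rule counters. Note that a plain `-j REJECT` answers with ICMP port-unreachable; a TCP RST only goes out with `--reject-with tcp-reset`. The subnet 203.0.113.0/24, the port list 80,443 and the `IPT` variable (set `IPT=echo` to print the rules instead of applying them) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: block one /24 that ignored robots.txt,
# either silently (DROP) or with an explicit TCP reset (REJECT).
# Set IPT=echo to print the rules instead of applying them; applying them
# needs root.  203.0.113.0/24 is a documentation range used as constructed input.

IPT="${IPT:-iptables}"

# block_subnet CIDR MODE   (MODE is "drop" or "reject")
block_subnet() {
    net="$1"
    mode="$2"
    case "$mode" in
        drop)
            # Silent: the other side sees nothing and keeps retrying until
            # its own connect timeout expires.
            "$IPT" -I INPUT -s "$net" -p tcp -m multiport --dports 80,443 -j DROP
            ;;
        reject)
            # A bare -j REJECT sends ICMP port-unreachable.  tcp-reset sends a
            # RST, which makes a TCP client give up immediately instead of retrying.
            "$IPT" -I INPUT -s "$net" -p tcp -m multiport --dports 80,443 \
                -j REJECT --reject-with tcp-reset
            ;;
        *)
            echo "usage: block_subnet CIDR drop|reject" >&2
            return 1
            ;;
    esac
}

# Per-rule packet/byte counters show how much of the /24 actually tripped the
# rule: only hosts that connect hit it, the rest of the /24 never sees a reply.
show_hits() {
    "$IPT" -L INPUT -v -n --line-numbers
}

# Usage (as root): block_subnet 203.0.113.0/24 reject; show_hits
```

Watch the counters with `show_hits` after adding a rule: the packet count on the REJECT line is the number of connection attempts that were answered with a RST, which is the practical answer to "how many out of that /24 get the reject message".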
