I share the exact same philosophy Mike…I have F2B as my "last line" in a sense with my FW and cloud infosec devices taking the brunt of the attack at the border…and of course, both border devices are running some mix of auto-maintained and updated blacklists.
Also, not sure what others may do, but I also run all email through a battery of SpamHaus and Barracuda lists…probably nothing more than a quick sanity check for the low-hanging fruit out there…

> On Jul 8, 2020, at 10:47 AM, Mike <t...@rohms.com> wrote:
>
> I agree with Antonio, this is all "part of a balanced diet" for a healthy server.
>
> One of my beefs with traditional blacklisting is how many rules are often needed, or how many transactions are needed to verify a host's authenticity.
>
> Nowadays with everything cloud-based, and the ISPs nickel-and-diming us with CPU power and disk space, I like to make things as efficient as possible.
>
> I subscribe to the "diminishing returns" philosophy. I'd rather use a small number of rules to block approximately 90% of the malicious traffic than a more comprehensive, more resource-intensive set that only adds a few extra percent benefit. I looked at a lot of other blacklists out there. My first line of defense is not using individual IP blocking rules. I think systems like that, such as F2B, should be second- or third-level defense.
>
> By the way, I hear the guy behind Login Shield is working on two more versions. One interesting one is called "WebShield", which is a similar blacklist of different types of cloud providers (minus important search engine systems) that basically blocks web-level access from other servers. This seems very interesting to me. Ideally, people visiting my clients' web sites should not be originating from Rackspace or HostGator or AWS, so why allow that IP space access to web ports? If you need to pander to people running VPNs your mileage may vary, but this sounds like another interesting vector to shut off from certain server resources. I'm hoping to beta test that soon.
>
>> I need to reiterate what Mike is saying here and in fact, I would argue that if one is running an EM server without some type of SPAM + bad actor lists, they are remiss in their admin duties. LoginShield is one of the many available out there, with SpamHaus and Barracuda probably being the most prevalent or at least well known. Another awesome repo is Firehol (https://github.com/firehol/firehol), quite comprehensive, but one needs to be careful as there's a lot to tune and therefore mess up along the way.
>>
>>> On Jul 8, 2020, at 9:29 AM, Mike <t...@rohms.com> wrote:
>>>
>>>> On 7/8/20 3:29 PM, Mike wrote:
>>>>>
>>>>> As an aside, instead of using a recidive jail, I've been using a more permanent ban of login ports using this system
>>>>>
>>>>> https://github.com/dpsystems/login-shield
>>>>>
>>>>> This also includes logging of banned connections and some analysis reports.
>
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
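The "WebShield" idea Mike describes above (block cloud-provider address space from the web ports, but leave search-engine crawlers reachable) can be done today with nothing more than a provider's published prefix list and an nftables interval set. The following is an added example written for this thread; it is not code from Login Shield, WebShield, or fail2ban. The JSON sample mimics the layout of AWS's public ip-ranges.json (keys `prefixes`, `ip_prefix`, `service`) but is constructed from RFC 5737 documentation prefixes, and the crawler allowlist range is a placeholder assumption, not a real crawler range. The carve-out step is the part worth getting right: a crawler range that sits inside a provider block must punch a hole in it rather than be dropped on the floor.

```python
"""Build a web-port blocklist from a cloud provider's published prefixes,
carve out allowlisted crawler ranges, and render an nftables ruleset."""
import ipaddress
import json
from typing import Iterable, List

# Constructed sample in the layout of AWS's ip-ranges.json. The prefixes are
# RFC 5737 documentation ranges, not real provider space.
SAMPLE_RANGES_JSON = json.dumps({
    "syncToken": "0",
    "createDate": "2020-07-08-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/25",     "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.128/25",   "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24",  "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24",   "region": "us-west-2", "service": "S3"},
    ],
    "ipv6_prefixes": [],
})

# Assumed allowlist: a placeholder "search engine crawler" range that happens
# to live inside one of the provider blocks above.
CRAWLER_ALLOW = ["198.51.100.64/26"]

Net = ipaddress.IPv4Network


def load_prefixes(raw: str, services=("EC2",)) -> List[Net]:
    """Pull the IPv4 prefixes for the named services (compute, not storage)."""
    data = json.loads(raw)
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"] if p["service"] in services]


def collapse(nets: Iterable[Net]) -> List[Net]:
    """Merge adjacent/overlapping prefixes so the kernel set stays small."""
    return list(ipaddress.collapse_addresses(nets))


def carve_out(block: List[Net], allow: List[Net]) -> List[Net]:
    """Remove allowlisted ranges from the block list, splitting where needed."""
    result: List[Net] = []
    for net in block:
        pieces = [net]
        for a in allow:
            next_pieces = []
            for p in pieces:
                if a.supernet_of(p):        # whole piece is allowlisted: drop it
                    continue
                if a.subnet_of(p):          # allowlist sits inside: punch a hole
                    next_pieces.extend(p.address_exclude(a))
                else:                       # disjoint: keep as-is
                    next_pieces.append(p)
            pieces = next_pieces
        result.extend(pieces)
    return collapse(result)


def build_blocklist(raw: str, allow: Iterable[str]) -> List[Net]:
    cloud = collapse(load_prefixes(raw))
    return carve_out(cloud, [ipaddress.ip_network(a) for a in allow])


def is_blocked(ip: str, blocklist: List[Net]) -> bool:
    """Offline check a practitioner can run before pushing the set live."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in blocklist)


def render_nft(blocklist: List[Net], ports=(80, 443), table="webshield") -> str:
    """Emit an nftables script: interval set + drop rule on the web ports."""
    elems = ", ".join(str(n) for n in blocklist)
    portlist = ", ".join(str(p) for p in ports)
    return (
        f"table inet {table} {{\n"
        f"  set cloud_v4 {{\n"
        f"    type ipv4_addr\n"
        f"    flags interval\n"
        f"    elements = {{ {elems} }}\n"
        f"  }}\n"
        f"  chain input {{\n"
        f"    type filter hook input priority 0; policy accept;\n"
        f"    ip saddr @cloud_v4 tcp dport {{ {portlist} }} counter drop\n"
        f"  }}\n"
        f"}}\n"
    )


if __name__ == "__main__":
    bl = build_blocklist(SAMPLE_RANGES_JSON, CRAWLER_ALLOW)
    for probe in ("192.0.2.200", "198.51.100.70", "198.51.100.200", "203.0.113.5"):
        print(probe, "blocked" if is_blocked(probe, bl) else "allowed")
    print(render_nft(bl))
```

Feed the output to `nft -f -` on the host. Two caveats that follow from the thread: this only replaces the first line of defense Mike describes (a handful of broad rules), so keep the per-IP layer such as fail2ban behind it; and because provider lists change, regenerate the set from a fresh copy of the published file on a schedule rather than baking it into the ruleset once.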