Hi Conrad,
On Mon, Nov 11, 2019 at 11:30:50AM +0000, Conrad Wood wrote:
I use a combination of fail2ban and some hooks in my
software to build
up a blacklist of IPs over time.
At the moment I am also using Fail2Ban for SSH attackers and
dictionary attacks against a few different web apps.
Last time we talked about this on the list people suggested I use
multiple different jails with much longer ban times for repeat
offenders, so I started doing that too.
I currently null route them rather than firewall them but that's
much of a muchness.
http://strugglers.net/~andy/blog/2019/09/04/fail2ban-iptables-and-config-ma…
That is happening on each host (and even on each of BitFolk's own
guests) without sharing the bans. I've often thought about sharing
some sort of database.
My question is if it's feasible to have a
bitfolk-hosted blacklist of
IPs. If we were all to report our probes and scans into a (to-be-build)
bitfolk system, we'd probably protect each other more quickly and
effectively.
…so when I start thinking about sharing some sort of database, my
next thought is, "could the customers contribute to and benefit from
that as well?" It's been on my mind from time to time!
Of course I am not certain if that's an option,
(e.g. not sure if the
inbound routers are powerful enough)
I'm not really worried about load of it. It's probably beneficial to
drop a packet rather than have it go through the router, through the
hypervisor, into the guest, be logged as objectionable, do all that
again and be dropped in the guest's firewall.
My major concern is how to prevent customers (and me) from
accidentally or maliciously blocking too many things for everyone
else. Do you have any ideas?
After that, my lesser concerns are around how much work this would
be:
- Presumably it is going to need some sort of REST API for
submission and querying.
- As the ban actions would be happening in a device that you don't
have control of, possibly there would need to be reporting of the
packets that have hit the ban for you in particular. Otherwise any
time anything network-wise goes wrong, you're going to be in the
dark about whether it's down to this.
- This doesn't sound like a service that people would pay for, or
even be so impressed by that it would influence a purchasing
decision. That doesn't stop me from considering improvements like
this but it does mean that it would happen at the expense of
something else that needs doing.
Copping out and just making a blocklist that people can choose to
use themselves or not seems easier: at least they can see themselves
what they are dropping. But then it's questionable if there is any
value to that beyond just using existing blocklists.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting