One problem would be that these unwanted IPs change and you could be
blocking the puppet not the puppet-master.
One system I have been using is to put SSH on an alternative port. When any
IP queries port 22, it is added to a blacklist set with a fixed timeout.
Every time that IP visits any port, its timeout is reset to the original
value. Bit like fail2ban does. By experiment I have found a day in the
sinbin is about the right balance. A couple of lines or so of code does it.
My thinking was nobody has any legit reason for visiting port 22, and if
they are up to no good there then they are probably up to no good
elsewhere. I added port 23 to the rule as well.
On Mon, 11 Nov 2019 at 12:29, Chris Smith via users <users(a)lists.bitfolk.com>
wrote:
On 11 Nov 2019, at 12:01, Conrad Wood <cnw(a)conradwood.net> wrote:
On Mon, 2019-11-11 at 11:54 +0000, Chris Smith wrote:
It occurs to me though that these mechanisms would be an obvious
vector for a DOS attack, by maliciously blacklisting harmless IP
blocks. I don’t know what measures (if any) denyhosts has taken to
prevent that.
I should have mentioned that I do use some community lists too. The
main point though I was attempting to convey was that I would consider
it beneficial if the blocking was done on a router upstream from the
VPS rather on the VPS itself.
Then my point is perhaps even more valid, and also raises questions about
unwanted censorship. How would I opt out if I needed to? Perhaps I want
to analyse such traffic, or use it to test my own protection software. One
man’s scat is another man’s fetish. This seems to me far too problematic
for what little benefit there is.
Chris
—
Chris Smith <space.dandy(a)icloud.com>
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
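The "sin-bin" described in the first message, written out with ipset and iptables as an added example; this is not the poster's own couple of lines. It assumes ipset and iptables are installed and the script runs as root, that the real sshd already listens on some other port, and that the allowlist range 203.0.113.0/24 is a placeholder for your own management addresses. The set has a fixed timeout of one day; the `--exist` flag on the SET target is what resets an existing entry's timeout whenever the trapped IP touches any port, and the new-connection match on ports 22 and 23 is the trap itself. `DRY_RUN=1` (the default) only prints the commands so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Assumptions: ipset + iptables present, run as root, sshd listening on a
# non-22 port, ADMIN_NETS replaced with your own addresses (placeholder below).
SET_NAME="${SET_NAME:-ssh_sinbin}"       # hash:ip set with per-entry timeout
ALLOW_SET="${ALLOW_SET:-ssh_admins}"     # management addresses never trapped
TRAP_PORTS="${TRAP_PORTS:-22,23}"        # ports nobody legit should touch
SINBIN_SECS="${SINBIN_SECS:-86400}"      # one day, as the message found useful
ADMIN_NETS="${ADMIN_NETS:-203.0.113.0/24}"  # placeholder documentation range
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print commands, 0 = apply them

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Build the sets and a dedicated SINBIN chain, then hook it into INPUT.
sinbin_rules() {
  # Sets are created idempotently (-exist); timeout is the default per entry.
  run ipset create "$SET_NAME" hash:ip timeout "$SINBIN_SECS" -exist
  run ipset create "$ALLOW_SET" hash:net -exist
  for net in $ADMIN_NETS; do
    run ipset add "$ALLOW_SET" "$net" -exist
  done

  # Own chain so RETURN means "carry on with the rest of INPUT".
  run iptables -N SINBIN 2>/dev/null || true
  run iptables -F SINBIN

  # 1. Management addresses are never trapped or dropped.
  run iptables -A SINBIN -m set --match-set "$ALLOW_SET" src -j RETURN

  # 2. Anything from a sin-binned IP, to any port: refresh its timeout
  #    (--exist resets the entry's timer), then drop the packet.
  run iptables -A SINBIN -m set --match-set "$SET_NAME" src \
      -j SET --add-set "$SET_NAME" src --exist
  run iptables -A SINBIN -m set --match-set "$SET_NAME" src -j DROP

  # 3. A new connection to a trap port puts the source in the set, then drops.
  run iptables -A SINBIN -p tcp -m multiport --dports "$TRAP_PORTS" \
      -m conntrack --ctstate NEW -j SET --add-set "$SET_NAME" src --exist
  run iptables -A SINBIN -p tcp -m multiport --dports "$TRAP_PORTS" -j DROP

  # Re-insert the jump at the top of INPUT (delete first so reruns stay idempotent).
  run iptables -D INPUT -j SINBIN 2>/dev/null || true
  run iptables -I INPUT 1 -j SINBIN
}

sinbin_rules
```

One caveat worth keeping in mind alongside the DoS point raised later in the thread: the trap fires on a conntrack NEW match, which a single SYN satisfies, so a spoofed SYN can put a third party's address in the set for a day. The allowlist chain keeps the operator from locking themselves out, and `ipset list ssh_sinbin` shows what is currently sin-binned and how long each entry has left.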