Simple method for blocking all non-North-American traffic?
I have hardened my WP / Moodle server, added Fail2Ban, etc… But I still get so much probing and what feels like attacks from Russia, China, Indonesia, India…
Is there a simple way in Linode to block all access to a community-maintained set of bad actors? A GUI would be nice if possible, but I can work with the terminal as well. I am familiar with iptables, etc. I was just hoping for a simple, GUI-based method from Linode.
Yes, I know not all the traffic from those countries is "bad" but at this point, it's something I want to do.
Thanks!
1 Reply
You write:
Is there a simple way in Linode to block all access to a community-maintained set of bad actors?
No.
A GUI would be nice if possible, but I can work with the terminal as well. I am familiar with iptables, etc. I was just hoping for a simple, GUI-based method from Linode.
No such animal exists. I developed a system for building blacklists from publicly available internet information (countries, ASNs and IPs/subnets), but it's a big chunk of Ruby code to gather the info and consolidate it (making sure IPs are not already contained in subnets, looking for overlapping subnets and modifying entries accordingly, etc.).
Once the information was gathered and reduced, it was compiled into lists suitable for installation into an ipfilter firewall with rules for blocking ipsets.
While it works well and was pretty effective, it required a lot of care/feeding because the information sources changed. It consumed a lot of resources to run and, once completed, consumed lots of resources in kernel memory to hold the resultant ipsets.
What I suggest is the following:
- make judicious use of IPv6 (esp. for mail and ssh)…this seems to foil a lot of 'bots that try to brute-force ssh and IMAP (although this situation will change eventually);
- learn how fail2ban works and write your own rules (this will require some familiarity with Python and regular expressions)…make the ban times very long (30 days) and adjust the detect times accordingly (unfortunately, adjusting detect times is a manual process and there is no published set of "optimal" detect times).
When setting up fail2ban, make it add/delete abusers from an ipset instead of creating individual rules…this makes managing ipfilter rules fairly straightforward (they never change). Managing ipset contents is a lot easier!
If you run a web server, you can check out this guy's work and implement it accordingly: https://github.com/mitchellkrogza.
I hope this helps.
-- sw
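As an added illustration of the reply's fail2ban-plus-ipset suggestion (example code written here, not from the poster, fail2ban or Linode): a small Python model of how a jail with a custom failregex turns matched log lines into bans, and the ipset commands that a fail2ban ipset ban action runs. The jail name, thresholds, failregex and sample log lines are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Jail settings in the spirit of the reply: very long ban, generous detect window.
JAIL = {"name": "wp-login", "bantime": 30 * 24 * 3600, "findtime": 24 * 3600, "maxretry": 3}

# A fail2ban-style failregex for WordPress login attempts in an Apache access log.
# fail2ban expands the <HOST> tag to its own host pattern before compiling.
FAILREGEX = r'^<HOST> -.*"POST /wp-login\.php'
HOST_PATTERN = r'(?P<host>(?:::f{4,6}:)?[\w\-.^_]*\w)'
TS_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')

def compile_failregex(pattern):
    return re.compile(pattern.replace("<HOST>", HOST_PATTERN))

def evaluate(lines, failregex, jail):
    """Return {host: time_of_ban} for hosts with maxretry matches inside findtime."""
    rx, window = compile_failregex(failregex), timedelta(seconds=jail["findtime"])
    hits, bans = defaultdict(list), {}
    for line in lines:
        m, ts = rx.search(line), TS_RE.search(line)
        if not m or not ts or m.group("host") in bans:
            continue
        host = m.group("host")
        when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S")
        # Keep only matches still inside the detect window, then add this one.
        hits[host] = [t for t in hits[host] if when - t <= window] + [when]
        if len(hits[host]) >= jail["maxretry"]:
            bans[host] = when
    return bans

def ipset_commands(bans, jail):
    """Equivalent of fail2ban's ipset ban action: one set with self-expiring entries,
    so the single iptables rule that references the set never has to change."""
    s = f"f2b-{jail['name']}"
    return [f"ipset create {s} hash:ip timeout {jail['bantime']} -exist"] + \
           [f"ipset add {s} {h} timeout {jail['bantime']} -exist" for h in sorted(bans)]

# Constructed sample log lines (documentation-range addresses), not from a real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1234',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 1234',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "POST /wp-login.php HTTP/1.1" 200 1234',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1234',
    '198.51.100.7 - - [12/Oct/2023:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1234',
    '198.51.100.7 - - [12/Oct/2023:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234',
]
COMMANDS = ipset_commands(evaluate(SAMPLE_LOG, FAILREGEX, JAIL), JAIL)
```

Only 203.0.113.5 is banned: 198.51.100.7 also reaches three POSTs, but the first one falls outside the one-day findtime, which is the detect-time tuning the reply says has to be done by hand.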