[plug] 21nails and exim4

Brad Campbell brad at fnarfbargle.com
Sun May 9 19:57:13 AWST 2021


On 9/5/21 8:00 am, William Kenworthy wrote:
> Hi Brad,
> 
> I am finding firewalling in general is a big pain these days and getting
> less and less useful because of phones and IoT devices.  I have found
> that the longer you run F2B the rate of probes drops a lot but you
> only need to appear on the Internet for a few probes and the cycle starts
> again :(  I do suspect they randomly throw packets at every possible
> internet address waiting for a host to appear so it can receive
> attention.  To me the value of F2B is that once it triggers, I am
> invisible to and have nothing to do with that host for a considerable time.

Yeah, minimising the attack surface seems to be the best approach, but it obviously has limits when you want to be accessible to the world.

I still run "iptables -m recent" based "port knocking" on ssh locally, and use the recent match to drop smtp servers that get too friendly. Both of those have been effective, but laying fail2ban on top has been an interesting exercise.

I run a VPS/Container over East that is OpenVZ based, and a while back the admins broke / reconfigured iptables such that the recent match (or in fact anything reliant on conntrack) doesn't work inside the container anymore, so I decided to give fail2ban a go. It does ok, but it's more of a sledge hammer than a scalpel. I've avoided installing it for years, but it was easy enough to set up to get the basics working (I only needed it for exim).
> Setting F2B to be on a hair trigger and significantly increasing the ban and
> especially the recidive ban times helps - at least during the ban times
> they can't get anything useful.  I am also using ipset ban lists from
> "firehol", feeding F2B as well, to increase the coverage.  The problem is, as
> with any reactive setup it takes maintenance with white and blacklists
> and you get an occasional self-DOS.
> 
> I don't do anything with ipv6 (just blackhole everything coming in/out)
> - can anyone comment if it's better or worse than ipv4?

IPv6 has been on my to-do list for quite a while, but I really want to transition to nftables before I switch that on anywhere.

Regards,
Brad
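As an added illustration of the two techniques this message mentions (it is example code written for this page, not Brad's or William's actual ruleset and not anything from the exim or fail2ban projects): "iptables -m recent" rules for knock-to-open ssh and for dropping SMTP peers that get too friendly, plus a fail2ban jail.local with a hair-trigger exim jail and a long recidive ban. Everything concrete in it is an assumption: the WAN interface eth0, the knock ports 7000 and 8000, the list names K1/K2/SMTP, the windows and hit counts, the Debian-style exim log path, and 203.0.113.0/24 (a documentation range) standing in for your own networks.

```shell
#!/bin/sh
# Added example, not Brad's or William's actual configuration.  Two
# "iptables -m recent" rule sets of the kind the thread describes plus a
# fail2ban jail.local.  Assumptions (hypothetical): WAN interface eth0, knock
# ports 7000 then 8000, ssh on 22, smtp on 25, IPv4 only, Debian exim log path.
# Run with IPT=echo for a dry run that only prints the rules.
set -eu

IPT=${IPT:-iptables}
WAN=${WAN:-eth0}
KNOCK1=${KNOCK1:-7000}
KNOCK2=${KNOCK2:-8000}
KNOCK_WINDOW=${KNOCK_WINDOW:-10}  # seconds allowed between the two knocks
OPEN_WINDOW=${OPEN_WINDOW:-30}    # seconds ssh stays open after the second knock
SMTP_HITS=${SMTP_HITS:-8}         # SYNs per source ...
SMTP_SECS=${SMTP_SECS:-600}       # ... within this window before it is dropped

# Knock-to-open ssh.  Only SYNs are inspected and established segments are let
# through statelessly, so nothing here depends on conntrack (the thing that
# broke in the container).  Append these before any catch-all DROP.
knock_rules() {
  # Stage 1: a SYN on KNOCK1 records the source in list K1 and is dropped.
  $IPT -A INPUT -i "$WAN" -p tcp --syn --dport "$KNOCK1" \
       -m recent --name K1 --set -j DROP
  # Stage 2: a SYN on KNOCK2 from a source seen in K1 within KNOCK_WINDOW
  # seconds moves it from K1 to K2 (a chain, so one rule can remove and set).
  # Any other SYN on KNOCK2 clears K1 and is dropped, so an out-of-order or
  # repeated scan of the knock ports never progresses.
  $IPT -N KNOCK2_OK
  $IPT -A KNOCK2_OK -m recent --name K1 --remove
  $IPT -A KNOCK2_OK -m recent --name K2 --set -j DROP
  $IPT -A INPUT -i "$WAN" -p tcp --syn --dport "$KNOCK2" \
       -m recent --name K1 --rcheck --seconds "$KNOCK_WINDOW" -j KNOCK2_OK
  $IPT -A INPUT -i "$WAN" -p tcp --syn --dport "$KNOCK2" -m recent --name K1 --remove
  $IPT -A INPUT -i "$WAN" -p tcp --dport "$KNOCK2" -j DROP
  # Open: a SYN on 22 from a source seen in K2 within OPEN_WINDOW is accepted,
  # every other SYN on 22 is dropped, non-SYN segments (live sessions) pass.
  $IPT -A INPUT -i "$WAN" -p tcp --syn --dport 22 \
       -m recent --name K2 --rcheck --seconds "$OPEN_WINDOW" -j ACCEPT
  $IPT -A INPUT -i "$WAN" -p tcp --syn --dport 22 -j DROP
  $IPT -A INPUT -i "$WAN" -p tcp ! --syn --dport 22 -j ACCEPT
}

# SMTP: a peer may open SMTP_HITS connections in SMTP_SECS seconds; beyond that
# its SYNs are dropped.  --update refreshes the timestamp on every hit, so a
# sender that keeps retrying stays dropped until it has been quiet for
# SMTP_SECS (use --rcheck instead for a fixed window).  xt_recent keeps at most
# ip_pkt_list_tot (default 20) timestamps per address, so keep SMTP_HITS <= 20.
smtp_rules() {
  $IPT -A INPUT -i "$WAN" -p tcp --syn --dport 25 -m recent --name SMTP \
       --update --seconds "$SMTP_SECS" --hitcount "$SMTP_HITS" -j DROP
  $IPT -A INPUT -i "$WAN" -p tcp --syn --dport 25 -m recent --name SMTP \
       --set -j ACCEPT
}

# A list can be inspected here; "echo -<addr> > /proc/net/xt_recent/<list>"
# removes one address (useful after a self-DOS).
show_recent() { cat "/proc/net/xt_recent/$1"; }

# fail2ban jail.local: hair trigger on exim, long recidive ban (all ports).
# ignoreip guards against banning yourself; 203.0.113.0/24 is a documentation
# range standing in for your own networks.
fail2ban_jail() {
  cat <<'EOF'
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 203.0.113.0/24
bantime  = 1d
findtime = 10m
maxretry = 2

[exim]
enabled  = true
logpath  = /var/log/exim4/mainlog

[recidive]
enabled  = true
logpath  = /var/log/fail2ban.log
findtime = 1d
maxretry = 3
bantime  = 4w
EOF
}

case "${1:-}" in
  apply) knock_rules; smtp_rules ;;
  show)  show_recent "${2:-K2}" ;;
  jail)  fail2ban_jail ;;
  *)     echo "usage: $0 apply | show [LIST] | jail" >&2 ;;
esac
```

The knock sequence and the SMTP limit are both built purely on xt_recent and the SYN flag, which is why they keep working on a host where conntrack is unavailable; the price is that the final "! --syn ACCEPT" rule is stateless, so it should be paired with a default DROP policy and the usual ssh hardening rather than treated as the only gate.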

