On 07/25/2017 07:54 AM, mj wrote:
> Since we implemented country blocking,

Please don't do that. Balkanizing the Internet doesn't really benefit anyone, and makes innovation a lot more difficult. Instead, take a look at the fail2ban scenarios in this thread, which solve the actual problem with a precision tool, instead of a hammer.

Doug
Hi Doug,

On 07/29/2017 07:44 PM, Doug Barton wrote:
> Instead, take a look at the fail2ban scenarios in this thread, which
> solve the actual problem with a precision tool, instead of a hammer.

I have implemented (most of) those as well, and additionally choose to also block certain countries. It helps tremendously.

MJ
On 07/29/2017 07:44 PM, Doug Barton wrote:
> On 07/25/2017 07:54 AM, mj wrote:
>> Since we implemented country blocking,
>
> Please don't do that. Balkanizing the Internet doesn't really benefit
> anyone, and makes innovation a lot more difficult.

Perhaps I need to be more specific: I block certain countries from accessing imap/smtp directly, as that is where all the botnets seem to be trying their passwords. I do not block entire countries from accessing us completely (the hammer), but rather block their access to imap and smtp on my mailserver. (This is what I like to see as a precision tool.)

For the record, I improved my iptables rules a lot compared to the mail you replied to. I am now using a chain, like this:

> $IPTABLES -N filter_countries
> $IPTABLES -A filter_countries -m geoip --src-cc CN,AG,MX,etc -j DROP
> $IPTABLES -A filter_countries -m geoip --src-cc MD,SD,SS,etc -j DROP

and then:

> $IPTABLES -I INPUT 1 -p tcp --dport 143 -j filter_countries
> $IPTABLES -I INPUT 1 -p tcp --dport 993 -j filter_countries
> $IPTABLES -I INPUT 1 -p tcp --dport 465 -j filter_countries

This makes it a lot more efficient, compared to the (many) rules I was using earlier.

MJ
At a bare minimum, do the same blocking for AWS. The jq program mentioned on the page works great.

http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html

I block the cloud services as they hack me. There aren't many left that I haven't seen. Sadly my VPS, Digital Ocean, has an email hacker that I just can't get DO to shut down. I assure you I'm costing them plenty in tech support. You can do a search on stretchoid.com if you want to learn more about the offender.

I have an additional list of EDU ip addresses that probably are doing research, but won't let me opt out.

bgp.he.net is one way to get IP space listings.

-------- Original Message --------
From: lists at merit.unu.edu
Sent: July 29, 2017 11:39 AM
To: dovecot at dovecot.org
Subject: Re: under another kind of attack
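The post above points at the AWS ip-ranges.json document and the jq one-liner from that page. As an added example (not the poster's script, and not code from AWS), the following Python does the same job offline: it reads a document in the shape AWS publishes (prefixes[].ip_prefix, ipv6_prefixes[].ipv6_prefix, each tagged with service and region), keeps the services you choose, collapses overlapping networks, and emits a filter chain in the same style as the filter_countries chain earlier in the thread. The JSON below is a constructed sample using documentation address ranges, not real AWS data; the chain name filter_clouds and the choice of services are assumptions.

```python
"""Render AWS ip-ranges.json into an iptables/ip6tables filter chain.

Added example, not code from the mailing-list thread or from AWS.
"""
import ipaddress
import json

# Constructed sample in the shape of the real ip-ranges.json (not real AWS data).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2017-07-29-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "EC2"},
    ],
})


def load_prefixes(doc, services=("EC2",)):
    """Return (v4, v6): sorted, de-duplicated prefix strings for the given services.

    Only the listed services are kept; EC2 is the default because that is
    where customer-run hosts (and therefore brute-force bots) live.
    """
    data = json.loads(doc)
    v4, v6 = set(), set()
    for p in data.get("prefixes", []):
        if p["service"] in services:
            v4.add(ipaddress.ip_network(p["ip_prefix"]))
    for p in data.get("ipv6_prefixes", []):
        if p["service"] in services:
            v6.add(ipaddress.ip_network(p["ipv6_prefix"]))
    # collapse_addresses merges adjacent and contained networks so the chain stays short.
    return ([str(n) for n in ipaddress.collapse_addresses(v4)],
            [str(n) for n in ipaddress.collapse_addresses(v6)])


def render_rules(v4, v6, chain="filter_clouds", ports=(143, 993, 465)):
    """Emit shell lines that build a DROP chain and hook it in front of the mail ports.

    Mirrors the filter_countries pattern from the thread: one chain, one jump
    per protected port, so a prefix update only touches the chain itself.
    """
    lines = [f"iptables -N {chain}", f"ip6tables -N {chain}"]
    lines += [f"iptables -A {chain} -s {n} -j DROP" for n in v4]
    lines += [f"ip6tables -A {chain} -s {n} -j DROP" for n in v6]
    for port in ports:
        lines.append(f"iptables -I INPUT 1 -p tcp --dport {port} -j {chain}")
        lines.append(f"ip6tables -I INPUT 1 -p tcp --dport {port} -j {chain}")
    return lines


if __name__ == "__main__":
    v4, v6 = load_prefixes(SAMPLE_IP_RANGES)
    print("\n".join(render_rules(v4, v6)))
```

For the real document (thousands of prefixes) a per-prefix rule chain gets long; loading the same prefix list into an ipset of type hash:net and matching it with a single -m set rule is the usual way to keep lookups cheap. The JSON feed changes frequently, so regenerate and reload the chain (or set) on a schedule rather than once.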
On 29.07.2017 at 20:29, mj wrote:
> Hi Doug,
>
> On 07/29/2017 07:44 PM, Doug Barton wrote:
>> Instead, take a look at the fail2ban scenarios in this thread, which
>> solve the actual problem with a precision tool, instead of a hammer.
>
> I have implemented (most of) those as well, and additionally choose to
> also block certain countries. It helps tremendously.
>
> MJ

You can only use strict geoip blocking as long as your users do not travel, so this is not a solution in most cases. But you can use geoip in an "anomaly filter" which compares more information, i.e. a user was recently logged in from Germany, so normally he doesn't want to be logged in from China at the same time; additionally, count bad logins using some magic formula and he will be blocked automatically, etc. This will prevent hacking and abused accounts too.

Best Regards
Kind regards
Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
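The "anomaly filter" Robert describes, as an added example that is not part of his post or of Dovecot: a small detector run over imap-login log lines that raises an alert when one user logs in successfully from two different countries within a short window, and a second alert when an address accumulates too many failed attempts. The log lines are constructed to follow Dovecot's imap-login message format; the prefix-to-country table is a stand-in for a GeoIP database (not real geolocation data), and the one-hour window and the threshold of five failures are assumed parameters, not a formula from the post.

```python
"""Geo-velocity and failed-login anomaly detection over Dovecot imap-login lines.

Added example, not code from the mailing-list thread or from Dovecot.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed stand-in for a GeoIP database: prefix -> ISO country code.
# Documentation ranges only; this is not real geolocation data.
GEOIP_TABLE = {
    "203.0.113.0/24": "DE",
    "198.51.100.0/24": "CN",
    "192.0.2.0/24": "US",
}

# Constructed sample log lines in Dovecot's imap-login format.
SAMPLE_LOG = [
    "Jul 29 20:01:10 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5, mpid=1234, TLS, session=<a1>",
    "Jul 29 20:15:42 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.5, mpid=1235, TLS, session=<a2>",
    "Jul 29 20:16:00 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<alice>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.5, TLS, session=<a3>",
    "Jul 29 20:16:30 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<carol>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.5, TLS, session=<a4>",
    "Jul 29 20:17:00 mail dovecot: auth: Debug: unrelated line that the parser must skip",
    "Jul 29 23:40:00 mail dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=192.0.2.20, lip=10.0.0.5, mpid=1240, TLS, session=<a5>",
    "Jul 30 01:05:00 mail dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=203.0.113.8, lip=10.0.0.5, mpid=1241, TLS, session=<a6>",
]

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
    r"(?P<event>Login|Disconnected \(auth failed, (?P<attempts>\d+) attempts in \d+ secs\)): "
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def country_of(ip):
    """Longest-match lookup in the stand-in table; '??' when unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, cc in GEOIP_TABLE.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, cc)
    return best[1] if best else "??"


def parse_line(line, year=2017):
    """Return a dict for a login or auth-failure line, or None for anything else."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "rip": m["rip"],
            "ok": m["event"] == "Login", "attempts": int(m["attempts"] or 0)}


def detect(lines, window=timedelta(hours=1), fail_threshold=5):
    """Return (user, rip, reason) alerts.

    Geo-velocity: a successful login from a country different from the
    user's previous successful login, within `window`, is flagged.
    Brute force: the first time an address crosses `fail_threshold`
    cumulative failed attempts (summed across users) it is flagged once.
    """
    alerts = []
    last_ok = {}   # user -> (timestamp, country) of most recent successful login
    fails = {}     # rip -> cumulative failed attempts
    for ev in filter(None, (parse_line(l) for l in lines)):
        cc = country_of(ev["rip"])
        if ev["ok"]:
            prev = last_ok.get(ev["user"])
            if prev and prev[1] != cc and ev["ts"] - prev[0] <= window:
                alerts.append((ev["user"], ev["rip"],
                               f"login from {cc} within {window} of login from {prev[1]}"))
            last_ok[ev["user"]] = (ev["ts"], cc)
        else:
            before = fails.get(ev["rip"], 0)
            after = before + ev["attempts"]
            fails[ev["rip"]] = after
            if before < fail_threshold <= after:
                alerts.append(("*", ev["rip"], f"{after} failed logins"))
    return alerts


if __name__ == "__main__":
    for user, rip, reason in detect(SAMPLE_LOG):
        print(f"ALERT user={user} rip={rip}: {reason}")
```

In the sample, bob's second login (CN, fourteen minutes after DE) trips the geo-velocity rule, the failures from 198.51.100.9 add up to six and trip the brute-force rule once, and dave's two logins from different countries do not alert because they are more than an hour apart. The alert tuples are what you would hand to fail2ban, an ipset, or a notification to the user; this deliberately does not drop the session itself, since a travelling user with a VPN is exactly the false positive Robert is warning about.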
On Sat Jul 29 2017 13:44:53 GMT-0400 (Eastern Standard Time), Doug Barton <dougb at dougbarton.us> wrote:
> On 07/25/2017 07:54 AM, mj wrote:
>> Since we implemented country blocking,
>
> Please don't do that. Balkanizing the Internet doesn't really benefit
> anyone, and makes innovation a lot more difficult.

Your use of the term 'balkanizing' is in reality an attempt to balkanize this list/thread.

In reality, when you (the sysadmin) know with absolute certainty that no one from certain countries should ever be logging into one or more servers/services you provide, outright blocking based on those countries is not only a good idea, it is common sense.

In our case, all of our email users are in the USA, and virtually never travel outside the USA. Why then should I leave our mail servers open to people in Russia, China, Saudi Arabia, etc., when we have no users there?

This does not create a contentious situation for anyone other than hackers from foreign countries trying to access our systems, unless you think that hackers attempting to hack into systems they have no right to access have some kind of 'right' nevertheless to be able to try, and thus have a legitimate 'complaint' about me blocking their entire country.

This is not a 'security through obscurity' argument. Geo-blocking can dramatically reduce the risk to systems that, again, have no legitimate users in said countries, and improve the signal-to-noise ratio of logs as well.

> Instead, take a look at the fail2ban scenarios in this thread, which
> solve the actual problem with a precision tool, instead of a hammer.

Fail2ban doesn't work against distributed attacks that use a different IP address each time. While I agree that the combination of methods being discussed in this thread is valuable, their use, in combination with outright blocking entire swaths of sources of attacks, is an even better way to protect one's systems.
Of course, the above doesn't and cannot apply to servers/services that *do* deal with users from all over the world. As well, if you don't have users who need to be able to log in from many foreign countries, you are free to disagree and leave your systems unnecessarily open to such attacks if you like, but that doesn't mean you get to attack others with impunity who recognize the sanity of such measures under appropriate circumstances.