byalefp at yahoo.com.br
2020-Apr-22 22:56 UTC
Recommendations on intrusion prevention/detection?
<div dir='auto'>Iptables or ipfw you always can create tables / chains and feed those with desirable IP's to ban.<div dir="auto"><br></div><div dir="auto">Something like fail2ban does. Make a big list, remove one or other IP.</div><div dir="auto"><br></div><div dir="auto">On my setup, I got all IP's from all services and concatenate them for an local ban as fallback... (From Apache logs, from email logs, from API logs, etc...)</div><div dir="auto"><br></div><div dir="auto">Snort and similar services, sometimes while are updating they list, get down the analysis allowing this way an attacker bypass while updating...</div><div dir="auto"><br></div><div dir="auto">Keep an shared list blocking locally as 2nd layer firewall help on those situations.</div><div dir="auto"><br></div><div dir="auto">For the list, make your choice, an open API... Some txt's, etc... Crontab running every X minutes and you would be fine.</div><div dir="auto"><br></div><div dir="auto">About airport's and similar situations, if you are an corporate Enterprise, usually your employee's have an data plan from same ISP, so on this situation Enterprise usually do an quota for those and there's no need about use open WiFi.</div><div dir="auto"><br></div><div dir="auto">There's no bullet silver, everyone need see what's work in your particular scenario.<br><br><div data-smartmail="gmail_signature" dir="auto"><br><br>Regards,<br><br><br><br><br>Alexandre Fernandes Pedrosa<br><br><br>-------<br>Visite: https://alexandrepedrosa.com<br><br><br>PGP Key: https://alexandrepedrosa.com/keys/0xE830E3336A873BE6.asc<br><br>Fingerprint: 4D63 0DEC FDA4 A8D3 DF75 94DB E830 E333 6A87 3BE6 <br><br><br>Esta mensagem incluindo seus anexos tem caráter confidencial e seu conteúdo restrito ao destinatário da mensagem. Se você recebeu esta mensagem por engano, queira por favor retornar o e-mail e apagá-la de seus arquivos.<br><br>Qualquer uso não autorizado ou disseminação desta mensagem ou parte dela é expressamente proibido.<br><br><br>Note: "The contents of this e-mail are confidential and may be privileged.<br><br>This e-mail is intended for the exclusive use of the addressee(s) state under.<br><br>If you are not the intended addressee, please contact us immediately and delete this message from your computer, you should not copy this e-mail or disclose its contents to any other person."</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">Em 22 de abr de 2020 19:02, Michael Peddemors <michael@linuxmagic.com> escreveu:<br type="attribution" /><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">On 2020-04-22 2:52 p.m., byalefp@yahoo.com.br wrote: <br>> Usually I use pfsense as main firewall with snort blocking all kind of <br> > scans and others. <br> > <br> > Fail2ban triggering after 3 unsuccessful tries and for last iptables if <br> > Linux or ipfw If Freebsd <br> > <br> > Keep pfsense synced with intrusion lists is an must have. <br> > <br> > And for last, bans are not temporary on my setup, are forever, except if <br> > an real user after validate his info / data calls to unblock him. <br> > <br> > There's some guides around about deal with post screen, but never get <br> > that working... RBL and spamhaus lists on mail server and on DNS are <br> > another must have. <br> > <br> > Good luck <br> > <br> > Atenciosamente, <br><br> Just one comment.. permanent iptables bans on SSL/TLS authentication <br> ports is no longer a viable option, eg.. you would not want to block the <br> airports's IP, just because one person had an infection on his laptop.. <br> <br> Carrier Grade NAT, WIFI hotspots etc all would be affected. <br> <br> Long term, move towards 2FA, short term block specific user auth/IP <br> combinations, but that won't happen in iptables.. Our case it is <br> proprietary methods, but using a memcache entry is a highly scalable way <br> to record suspicious login attempts with enough information so that you <br> only block the attacker, and not the IP for varying lengths of time. <br> <br> Or as mentioned, temp blocking with fail2ban is an option that is <br> workable and easy for most people. <br> <br> <br> <br> -- <br> "Catch the Magic of Linux..." <br> ------------------------------------------------------------------------ <br> Michael Peddemors, President/CEO LinuxMagic Inc. <br> Visit us at http://www.linuxmagic.com @linuxmagic <br> A Wizard IT Company - For More Info http://www.wizard.ca <br> "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd. <br> ------------------------------------------------------------------------ <br> 604-682-0300 Beautiful British Columbia, Canada <br> <br> This email and any electronic data contained are confidential and intended <br> solely for the use of the individual or entity to which they are addressed. <br> Please note that any views or opinions presented in this email are solely <br> those of the author and are not intended to represent those of the company. <br> </p> </blockquote></div><br></div>