Martineau
Part of the Furniture
So I'm trying to understand the purpose of the script better. Is it that the script looks at the syslog for packets already being dropped by the firewall and puts them in a blacklist ipset?
So what is the benefit gained?
Really?
I could ask the same question of you...if the firewall by default DROPs everything inbound why do we need your TOR / Country blocking script?
You can stop reading here if you suspect TL;DR may apply!
So, being paranoid about basic vendor provided firewall security, I firmly believe it is never a waste of time to be proactive and vigilant to utilise efficient tools/techniques to ensure nothing is left to 'chance' when there are daily threats from the internet.
However, as an explanation, here is one scenario:
Suppose I am hosting a service, say a website, on the standard port 80 or, say, port 54321 that requires a logon ID and password combo for UK-based family and friends.
Where in the above scenario does the default DROP rule get triggered?
Now I can't use your (UK) country blocking script, that would be silly, wouldn't it? So how can I differentiate between family members who legitimately should be allowed to attempt access (even after a frustrating failed login due to finger trouble with their password etc.) and some little thievin' scroat or bot?
Q. Could the 'static' lists from, say, ipdeny help me in any way? - possibly, it depends.
So I'm not saying that the dynamic IPSET blocking script is foolproof, but at least it gives me the opportunity to be proactive, and possibly take further action i.e. fine tune the criteria to decide if I should add/retain an IP in the dynamic Blacklist.
I.e., why would any of my family/friends want to try and access, say, all three ports 22, 23, 25 etc.? Sod's Law says eventually one of them may be curious, but they are all made aware of the consequences and accept that they could embarrassingly find themselves on the naughty step!
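The post describes the idea of scanning syslog for packets the firewall already dropped and feeding the source addresses into a dynamic ipset blacklist, with the criteria tuned so that a family member who fat-fingers one password is treated differently from a host probing 22, 23 and 25. The following is an added example of that decision logic, not the script discussed in the thread: it parses constructed iptables-style LOG lines, counts the distinct destination ports each source hit, and only nominates sources that crossed a threshold and are not on an allowlist. The log format, the set name "blacklist", the allowlisted address and the threshold of three ports are all assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed syslog lines in the iptables LOG style (documentation IP ranges, not real traffic).
SAMPLE_SYSLOG = """\
Jan 10 12:00:01 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=22
Jan 10 12:00:02 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=51001 DPT=23
Jan 10 12:00:03 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=51002 DPT=25
Jan 10 12:00:04 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=22
Jan 10 12:00:05 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=22
Jan 10 12:00:06 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=23
Jan 10 12:00:07 router kernel: DROP IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.1 PROTO=TCP SPT=33000 DPT=22
Jan 10 12:00:08 router kernel: DROP IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.1 PROTO=TCP SPT=33001 DPT=23
Jan 10 12:00:09 router kernel: DROP IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.1 PROTO=TCP SPT=33002 DPT=25
Jan 10 12:00:10 router kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=50000 DPT=80
this line is not a firewall log entry at all
"""

# Assumed allowlist: the family member who is allowed to get things wrong without being blacklisted.
FAMILY_ALLOWLIST = {"192.0.2.200"}

# Only lines that the firewall actually dropped are of interest; SRC and DPT are what we key on.
DROP_RE = re.compile(r"\bDROP\b.*?\bSRC=(?P<src>[\d.]+).*?\bDPT=(?P<dpt>\d+)")


def distinct_ports_by_source(log_text):
    """Map each source IP seen in a DROP line to the set of destination ports it hit."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        match = DROP_RE.search(line)
        if not match:
            continue  # ACCEPT lines and unrelated text are ignored, not treated as errors
        ports[match.group("src")].add(int(match.group("dpt")))
    return ports


def blacklist_candidates(log_text, min_distinct_ports=3, allowlist=FAMILY_ALLOWLIST):
    """Sources that probed at least min_distinct_ports different ports and are not allowlisted.

    Counting distinct ports rather than raw drops is what separates a port sweep
    (22, 23, 25 ...) from a legitimate user who retried one service a few times.
    """
    ports = distinct_ports_by_source(log_text)
    return sorted(
        src for src, dpts in ports.items()
        if len(dpts) >= min_distinct_ports and src not in allowlist
    )


def ipset_commands(candidates, set_name="blacklist"):
    """Render the ipset commands that would add each candidate (set name is an assumption)."""
    # -exist keeps ipset quiet if the address is already in the set.
    return [f"ipset add {set_name} {ip} -exist" for ip in candidates]


if __name__ == "__main__":
    for src, dpts in sorted(distinct_ports_by_source(SAMPLE_SYSLOG).items()):
        print(f"{src}: ports {sorted(dpts)}")
    for cmd in ipset_commands(blacklist_candidates(SAMPLE_SYSLOG)):
        print(cmd)
```

With the constructed input only 203.0.113.5 is nominated: 198.51.100.7 retried port 22 and touched 23 but never reached the three-port threshold, and 192.0.2.200 swept three ports yet is allowlisted. Lowering `min_distinct_ports` or dropping the allowlist is exactly the "fine tune the criteria" step the post refers to, and the commands are returned as strings rather than executed so the decision can be reviewed before anything lands in the set.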