On 08/24/2015 08:27 AM, Bernhard Voelker wrote:
On 08/21/2015 09:12 PM, John Andersen wrote:
Carlose: I'm sure you realize that both susefirewall and shorewall do nothing but manage iptables rules and install them as the interface is booted.
Nevertheless, a huge ban list slows EVERY packet, as each must be checked against the ban list. Banning entire subnets is more efficient.

One note to all those kinds of solutions, i.e., something reading the logs and inserting an entry into iptables:
on virtual servers, the resources might be rather limited. E.g. on mine at 1und1, I've even seen a situation where the whole virtual server wasn't reachable anymore due to a bigger iptables list - neither via ssh nor via any other port like that of apache. I don't remember exactly, but I think that limit was surprisingly small ... like 128 blocked IPs.
If that is true then this is not a feasible solution at all. Ideally for something like that to function it would have to have an efficient search, an array or sorted list for the first field (for IPv4) with another beneath (that's 64k references) and sorted lists or even linked lists beneath that. Checking for a match would then take 2 array lookups and a binary search. Or two array lookups, a shift, a bucket lookup, a search within the bucket. But doing a linear search along a long list; that is not really specialised or workable functionality :-/.

There is something called ipset that does this thing with lightning speed: https://forums.gentoo.org/viewtopic-t-863121.html

My current firewall tool (Vuurmuur) just adds individual rules to a BLOCKLIST input chain which lists all the IPs individually:

BLOCK all -- 182.100.67.59 anywhere
BLOCK all -- anywhere 182.100.67.59
BLOCK all -- 23.30.65.218.broad.xy.jx.dynamic.163data.com.cn anywhere
BLOCK all -- anywhere 23.30.65.218.broad.xy.jx.dynamic.163data.com.cn
BLOCK all -- 45.114.11.54 anywhere
BLOCK all -- anywhere 45.114.11.54

Moreover, it adds 2 rules per IP address, one incoming and one outgoing. In "ipset" it would all be replaced by a single rule. I have yet to find out how to enable this.

Regards, Bart.
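As an added example (not from Bart's message, and not Vuurmuur's own code), the following sh script shows how the per-address BLOCK rules above collapse into one ipset hash set plus two iptables rules; the set name, the blocklist file format (one IPv4 address or CIDR prefix per line, `#` comments allowed) and the helper names are assumptions. Generation is kept separate from application so the result can be reviewed before it touches the live ruleset.

```shell
#!/bin/sh
# Added example: build an ipset-backed blocklist from a plain file of IPv4
# addresses / CIDR prefixes, then reference the set from two iptables rules
# instead of two rules per address. Set name and file layout are assumptions.
SET_NAME="blocklist4"

# Print "ipset restore" input for every valid IPv4/CIDR line in the file $1.
# Invalid lines are reported on stderr and skipped rather than silently dropped.
gen_ipset_restore() {
    echo "create $SET_NAME hash:net family inet hashsize 1024 maxelem 65536 -exist"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                              # strip trailing comments
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -z "$entry" ] && continue
        # Basic syntax check: four dotted octets, optional /0-32 prefix length.
        if printf '%s\n' "$entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'; then
            echo "add $SET_NAME $entry -exist"
        else
            echo "skipping invalid entry: $entry" >&2
        fi
    done < "$1"
}

# The single pair of rules (inbound source match, outbound destination match)
# that replaces the per-address BLOCK rule pairs; lookup cost is a hash probe.
gen_iptables_rules() {
    echo "iptables -I INPUT  -m set --match-set $SET_NAME src -j DROP"
    echo "iptables -I OUTPUT -m set --match-set $SET_NAME dst -j DROP"
}

# Apply both parts; needs root and the ipset/iptables binaries installed.
apply_blocklist() {
    gen_ipset_restore "$1" | ipset restore
    gen_iptables_rules | sh
}
```

Because the set is loaded with `ipset restore`, later updates to the file can be re-applied without flushing or reordering the iptables chain.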
The most effective things are
* to move to a different port,
* to disallow password authentication,
* to enable only 1 certain user (not 'root', obviously).
On top of that, one may run fail2ban or similar solutions, but I think you won't get more than one entry per week.
Have a nice day, Berny
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org