On 04/17/2017 12:26 PM, Mathias Homann wrote:
Am Montag, 17. April 2017, 12:14:04 CEST schrieb Rüdiger Meier:
complicated and unsafe solutions like xtables-geoip or Fail2ban.
"needs citation".
or in other words, where did you get that from, especially the "unsafe"?
It's obvious that externally maintained IP blacklists or whitelists make these third-party maintainers able to change your iptables rules to whatever they want. Or think about serious attackers like NSA, who are surely able to use IPs which are not listed in any geoip database. And geoip can't be 100% correct at all. There is always a risk that you will block yourself although you only wanted to blacklist Chinese IPs.

Fail2ban allows DoS. For example, an arbitrary user on an ssh-client machine (or within your single-IP NAT'd network) may cause all other users to be banned from the ssh server.

Moreover, in general IP-based security is never really secure. This is also true for my ipv6-only approach. All this blacklisting or hiding is IMO only worth it to get rid of some ugly logs.

cu,
Rudi
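A small simulation of the per-IP banning behaviour Rudi describes, added here as an illustration and not part of the thread or of Fail2ban's own code. The log lines, hostnames and user names are constructed; the `ignoreip` parameter models Fail2ban's allowlist option, and the `findtime` window is left out for brevity.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the mailing-list post).
# 203.0.113.5 is the single public address of a NAT'd network shared by
# users alice and mallory; 198.51.100.7 is an unrelated host.
SAMPLE_LOG = """\
Apr 17 12:30:01 host sshd[101]: Failed password for mallory from 203.0.113.5 port 50001 ssh2
Apr 17 12:30:02 host sshd[102]: Failed password for mallory from 203.0.113.5 port 50002 ssh2
Apr 17 12:30:03 host sshd[103]: Failed password for mallory from 203.0.113.5 port 50003 ssh2
Apr 17 12:30:10 host sshd[104]: Accepted publickey for alice from 203.0.113.5 port 50004 ssh2
Apr 17 12:30:20 host sshd[105]: Failed password for bob from 198.51.100.7 port 40001 ssh2
"""

FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
OK_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")


def banned_ips(log_text, maxretry=3, ignoreip=()):
    """Fail2ban-style decision: an IP is banned once it accumulates maxretry
    failures, no matter which user produced them. The findtime window is
    ignored here for brevity. ignoreip models Fail2ban's allowlist."""
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m and m.group(2) not in ignoreip:
            failures[m.group(2)] += 1
    return {ip for ip, n in failures.items() if n >= maxretry}


def collateral_users(log_text, banned):
    """Users who only ever authenticated successfully from a banned IP:
    they are locked out because they share that address with the offender."""
    failed, succeeded = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        if m := FAIL_RE.search(line):
            failed[m.group(2)].add(m.group(1))
        elif m := OK_RE.search(line):
            succeeded[m.group(2)].add(m.group(1))
    return {u for ip in banned for u in succeeded[ip] - failed[ip]}


if __name__ == "__main__":
    banned = banned_ips(SAMPLE_LOG)
    print("banned:", banned)                                     # {'203.0.113.5'}
    print("collateral:", collateral_users(SAMPLE_LOG, banned))   # {'alice'}
    print("with ignoreip:", banned_ips(SAMPLE_LOG, ignoreip=("203.0.113.5",)))  # set()
```

The third call shows the usual mitigation for a known shared address: listing it in `ignoreip` keeps alice reachable, at the price of never banning that address at all.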