In this post I want to talk about fail2ban and how you can use it for more than just blocking the usual SSH brute-force login attempts. You see it mentioned as a common defense for that, but since I access my servers from a static IP, I have strict iptables rules on port 22 that only allow certain IPs. I understand that if you have a dynamic IP or need to travel (and don't have a VPN) this is not an option, and fail2ban is your ticket to protecting yourself.
One thing I've been working on over the years is lessening my server's load by keeping annoying requests away from its services. These requests sap your server's resources and can drastically hamper its performance. One great technique is to use Snort in conjunction with snortsam and the bleeding rule set. One set of rules blocks Spamhaus-listed IPs for 72 hours. These rules are updated daily, so we can adapt to the changing spam IPs. Why bother with this? Simple: it lessens the interaction with my mail MTA (postfix + mysql). Each request ties up resources in postfix, and I burn mysql connections performing mailbox lookups. If the IP is a known Spamhaus IP, snortsam adds it to an iptables DROP and postfix/mysql aren't bothered with this 'bad' traffic.
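To show what the fail2ban side of this looks like for a mail server, here is an added example (my own code, not from the original post, fail2ban or snortsam) that runs fail2ban-style findtime/maxretry logic over constructed Postfix smtpd reject lines and renders the iptables DROP rules a 72-hour ban would produce. The log lines, the thresholds and the assumed log year are all constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Postfix smtpd reject lines (syslog format, no year), not a real log.
# Trailing from=/to= fields are trimmed to keep the sample short.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Client host [192.0.2.10] blocked using zen.spamhaus.org
Mar  3 10:00:05 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Client host [192.0.2.10] blocked using zen.spamhaus.org
Mar  3 10:00:09 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Client host [192.0.2.10] blocked using zen.spamhaus.org
Mar  3 10:00:12 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Client host [198.51.100.7] blocked using zen.spamhaus.org
Mar  3 10:30:00 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Client host [198.51.100.7] blocked using zen.spamhaus.org
Mar  3 11:00:00 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Client host [198.51.100.7] blocked using zen.spamhaus.org
Mar  3 11:00:03 mx postfix/smtpd[2104]: connect from mail.example.net[203.0.113.5]
"""

# Match only smtpd rejects and capture the timestamp and the client IP.
REJECT_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(\d+(?:\.\d+){3})\]:"
)

# fail2ban-style knobs: maxretry hits inside findtime earn a bantime ban.
FINDTIME = timedelta(minutes=10)
MAXRETRY = 3
BANTIME = timedelta(hours=72)  # same 72h window the snortsam rule uses
LOG_YEAR = 2024  # syslog lines carry no year; assumed value for parsing

def ban_decisions(log_text, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Return {ip: (banned_at, expires_at)} for clients that hit the threshold."""
    hits = defaultdict(deque)  # per-IP timestamps inside the sliding window
    bans = {}
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m or m.group(2) in bans:
            continue  # not a reject, or already dropped at the firewall
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        window = hits[m.group(2)]
        window.append(ts)
        while ts - window[0] > findtime:  # expire hits older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans[m.group(2)] = (ts, ts + bantime)
    return bans

def iptables_rules(bans):
    """Render the DROP rules that keep banned clients away from postfix entirely."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(bans)]
```

Note that 198.51.100.7 is rejected three times but never banned, because its hits are spread over an hour and fall outside the 10-minute findtime; the threshold only fires for the burst from 192.0.2.10.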