Re: sucessor for denyhosts?

To: debian-user Mailing List <debian-user@lists.debian.org>
Subject: Re: sucessor for denyhosts?
From: Roger Price <debian@rogerprice.org>
Date: Sat, 9 Mar 2019 13:08:34 +0100 (CET)
Message-id: <[🔎] alpine.LSU.2.20.1903091241270.7105@titan>
In-reply-to: <[🔎] d452af7a-68db-43ec-856f-35cc1efab216@merit.unu.edu>
References: <[🔎] 1618824.pi8cipN3Ao@protheus2> <[🔎] d452af7a-68db-43ec-856f-35cc1efab216@merit.unu.edu>

On Sat, 9 Mar 2019, mj wrote:

We are using fail2ban to do this. It offers many more options, and works bycreating iptables rules. This gives you much more control over what portsexactly are blocked.
Plus I think (correct me if Im wrong) that using /etc/hosts.deny to blockaccess only works with programs that are compiled to do so, and iptables willalways work.

/etc/hosts.deny is part of TCP Wrappers for which Wietse Venema stoppedmaintenance in 1995. See https://en.wikipedia.org/wiki/TCP_Wrappers . See alsoOctober 2014 Linux Weekly News article https://lwn.net/Articles/615173/

I find that it is much easier to use an ipset with set type hash:net to definethe IP nets and addresses that are to be rejected. It avoids messing with theiptable commands. The ipset can be initialized with the IP addresses oforiginating countries to be rejected using block lists such as those athttp://ipverse.net/ipblocks/data/countries/ I recommend enabling the counterassociated with each net.

I have had no problems with ipsets of over 140000 sub-net entries. I wouldn'tlike to do that with just iptables.


Roger

Reply to:

Follow-Ups:
- Re: sucessor for denyhosts?
  - From: mj <lists@merit.unu.edu>

References:
- sucessor for denyhosts?
  - From: Hans <hans.ullrich@loop.de>
- Re: sucessor for denyhosts?
  - From: mj <lists@merit.unu.edu>

Prev by Date: Re: sucessor for denyhosts?
Next by Date: Re: sucessor for denyhosts?
Previous by thread: Re: sucessor for denyhosts?
Next by thread: Re: sucessor for denyhosts?
Index(es):
- Date
- Thread