BLKNSLVR, 9 hours ago:
I have my own system of IP reputation whereby if an IP address hits one of my systems with some probe or scan that I didn't ask for, then it's blocked for 12 months. https://github.com/UninvitedActivity/UninvitedActivity

P.S. Just to add a note here that I have been blocked out of my own systems occasionally from mobile / remote IPs due to my paranoia-level setup. I treat that as learning / refinement, but can also accept it as the cost of security sometimes.

Latty, 9 hours ago (replying to BLKNSLVR):
My first thought is that with CGNAT ever more present, this kind of approach seems like it'll have a lot of collateral damage.

BLKNSLVR, 9 hours ago (replying to Latty):
Yeah, my setup is purely for my own security reasons and interests, so there's very little downside to my scorched-earth approach. I do, however, think that if there were a more widespread scorched-earth approach, then issues like those mentioned in the article would be much less common.

lxgr, 8 hours ago (replying to BLKNSLVR):
In such a world you can say goodbye to any kind of free Wi-Fi, anonymous proxy, etc., since all it would take to burn an IP for a year is to run a port scan from it, so nobody would risk letting you use theirs. Fortunately, real network admins are smarter than that.

BLKNSLVR, 7 hours ago (replying to lxgr):
Pretty much. I think there's also a responsibility on the part of the network owner to restrict obviously malicious traffic. Allow anonymous people to connect to your network and then perform port scans? I don't really want any traffic from your network then. Yes, there are less scorched-earth ways of looking at this, but this works for me. As always, any of this stuff is heavily context-specific. Like you said: network admins need to be smart, need to adapt, need to know their own contexts.

gzread, 6 hours ago (replying to BLKNSLVR):
Do you feel coffee shop WiFi should require you to scan your passport to connect, or that it shouldn't exist at all?

perching_aix, 5 hours ago (replying to gzread):
Not OP, but the latter sounds pretty good actually, yeah. Never understood the free WiFi craze anyway. Just use cellular?

ipdashc, 2 hours ago (replying to perching_aix):
Not all of us have cell plans with hotspots ($$$), hotspots often have data caps, cell is often slower or congested, and there are some areas without cell signal. It's also kind of silly from a wider perspective to shove everyone onto the cellular network when most businesses have perfectly decent fiber internet nowadays. Sure, I'm usually on hotspot, but I personally appreciate when businesses have WiFi. Either way, there are always going to be shared networks somewhere.

gzread, 4 hours ago (replying to perching_aix):
And you should require your passport to get one of those?

Gigachad, 6 hours ago (replying to BLKNSLVR):
If you actually wanted your site or service to be accessible you'd run into issues immediately, since one IP would have cycled between hundreds of homes in a year. IP-based bans have long been obsolete.

abofh, 9 hours ago (replying to Latty):
For people that implement it, there are fewer than three people who use it, or agencies supporting it.

gzread, 6 hours ago (replying to abofh):
CGNAT? That's definitely not true. There are whole towns that have to share one IP address. They're mostly in the third world.

ronsor, 7 hours ago (replying to BLKNSLVR):
> can accept that as the cost of security sometimes

And corporate IT wonders why employees are always circumventing "security policies"...

BLKNSLVR, 7 hours ago (replying to ronsor):
Additional explanation: this is primarily a personal setup. There would be a lot of refinement and contingencies to implement something like this for corporate / business use. Having said that, I still exist on the ruthless side of the blocking equation. I'd generally prefer some kind of small allow list to a gigantic block list, but this is how it's (d)evolved.

cortesoft, 7 hours ago (replying to BLKNSLVR):
How is this better than blocking after a certain quantity in a range of time instead? Single queries should never be harmful to something openly accessible. DoS is the only real risk, and blocking after a certain level of traffic solves that problem much better, with less possibility of a false positive and no risk to your infrastructure, either.

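The two policies argued over in this subthread, the root comment's "first unsolicited probe gets a 12-month block" and the "N hits within a window" alternative proposed just above, run side by side over one constructed probe log. This is an added example, not code from the thread or from the UninvitedActivity repository; the timestamps, addresses, thresholds and the 60-second window are made up for illustration.

```python
"""
Added example, not from the thread: two ban policies over the same
constructed probe log, so the difference in collateral damage is visible.
`first_hit_policy` is the "first unsolicited probe gets 12 months" rule;
`rate_policy` is the "N hits in a window" rule proposed as the alternative.
Timestamps, addresses and thresholds are made up for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BAN_LENGTH = timedelta(days=365)

# Constructed events: (ISO timestamp, source IP, destination port).
# 203.0.113.9 makes two isolated hits 90 minutes apart, the sort of stray
# traffic a CGNAT neighbour produces; 198.51.100.7 runs a sustained scan.
EVENTS = [
    ("2024-05-01T10:00:00", "203.0.113.9", 22),
    ("2024-05-01T10:00:01", "198.51.100.7", 21),
    ("2024-05-01T10:00:02", "198.51.100.7", 22),
    ("2024-05-01T10:00:03", "198.51.100.7", 23),
    ("2024-05-01T10:00:04", "198.51.100.7", 25),
    ("2024-05-01T10:00:05", "198.51.100.7", 80),
    ("2024-05-01T10:00:06", "198.51.100.7", 443),
    ("2024-05-01T11:30:00", "203.0.113.9", 443),
]


def first_hit_policy(events, ban_length=BAN_LENGTH):
    """Ban a source on its first unsolicited hit.  Returns {ip: ban expiry}."""
    bans = {}
    for ts, ip, _port in events:
        t = datetime.fromisoformat(ts)
        if ip not in bans:
            bans[ip] = t + ban_length
    return bans


def rate_policy(events, threshold=5, window=timedelta(seconds=60),
                ban_length=BAN_LENGTH):
    """Ban a source once it produces `threshold` hits inside a sliding
    `window`.  Hits that arrive while a ban is active are ignored rather
    than re-counted.  Returns {ip: ban expiry}."""
    recent = defaultdict(deque)   # ip -> timestamps of hits inside the window
    bans = {}
    for ts, ip, _port in events:
        t = datetime.fromisoformat(ts)
        if ip in bans and t < bans[ip]:
            continue
        hits = recent[ip]
        hits.append(t)
        while hits and t - hits[0] > window:
            hits.popleft()
        if len(hits) >= threshold:
            bans[ip] = t + ban_length
            hits.clear()
    return bans


if __name__ == "__main__":
    print("first-hit bans:  ", sorted(first_hit_policy(EVENTS)))
    print("rate-based bans: ", sorted(rate_policy(EVENTS)))
```

With these inputs the first-hit rule bans both sources for a year, including the address that only ever sent two packets, while the rate rule bans only the scanner. Whichever policy is used, the expiry timestamp is what keeps the ban list from growing forever and is what a CGNAT neighbour eventually gets rescued by.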
kevin_thibedeau, 9 hours ago (replying to BLKNSLVR):
I perma-ban any /16 that hits fail2ban 100+ times. That cuts down dramatically on the attacks from the usual suspects.

BLKNSLVR, 9 hours ago (replying to kevin_thibedeau):
I haven't manually reviewed my lists for a while, but I did similar checks for X IP addresses detected from within a /24 block to determine whether I should just block the whole /24. Manual reviewing like this also helped me find a bunch of organisations that just probe the entire IPv4 range on a regular basis, trying to map it for 'security' purposes. Fuck them, blocked!

P.S. I wholeheartedly support your choice of blocking for your reasons.

kees99, 8 hours ago (replying to BLKNSLVR):
> bunch of organisations that just probe the entire IPv4 range on a regular basis

Yep, #1 source of junk traffic, in my experience. I set those prefixes to go right into a nullroute on every server I set up: https://raw.githubusercontent.com/UninvitedActivity/Uninvite...

#2 are the IP ranges of Azure, DO, OVH, Vultr, etc. A bit harder to block those outright.

miyuru, an hour ago (replying to kees99):
On my servers I don't have IPv4 at all, just IPv6 only. On the plus side, it doesn't waste CPU cycles blocking unwanted IPv4 traffic.

efilife, an hour ago (replying to BLKNSLVR):
> trying to map it for 'security' purposes.

Yes. Fucking Censys and internet-measurement and the predatory "opt-out" of scans. What about opting in to scan my website? Fuck you, I'm blocking you forever.

lxgr, 8 hours ago (replying to kevin_thibedeau):
Sounds like a great idea until you ever try to connect to your own servers from a network with spammy neighbors.

kees99, 7 hours ago (replying to lxgr):
Back in the day, port knocking was a perfect fit for this eventuality. Nowadays, WireGuard would probably be a better choice.

(Both of the above of course assume one does the sensible thing and adds the "perma-bans" a bit lower in the firewall rules, below "established" and "port-knock".)

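The ordering point in the parenthesis, shown with a toy first-match chain evaluator. This is an added example, not the commenter's ruleset: it models only the property that nftables and iptables evaluate a chain top to bottom and stop at the first terminal verdict. The addresses, ports, the knock set and the rule functions are invented for the demonstration.

```python
"""
Added example, not from the thread: a toy first-match firewall chain used
to show why a long-term ban rule must sit below the "established" and
"port-knock" accepts.  Real chains (nftables, iptables) stop at the first
terminal verdict; that is all this models.  Addresses, ports and the knock
state are constructed.
"""

BANNED = {"203.0.113.9"}    # long-term reputation bans
KNOCKED = {"203.0.113.9"}   # sources that completed the knock sequence
ADMIN_PORT = 22


def rule_established(pkt):
    """ct state established,related accept"""
    return "accept" if pkt["ct_state"] == "established" else None


def rule_knocked(pkt):
    """tcp dport 22 ip saddr @knocked accept"""
    if pkt["dport"] == ADMIN_PORT and pkt["saddr"] in KNOCKED:
        return "accept"
    return None


def rule_banned(pkt):
    """ip saddr @banned drop"""
    return "drop" if pkt["saddr"] in BANNED else None


def rule_public(pkt):
    """tcp dport {80, 443} accept"""
    return "accept" if pkt["dport"] in (80, 443) else None


def evaluate(chain, pkt, policy="drop"):
    """First rule to return a verdict wins; otherwise the chain policy applies."""
    for rule in chain:
        verdict = rule(pkt)
        if verdict is not None:
            return verdict
    return policy


# Ban first: the admin's own knocked or established traffic is dropped too.
NAIVE_CHAIN = [rule_banned, rule_established, rule_knocked, rule_public]
# Ban below established and knock: bans bite only on fresh unsolicited traffic.
SENSIBLE_CHAIN = [rule_established, rule_knocked, rule_banned, rule_public]

# Constructed packets.  The admin is stuck behind an address that is on the
# ban list (the "spammy neighbours" case) but has completed the knock.
ADMIN_SSH = {"saddr": "203.0.113.9", "dport": 22, "ct_state": "new"}
ADMIN_REPLY = {"saddr": "203.0.113.9", "dport": 44321, "ct_state": "established"}
SCAN = {"saddr": "203.0.113.9", "dport": 23, "ct_state": "new"}

if __name__ == "__main__":
    for name, chain in (("naive", NAIVE_CHAIN), ("sensible", SENSIBLE_CHAIN)):
        for label, pkt in (("admin ssh", ADMIN_SSH), ("admin reply", ADMIN_REPLY),
                           ("scan", SCAN)):
            print(f"{name:9} {label:12} -> {evaluate(chain, pkt)}")
```

In nftables terms the sensible chain is `ct state established,related accept` and the knock-set accept placed before `ip saddr @banned drop`; with a WireGuard tunnel the same slot is taken by an accept for the tunnel's UDP port. Note that the scan from the same address is still dropped in the sensible ordering, so moving the ban rule down costs nothing against the traffic the ban was for.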
BLKNSLVR, 7 hours ago (replying to lxgr):
Good network admins have contingencies for contingencies for contingencies.

observationist, 9 hours ago (replying to BLKNSLVR):
Nice, thanks for the link. Good to be ruthless about those things when you can.

paulddraper, 8 hours ago (replying to BLKNSLVR):
How often do you ask for probes or scans?