Ok, so first question... Is the working title too long? :)
I referenced this article for the initial idea: https://www.linode.com/community/questions/11143/top-tip-firewalld-and-ipset...
My basic outline:
- Installing and setting up fail2ban, specifically for sshd
- Methods to monitor the fail2ban log or get the sshd jail status from fail2ban-client
- How to block IPs by country.
- Will include:
-- The script to largely automate the process
-- A systemd service file and timer so updates to network addresses are picked up on a regular basis. (monthly?)
If I work on this much more I should probably submit it as a package :)
Next steps?
Thanks, Richard
Richard, sorry this is tardy. I was thinking about someone's (maybe it was Matthew's?) point that the Magazine doesn't want to seem punitive about any countries in particular. Maybe one of the ways to position it is a use case where you run a site that serves a local neighborhood (like an authority, or a business). It would make little sense for a site like that to get a lot of visits from outside the locality, even less so outside the country. So that makes a good backdrop for the article.
The editors could also find an accurate title like "Add security with firewalld with blacklists." It would also be helpful if you have a way to show an additional use of blacklisting that relies on something else like an IP range. However, it's legitimate to also deal with country specific blacklists -- I have a site myself that suffers from periodic attacks from specific places, so I sympathize. Hope this helps!
We have a card set up here: https://teams.fedoraproject.org/project/asamalik-fedora-magazine/us/158 I've added you as a writer so you can start using the WordPress instance for your draft right away: https://fedoramagazine.org/wp-admin
Paul
On Tue, Apr 21, 2020 at 1:01 PM Richard Shaw hobbes1069@gmail.com wrote:
> Ok, so first question... Is the working title too long? :)
> I referenced this article for the initial idea: https://www.linode.com/community/questions/11143/top-tip-firewalld-and-ipset...
> My basic outline:
> - Installing and setting up fail2ban, specifically for sshd
> - Methods to monitor the fail2ban log or get the sshd jail status from fail2ban-client
> - How to block IPs by country.
> - Will include:
> -- The script to largely automate the process
> -- A systemd service file and timer so updates to network addresses are picked up on a regular basis. (monthly?)
> If I work on this much more I should probably submit it as a package :)
> Next steps?
> Thanks, Richard
On Sun, Apr 26, 2020 at 12:52 PM Paul Frields stickster@gmail.com wrote:
> Richard, sorry this is tardy. I was thinking about someone's (maybe it was Matthew's?) point that the Magazine doesn't want to seem punitive about any countries in particular. Maybe one of the ways to position it is a use case where you run a site that serves a local neighborhood (like an authority, or a business). It would make little sense for a site like that to get a lot of visits from outside the locality, even less so outside the country. So that makes a good backdrop for the article.
Yes, it makes much more sense for localized / personal / private networks rather than for commercial sites, and from what I was told, the technical level / audience for Fedora Magazine is on the lower end so I think this aligns well.
> The editors could also find an accurate title like "Add security with firewalld with blacklists." It would also be helpful if you have a way to show an additional use of blacklisting that relies on something else like an IP range.
Let me think about that, it wasn't part of the original idea which was around the linode article. I definitely want to mention fail2ban in the title as it's what tells us where the intrusion attempts are coming from.
Ok, so I drafted this email, and then went down the rabbit hole for about an hour...
I've added the ability to block specific IPs as well so it's not just about countries.
As far as the title:
"A layered approach to intrusion prevention with fail2ban and firewalld blacklists"
Still too long?
Thanks, Richard
This is all fantastic, thanks for the extra effort Richard.
I think a good title would be shorter, perhaps: "Protect your site with fail2ban and firewalld blacklists"?
Paul
On Mon, Apr 27, 2020 at 8:46 AM Richard Shaw hobbes1069@gmail.com wrote:
> On Sun, Apr 26, 2020 at 12:52 PM Paul Frields stickster@gmail.com wrote:
>> Richard, sorry this is tardy. I was thinking about someone's (maybe it was Matthew's?) point that the Magazine doesn't want to seem punitive about any countries in particular. Maybe one of the ways to position it is a use case where you run a site that serves a local neighborhood (like an authority, or a business). It would make little sense for a site like that to get a lot of visits from outside the locality, even less so outside the country. So that makes a good backdrop for the article.
> Yes, it makes much more sense for localized / personal / private networks rather than for commercial sites, and from what I was told, the technical level / audience for Fedora Magazine is on the lower end so I think this aligns well.
>> The editors could also find an accurate title like "Add security with firewalld with blacklists." It would also be helpful if you have a way to show an additional use of blacklisting that relies on something else like an IP range.
> Let me think about that, it wasn't part of the original idea which was around the linode article. I definitely want to mention fail2ban in the title as it's what tells us where the intrusion attempts are coming from.
> Ok, so I drafted this email, and then went down the rabbit hole for about an hour...
> I've added the ability to block specific IPs as well so it's not just about countries.
> As far as the title:
> "A layered approach to intrusion prevention with fail2ban and firewalld blacklists"
> Still too long?
> Thanks, Richard
Ok, two problems...
1. WordPress is stuck in "Saving". Should I copy and paste all my text to make sure it isn't lost?
2. Now that I'm writing it I think the article is getting too long. I wonder if it should be broken up into two.
Thanks, Richard
Sorry I wasn't on personal email yesterday -- Hopefully you got your stuff taken care of. In that case, copy/paste is of course a good backup plan.
I looked at the article today and it doesn't look too long. We've had significantly longer articles in the past. Better to cover this in one shot given the specificity of the topic.
Paul
On Tue, Apr 28, 2020 at 8:23 AM Richard Shaw hobbes1069@gmail.com wrote:
> Ok, two problems...
> 1. WordPress is stuck in "Saving". Should I copy and paste all my text to make sure it isn't lost?
> 2. Now that I'm writing it I think the article is getting too long. I wonder if it should be broken up into two.
> Thanks, Richard