Re: [bitfolk] Blocking IP Addresses

Author: Keith Williams
Date:  
To: BitFolk Users
Subject: Re: [bitfolk] Blocking IP Addresses
One problem would be that these unwanted IPs change and you could be
blocking the puppet not the puppet-master.
One system I have been using is to put SSH on an alternative port. When any
IP queries port 22, it is added to a blacklist set with a fixed timeout.
Every time that IP visits any port its timeout is reset to the original
value. Bit like fail2ban does. By experiment I have found a day in the
sinbin is about the right balance. A couple of lines or so of code does it.
My thinking was nobody has any legit reason for visiting port 22, and if
they are up to no good there then they are probably up to no good
elsewhere. I added port 23 to the rule as well.

On Mon, 11 Nov 2019 at 12:29, Chris Smith via users <users@???>
wrote:

>
> On 11 Nov 2019, at 12:01, Conrad Wood <cnw@???> wrote:
>
> On Mon, 2019-11-11 at 11:54 +0000, Chris Smith wrote:
>
>
> It occurs to me though that these mechanisms would be an obvious
> vector for a DOS attack, by maliciously blacklisting harmless IP
> blocks. I don’t know what measures (if any) denyhosts has taken to
> prevent that.
>
>
> I should have mentioned that I do use some community lists too. The
> main point though I was attempting to convey was that I would consider
> it beneficial if the blocking was done on a router upstream from the
> VPS rather than on the VPS itself.
>
>
> Then my point is perhaps even more valid, and also raises questions about
> unwanted censorship. How would I opt out if I needed to? Perhaps I want
> to analyse such traffic, or use it to test my own protection software. One
> man’s scat is another man’s fetish. This seems to me far too problematic
> for what little benefit there is.
>
> Chris
> —
> Chris Smith <space.dandy@???>
> _______________________________________________
> users mailing list
> users@???
> https://lists.bitfolk.com/mailman/listinfo/users
>
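The port-22 sinbin Keith describes, written out as an ipset/iptables rule set. This is an added example, not Keith's own script; the set name, the one-day timeout, the trap ports 22/23 and the assumed real SSH port 2222 are all assumptions, and with DRY_RUN=1 the script only prints the commands so they can be reviewed without root.

```shell
#!/bin/sh
# Added example of the "sinbin" described in the post.
# Assumptions: set name, timeout, trap ports and the real SSH port below.
set -eu

SET_NAME=sinbin
TIMEOUT=86400          # one day in the sinbin, the balance the post settled on
TRAP_PORTS="22,23"     # ports nobody has a legitimate reason to touch
REAL_SSH_PORT=2222     # assumption: SSH was moved here

# With DRY_RUN=1 each command is printed instead of executed, so the rule set
# can be inspected (and tested) on a machine without ipset/iptables or root.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

sinbin_rules() {
    # Hash set keyed on source address; every entry expires TIMEOUT seconds
    # after it was last added or refreshed.
    run ipset -exist create "$SET_NAME" hash:ip timeout "$TIMEOUT"

    # 1. Any packet from an address already in the set first refreshes that
    #    entry's timeout (--exist resets the countdown) and is then dropped,
    #    whatever port it was aimed at.
    run iptables -I INPUT 1 -m set --match-set "$SET_NAME" src \
        -j SET --add-set "$SET_NAME" src --exist
    run iptables -I INPUT 2 -m set --match-set "$SET_NAME" src -j DROP

    # 2. A connection attempt to the trap ports puts the source into the set
    #    and is dropped; from here on rule 1 handles that address.
    run iptables -A INPUT -p tcp -m multiport --dports "$TRAP_PORTS" \
        --syn -j SET --add-set "$SET_NAME" src
    run iptables -A INPUT -p tcp -m multiport --dports "$TRAP_PORTS" -j DROP

    # 3. The real SSH port stays reachable for everyone not in the set.
    run iptables -A INPUT -p tcp --dport "$REAL_SSH_PORT" -j ACCEPT
}

# Usage: DRY_RUN=1 sh sinbin.sh apply   (review the rules)
#        sh sinbin.sh apply             (install them, as root)
if [ "${1:-}" = "apply" ]; then
    sinbin_rules
fi
```

Because the trap fires on a bare SYN, a spoofed SYN with a victim's source address is enough to put that address in the set for a day, which is exactly the blacklisting-as-DoS concern Chris raises earlier in the thread.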