On Sat Jul 29 2017 13:44:53 GMT-0400 (Eastern Standard Time), Doug Barton dougb@dougbarton.us wrote:
> On 07/25/2017 07:54 AM, mj wrote:
>> Since we implemented country blocking,
> Please don't do that. Balkanizing the Internet doesn't really benefit anyone, and makes innovation a lot more difficult.
Your use of the term 'balkanizing' is in reality an attempt to balkanize this list/thread.
In reality, when you (the sysadmin) know with absolute certainty that no one from certain countries should ever be logging into one or more servers/services you provide, outright blocking based on those countries is not only a good idea, it is common sense.
In our case - all of our email users are in the USA, and virtually never travel outside the USA. Why then should I leave our mail servers open to people in Russia, China, Saudi Arabia, etc., when we have no users there?
This does not create a contentious situation for anyone other than hackers from foreign countries trying to access our systems - unless you think that hackers attempting to hack into systems they have no right to access have some kind of 'right' nevertheless to be able to try, and thus have a legitimate 'complaint' about me blocking their entire country.
This is not a 'security through obscurity' argument. Geo-blocking can dramatically reduce the risk to systems that, again, have no legitimate users in said countries, and improve the signal-to-noise ratio of logs as well.
> Instead, take a look at the fail2ban scenarios in this thread, which solve the actual problem with a precision tool, instead of a hammer.
Fail2ban doesn't work against distributed attacks that use a different IP address each time.
While I agree that the combination of methods being discussed in this thread is valuable, their use, in combination with outright blocking entire swaths of sources of attacks, is an even better way to protect one's systems.
Of course, the above doesn't and cannot apply to servers/services that *do* deal with users from all over the world.
As well, if you don't have users who need to be able to log in from many foreign countries, you are free to disagree and leave your systems unnecessarily open to such attacks if you like, but that doesn't mean you get to attack others with impunity who recognize the sanity of such measures under appropriate circumstances.
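The distributed-attack point raised above, as an added example that is not part of this thread or of fail2ban: a small Python script over constructed Dovecot-style auth-failure log lines, showing that a per-source-IP threshold (the fail2ban model) never trips when each attempt arrives from a different address, while counting failures per target account across all sources does flag the account under attack. The log line format, field names and thresholds are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in a Dovecot-like auth-failure format (not real logs).
SAMPLE_LOG = """\
Jul 25 07:54:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=203.0.113.10
Jul 25 07:54:03 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=203.0.113.11
Jul 25 07:54:05 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=198.51.100.7
Jul 25 07:54:08 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=198.51.100.8
Jul 25 07:54:09 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=192.0.2.33
Jul 25 07:55:12 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, rip=203.0.113.10
"""

# Assumed field layout: failure marker, then user=<...>, then rip=<remote ip>.
LINE_RE = re.compile(r"auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[\d.]+)")


def parse_failures(log_text):
    """Yield (user, ip) for every auth-failure line; other lines are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def ips_over_threshold(log_text, maxretry=3):
    """Per-source-IP counting (the fail2ban model): IPs that would be banned."""
    counts = Counter(ip for _, ip in parse_failures(log_text))
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


def users_over_threshold(log_text, maxretry=3):
    """Per-target-account counting across all sources: accounts under a distributed attack."""
    counts = Counter(user for user, _ in parse_failures(log_text))
    return sorted(user for user, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    # Five failures against alice from five different addresses: no single IP reaches
    # the threshold, so the per-IP view bans nothing, while the per-account view flags alice.
    print("per-IP bans:", ips_over_threshold(SAMPLE_LOG))           # []
    print("targeted accounts:", users_over_threshold(SAMPLE_LOG))  # ['alice']
```

The per-account view does not tell you which address to block, which is exactly why it complements rather than replaces per-IP banning; it does give the alert a sysadmin would otherwise miss.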