under another kind of attack

Tanstaafl tanstaafl at libertytrek.org
Mon Jul 31 19:03:36 EEST 2017


On Sat Jul 29 2017 13:44:53 GMT-0400 (Eastern Standard Time), Doug
Barton <dougb at dougbarton.us> wrote:
> On 07/25/2017 07:54 AM, mj wrote:
>> Since we implemented country blocking,
> 
> Please don't do that. Balkanizing the Internet doesn't really benefit 
> anyone, and makes innovation a lot more difficult.

Your use of the term 'balkanizing' is in reality an attempt to balkanize
this list/thread.

In reality, when you (the sysadmin) know with absolute certainty that
no one from certain countries should ever be logging into one or more
servers/services you provide, outright blocking based on those countries
is not only a good idea, it is common sense.

In our case - all of our email users are in the USA, and virtually never
travel outside the USA. Why then should I leave our mail servers open to
people in Russia, China, Saudi Arabia, etc, when we have no users there?

This does not create a contentious situation for anyone other than
hackers from foreign countries trying to access our systems - unless you
think that hackers attempting to hack into systems they have no right to
access have some kind of 'right' nevertheless to be able to try, thus
have a legitimate 'complaint' about me blocking their entire country.

This is not a 'security through obscurity' argument. Geo-blocking can
dramatically reduce the risk to systems that, again, have no legitimate
users in said countries, and improve the signal-to-noise ratio of logs
as well.

> Instead, take a look at the fail2ban scenarios in this thread, which 
> solve the actual problem with a precision tool, instead of a hammer.

Fail2ban doesn't work against distributed attacks that use a different
IP address each time.

While I agree that the combination of methods being discussed in this
thread are valuable, their use, in combination with outright blocking
entire swaths of sources of attacks, is an even better way to protect
one's systems.

Of course, the above doesn't and cannot apply to servers/services that
*do* deal with users from all over the world.

As well, if you don't have users who need to be able to log in from many
foreign countries, you are free to disagree and leave your systems
unnecessarily open to such attacks if you like, but that doesn't mean
you get to attack others with impunity who recognize the sanity of such
measures under appropriate circumstances.
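To make the point about per-IP banning concrete, here is an added example that is not part of this message and is not code from the Dovecot or fail2ban projects. It parses constructed Dovecot imap-login auth-failure lines, counts failures per source IP the way a fail2ban-style rule does, then counts distinct source IPs per target account, which is what exposes one account being tried from many hosts, and finally applies a hypothetical country allowlist using a made-up prefix table (documentation address ranges, not real geolocation data) in place of a real GeoIP database. The threshold of 5 and the "US"-only allowlist are assumptions chosen for the illustration.

```python
"""Why per-IP banning misses a distributed attack, and what does catch it.

Added example; not code from the original post, Dovecot or fail2ban.
The log lines are constructed in Dovecot's imap-login format, and the
prefix-to-country table is a made-up stand-in for a real GeoIP database.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: six single attempts against "alice" from six different
# hosts in one /24, five attempts against "bob" from one host, one genuine
# typo by "carol", and one successful login that must be ignored.
SAMPLE_LOG = """\
Jul 31 18:01:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
Jul 31 18:01:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.6, lip=198.51.100.2, TLS
Jul 31 18:01:15 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS
Jul 31 18:01:22 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.8, lip=198.51.100.2, TLS
Jul 31 18:01:30 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.2, TLS
Jul 31 18:01:37 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.2, TLS
Jul 31 18:02:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2, TLS
Jul 31 18:02:04 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2, TLS
Jul 31 18:02:07 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2, TLS
Jul 31 18:02:10 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2, TLS
Jul 31 18:02:13 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2, TLS
Jul 31 18:04:50 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<carol>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2, TLS
Jul 31 18:05:00 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2, TLS
"""

# Hypothetical prefix-to-country mapping (documentation ranges, not real
# geolocation data). "XX" stands for a country with no legitimate users.
COUNTRY_TABLE = {
    "203.0.113.0/24": "XX",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "US",
}

# Matches Dovecot's "Disconnected (auth failed ...)" lines from imap-login
# and pop3-login; captures the attempted user and the remote IP (rip=).
AUTH_FAIL_RE = re.compile(
    r"(?:imap|pop3)-login: Disconnected \(auth failed[^)]*\): "
    r"user=<([^>]*)>, .*?\brip=([0-9a-fA-F.:]+)"
)


def parse_auth_failures(log_text):
    """Return (user, remote_ip) for every failed login; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2)))
    return events


def per_ip_offenders(events, threshold=5):
    """fail2ban's view: an IP is banned only once it alone reaches the threshold."""
    hits = Counter(ip for _, ip in events)
    return {ip for ip, n in hits.items() if n >= threshold}


def per_user_spray(events, threshold=5):
    """Distributed-attack view: one account tried from many distinct IPs.

    Returns {user: number_of_distinct_source_ips} for users at or above threshold.
    """
    sources = defaultdict(set)
    for user, ip in events:
        sources[user].add(ip)
    return {user: len(ips) for user, ips in sources.items() if len(ips) >= threshold}


def country_of(ip, table=COUNTRY_TABLE):
    """Longest-prefix-free toy lookup against the hypothetical table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in table.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return None


def geo_blocked(events, allowed=frozenset({"US"}), table=COUNTRY_TABLE):
    """IPs a country allowlist would drop before they reached authentication.

    Prefixes missing from the table are treated as not allowed (fail closed).
    """
    return {ip for _, ip in events if country_of(ip, table) not in allowed}


if __name__ == "__main__":
    ev = parse_auth_failures(SAMPLE_LOG)
    print("failed logins parsed:", len(ev))
    print("per-IP bans (fail2ban-style):", per_ip_offenders(ev))
    print("accounts hit from >=5 distinct IPs:", per_user_spray(ev))
    print("dropped by country allowlist:", sorted(geo_blocked(ev)))
```

Run as-is, the per-IP rule bans only bob's single source, alice's six one-shot sources each stay under the threshold, while the per-account count and the country allowlist both flag them; the same per-account aggregation is the check to add (whatever the blocking mechanism) when users are spread across regions and a country allowlist is not an option.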


More information about the dovecot mailing list