Recommendations on intrusion prevention/detection?

Michael Peddemors michael at linuxmagic.com
Thu Apr 23 01:02:32 EEST 2020


On 2020-04-22 2:52 p.m., byalefp at yahoo.com.br wrote:
> Usually I use pfsense as main firewall with snort blocking all kinds of 
> scans and others.
> 
> Fail2ban triggering after 3 unsuccessful tries, and lastly iptables if 
> Linux or ipfw if FreeBSD.
> 
> Keeping pfsense synced with intrusion lists is a must have.
> 
> And lastly, bans are not temporary on my setup, they are forever, except if 
> a real user, after validating his info / data, calls to unblock him.
> 
> There are some guides around about dealing with postscreen, but I never got 
> that working... RBL and spamhaus lists on mail server and on DNS are 
> another must have.
> 
> Good luck
> 
> Best regards,

Just one comment: permanent iptables bans on SSL/TLS authentication 
ports are no longer a viable option, e.g. you would not want to block the 
airport's IP just because one person had an infection on his laptop.

Carrier Grade NAT, WiFi hotspots, etc. would all be affected.

Long term, move towards 2FA; short term, block specific user auth/IP 
combinations, but that won't happen in iptables. In our case it is 
proprietary methods, but using a memcache entry is a highly scalable way 
to record suspicious login attempts with enough information so that you 
only block the attacker, and not the IP, for varying lengths of time.

Or as mentioned, temp blocking with fail2ban is an option that is 
workable and easy for most people.



-- 
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

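The per-user/IP blocking Michael describes above (record suspicious login attempts in a memcache-style store with enough context to block only the attacker, for varying lengths of time) can be sketched as follows. This is an added illustration, not code from the thread, from Dovecot, or from LinuxMagic: the in-process TtlStore stands in for memcache, and the thresholds, block lengths, user names and addresses are constructed assumptions. It goes slightly beyond the text by making the block length double for each repeat offence up to a cap.

```python
import time
from typing import Callable, Dict, Optional, Tuple


class TtlStore:
    """Constructed stand-in for memcache (get/set/incr with per-key expiry) so
    the example runs offline; a real deployment would use a memcache client."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._data: Dict[str, Tuple[int, float]] = {}
        self.now = clock  # injectable so a scenario can advance time deterministically

    def get(self, key: str) -> Optional[int]:
        item = self._data.get(key)
        if item is None:
            return None
        value, expires_at = item
        if expires_at <= self.now():
            del self._data[key]  # lazy expiry, as a cache would do
            return None
        return value

    def set(self, key: str, value: int, ttl: int) -> None:
        self._data[key] = (value, self.now() + ttl)

    def incr(self, key: str, ttl: int) -> int:
        """Increment a counter (starting at 0) and refresh its TTL."""
        value = (self.get(key) or 0) + 1
        self.set(key, value, ttl)
        return value

    def delete(self, key: str) -> None:
        self._data.pop(key, None)


class AuthThrottle:
    """Block a failing user+IP pair, never the bare IP, for an escalating period.
    Thresholds and TTLs are this example's assumptions, not product settings."""

    def __init__(self, store: TtlStore, threshold: int = 3, window: int = 600,
                 base_block: int = 300, max_block: int = 86400,
                 strike_memory: int = 7 * 86400) -> None:
        self.store = store
        self.threshold = threshold          # failures before a block
        self.window = window                # seconds a failure counter lives
        self.base_block = base_block        # first block length, doubled per repeat
        self.max_block = max_block          # cap on the escalation
        self.strike_memory = strike_memory  # how long repeat offences are remembered

    @staticmethod
    def _key(kind: str, user: str, ip: str) -> str:
        return f"auth:{kind}:{user.lower()}:{ip}"  # scoped to the pair, not the IP

    def blocked_for(self, user: str, ip: str) -> int:
        """Seconds left on a block for this pair, or 0 if it may try."""
        until = self.store.get(self._key("block", user, ip))
        return 0 if until is None else max(0, int(until - self.store.now()))

    def record_failure(self, user: str, ip: str) -> int:
        """Count a failed login; return the block length now in force (0 if none)."""
        remaining = self.blocked_for(user, ip)
        if remaining:
            return remaining  # already blocked; do not extend or reset the timer
        fails = self.store.incr(self._key("fail", user, ip), self.window)
        if fails < self.threshold:
            return 0
        strikes = self.store.incr(self._key("strike", user, ip), self.strike_memory)
        block_len = min(self.base_block * 2 ** (strikes - 1), self.max_block)
        self.store.set(self._key("block", user, ip), int(self.store.now()) + block_len, block_len)
        self.store.delete(self._key("fail", user, ip))
        return block_len

    def record_success(self, user: str, ip: str) -> None:
        """A successful login clears the pair's failure counter."""
        self.store.delete(self._key("fail", user, ip))


def cgnat_scenario() -> Dict[str, int]:
    """Many users behind one shared address; only the failing pair is blocked."""
    clock = [1_700_000_000.0]  # constructed mutable clock; bump it instead of sleeping
    throttle = AuthThrottle(TtlStore(lambda: clock[0]))
    shared_ip = "203.0.113.7"  # constructed: a hotspot / CGNAT egress address
    results: Dict[str, int] = {}
    for _ in range(3):
        results["first_block"] = throttle.record_failure("alice", shared_ip)
    results["bob_same_ip"] = throttle.blocked_for("bob", shared_ip)
    results["alice_other_ip"] = throttle.blocked_for("alice", "198.51.100.9")
    clock[0] += 301  # the first 300 s block has lapsed
    results["after_expiry"] = throttle.blocked_for("alice", shared_ip)
    for _ in range(3):
        results["second_block"] = throttle.record_failure("alice", shared_ip)
    return results
```

The point of the key layout is that both the failure counter and the block are scoped to the (user, IP) pair, so "bob" behind the same hotspot address is never blocked by "alice"'s failures, while the strike counter outlives any single block so a repeat offender's next block is longer. With real memcache the same logic maps onto get/set/incr with expirations; the thing to check in any such scheme is that the key includes the user as well as the address.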

