18th August 2016
e1-531g
ISO Quartermaster
 
Join Date: Mar 2014
Posts: 628

Actually I think that there should be more emphasis on proactive defense. For example, if somebody from a certain IPv4 address is scanning ports on your system, you should block his/her IPv4 address for some time. If somebody is trying to log in to your SSH server, you should block his/her IP after a few failed attempts.
I have a script that downloads files from iblocklist.com once every 48 hours and blocks these IPs via a pf table.
Unfortunately the IPv6 address space is much bigger and I don't know whether blocklists are viable solutions in IPv6, but nowadays my ISP doesn't give me IPv6 connectivity so I don't bother yet.
I also think that some filtering should be done in upper layers, for example drop packets that are not DNS packets but are flowing through UDP port 53, or filter HTTP headers. You can usually do this, to some degree, with a proxy.
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase
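As an added illustration of the pf side of what the post describes (a blocklist table refreshed from a downloaded file, plus temporary blocking of SSH brute-force sources), not the poster's own script: it assumes OpenBSD-style pf syntax and a hypothetical blocklist file at /etc/pf/blocklist.txt.

```pf
# Added example (not the poster's script). Assumes OpenBSD-style pf and a
# hypothetical file /etc/pf/blocklist.txt holding one address or CIDR per line.

# Table populated from the downloaded blocklist; 'persist' keeps the table
# around even when no rule references it, so it can be refreshed in place.
table <blocklist> persist file "/etc/pf/blocklist.txt"

# Table that pf fills by itself when a source exceeds the SSH connection rate.
table <bruteforce> persist

# Drop traffic from both tables early; 'quick' stops rule evaluation here.
block in quick from <blocklist>
block in quick from <bruteforce>

# Allow SSH, but if one source opens more than 5 new connections within
# 30 seconds, add it to <bruteforce> and flush all of its existing states.
pass in on egress proto tcp to port ssh flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Refresh the blocklist table from cron (e.g. every 48 hours) after
# downloading the new file:
#   pfctl -t blocklist -T replace -f /etc/pf/blocklist.txt
# Expire brute-force entries older than one day (in seconds) so that the
# block is temporary rather than permanent:
#   pfctl -t bruteforce -T expire 86400
```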