Actually I think that there should be more emphasis on proactive defense. For example, if somebody from a certain IPv4 address is scanning ports on your system, you should block his/her IPv4 address for some time. If somebody is trying to log in to your SSH server, you should block his/her IP after a few failed attempts.
I have a script that downloads files from iblocklist.com once every 48 hours and blocks these IPs via a pf table.
Unfortunately the IPv6 address space is much bigger and I don't know whether blocklists are a viable solution in IPv6, but nowadays my ISP doesn't give me IPv6 connectivity, so I don't bother yet.
I also think that some filtering should be done in upper layers, for example dropping packets that are not DNS packets but are flowing through UDP port 53, or filtering HTTP headers. You can usually do this, to some degree, with a proxy.
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on a Latin oratorical phrase
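The two defences the post describes (a file-fed pf blocklist table and blocking an IP after repeated failed SSH logins), as an added example that is not the poster's script: the pf.conf fragment uses pf's own connection-rate overload, and the shell function counts failed-password lines per source IP. The table names, the /etc/pf/blocklist.txt path, the PF_APPLY switch and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's script): pf's built-in connection-rate overload
# plus a log-driven check for repeated failed SSH logins. The table names and
# /etc/pf/blocklist.txt are assumptions.

# pf.conf fragment: a persistent table loaded from a file (the downloaded
# blocklist) and a self-filling table for hosts opening too many SSH connections.
pf_rules() {
    cat <<'EOF'
table <blocklist> persist file "/etc/pf/blocklist.txt"
table <bruteforce> persist
block drop in quick from { <blocklist>, <bruteforce> }
pass in on egress proto tcp to port ssh keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
EOF
}

# Read sshd log lines on stdin; print each source IP with at least $1 failed
# password attempts. max-src-conn-rate counts connections, not logins, so this
# also catches a slow attacker that stays under the connection rate.
failed_ssh_ips() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++
        }
        END { for (ip in c) if (c[ip] >= t) print ip }' | sort
}

# Add offenders to <bruteforce> and expire entries older than an hour.
# Only runs pfctl when PF_APPLY=1 is set (on the pf box); otherwise it prints.
block_offenders() {
    if [ "${PF_APPLY:-0}" = 1 ]; then run=""; else run="echo would run:"; fi
    failed_ssh_ips "$1" | while read -r ip; do
        $run pfctl -t bruteforce -T add "$ip"
    done
    $run pfctl -t bruteforce -T expire 3600
}

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG='Jan 10 12:00:01 gw sshd[8101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 10 12:00:03 gw sshd[8101]: Failed password for root from 203.0.113.7 port 51235 ssh2
Jan 10 12:00:05 gw sshd[8102]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jan 10 12:00:07 gw sshd[8103]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Jan 10 12:00:09 gw sshd[8104]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2'

pf_rules
printf '%s\n' "$SAMPLE_LOG" | block_offenders 3
```

The downloaded blocklist file is reloaded into its table with `pfctl -t blocklist -T replace -f /etc/pf/blocklist.txt` after each refresh.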